CISA, FBI and the DOE released a joint Cybersecurity Advisory (CSA) detailing state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations. The CSA highlights historical tactics, techniques, and procedures as well as mitigations Energy Sector organizations can take to protect their networks. They recommend a set of ICS Best Practices, as well as a list of 10 mitigations with specific actions intended to harden corporate enterprise networks:
- Privileged Account Management: Manage the creation of, modification of, use of—and permissions associated with—privileged accounts, including SYSTEM and root.
- Password Policies: Set and enforce secure password policies for accounts.
- Disable or Remove Features or Programs: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
- Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.
- Operating System Configuration: Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
- Multifactor Authentication: Enforce multifactor authentication (MFA) by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
- Filter Network Traffic: Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
- Network Segmentation: Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a demilitarized zone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.
CI (Critical Infrastructure) is under attack by the Russians and other concerns. The new recommendations of CISA are improvements on the general wording. What is heartening about this messaging is the focus on privilege accounts and auditing. All of the 16 CISA identified critical infrastructure sectors must take these necessary pro-active measures to ensure that hackers aren\’t already in their systems.
A key aspect of the hacks is the desire of the hackers to stay persistent in the victim\’s enterprise. Without thorough and constant review of the user and service account permissions granted (rightly or wrongly) – hackers are allowed to live in these systems for an extended duration. Focus on \”system hygiene\” and identity governance are key to limiting these threats.
Nation state threat actors utilize very advanced toolkits to capture and break secure data flows. This methodology can be lethal for commercial enterprises as they can operate underneath the protection rendered by conventional session-based encryption like TLS. Such actors have devoted significant compute and human resources to build large database libraries of provable prime numbers that enable them to crack the discrete logarithm problem more efficiently than using traditional algebra.
Governments and Critical Infrastructure companies should implement multipath VPNs with managed attribution to obfuscate source and destination relationships as well as sensitive data flows making the environment virtually impossible to target. Such VPNs can utilize packet dispersion with keys negotiated on a different path than the one carrying information of value thereby making it very hard for a bad actor to intercept or disrupt the entire payload. Such solutions should also support cloud micro segmentation, protocol filtering and endpoint device posture checking.