CISA Best Practices in Defending Against Advanced Persistent Threats
With escalating tensions in Europe, American businesses are on heightened alert for cyber-attacks against financial institutions and energy infrastructure. The reality of the threat has caused the Cybersecurity and Infrastructure Security Agency (CISA) to consolidate the latest advisories, intelligence, and information in a separate Russia Cyber Threat Overview and Advisories section on their site.
Attacks targeting critical infrastructure are not new. In December of 2015, state-backed Russian hackers executed an attack on Ukraine’s power grid that left 230,000 customers in the dark during the depths of winter. And as recently as May of 2021, Russian cybercriminals attacked U.S. infrastructure causing Colonial Pipeline to shut down 5,550 miles of critical pipeline. Just last month hackers attacked 21 U.S. natural gas producers including Chevron Corp., Cheniere Energy Inc., and Kinder Morgan Inc., according to research shared with Bloomberg News.
As Dmitri Alperovitch, the co-founder of CrowdStrike recently stated on CNBC,
“The colonial pipeline is going to be like child’s play if the Russians truly unleash all their capability,”
Last month, a joint advisory by the FBI, National Security Agency (NSA), and the (CISA) warned of “regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors.” The report warns actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources affecting the following areas.
- Command, control, communications, and combat systems;
- Intelligence, surveillance, reconnaissance, and targeting;
- Weapons and missile development;
- Vehicle and aircraft design; and
- Software development, data analytics, computers, and logistics.
Tactics used to gain access to the networks include spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. The actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data.
What is further alarming about the advisory is that actors have maintained persistent access to multiple networks, in some cases for at least six months. These advanced persistent threats (APT) pose a real threat to all businesses.
Through a collaborative research effort by the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States, CISA highlights technical approaches to uncovering malicious activity from APTs and mitigation steps according to best practices.
The CISA also warns of common missteps should a breach be discovered which can lead to:
1. Modifying volatile data that could give a sense of what has been done; and
2. Tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware).
The cyber threats today are real for businesses of all sizes. APTs can evade the most advanced automated security techniques and protection requires the use of advanced threat hunting. Protocols must be established to find suspicious activity, report the incident, and take proper steps to remediate. If you are unsure of your current state of security, contact us. We are here to help.