On January 11, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) published a joint cybersecurity advisory warning operators of critical infrastructure of the threat of Russian state-sponsored cyberattacks and recommending best practices for minimizing the disruption such an attack would cause (the “Advisory”).
The Advisory was quickly endorsed by the National Cyber Security Centre, a division of Government Communications Headquarters (“GCHQ”), the UK intelligence agency. Within days, security researchers at Microsoft, Palo Alto Networks (“PANW”) and Mandiant confirmed reports of increased Russian cyber activity and offered their own hardening recommendations (many of which overlap with the Advisory).
Key points to remember
The advisory, along with the Microsoft, PANW and Mandiant reports, is noteworthy for a few reasons in particular.
- First, all of the reports focus specifically on the threat of Russian state-sponsored cyberattacks. This is a significant public action by the US government, especially in light of the continuing tensions between the US and Russia over Ukraine. A few days after the advisory, Ukrainian government websites were attacked by Russian actors, while the Russian government simultaneously arrested members of the notorious ransomware gang REvil.
- Second, although the advisory focuses on critical infrastructure, the recommendations are broader than that and can apply to a wide range of businesses. These recommendations are detailed below, but two are of particular note:
- The advisory recommends that organizations “require multi-factor authentication for all users, without exception.” Other government agencies, such as the New York Department of Financial Services and the Federal Trade Commission, are also increasingly focused on the need for broad implementation of MFA.
- Another example is the inclusion of remediation details for older vulnerabilities (some dating back to 2018), with CISA stating that Russian state-sponsored Advanced Persistent Threat (“APT”) actors have used these “common but effective” vulnerabilities in attacks. This suggests that the FBI may still be seeing attacks that exploit historical vulnerabilities, which underscores the need for companies to closely examine their IT systems and confirm that these vulnerabilities have been properly remediated.
Best Practices for Minimizing Disruption
Below are the best practices highlighted by the advisory and the Microsoft, PANW and Mandiant reports.
- Require multi-factor authentication (MFA) for all users
The agencies recommend that all users, without exception, be authenticated with MFA for remote access to internal networks. Like an incident response plan, MFA has become an essential part of cybersecurity programs.
The agencies’ position is consistent with the demands of prominent regulators, such as the New York Department of Financial Services and the Federal Trade Commission, which also insist on broad implementation of MFA. MFA was also specifically named by Microsoft and Mandiant as one of the most important recommendations for mitigating risk.
- Implement centralized log collection and monitoring
The agencies recommend that organizations centralize log collection and monitoring to detect threat actor behavior and investigate incidents. Organizations can use the logs to find password spray activity, identify unusual activity in inactive accounts, or flag logins from an IP address that is inconsistent with the user’s expected location. Microsoft and Mandiant have also recommended that organizations review their remote access infrastructure logs to confirm that the recorded access is legitimate.
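As an added illustration (not part of the advisory or the vendor reports), the following Python sketch runs the three checks named above over a constructed batch of centrally collected authentication log lines; the log format, the inactive-account list and the IP-to-country table are all assumptions.

```python
import re

# Constructed sample of centrally collected authentication log lines (not real data).
LOG_LINES = """\
2022-01-12T08:00:01 auth user=alice src=203.0.113.5 result=FAIL
2022-01-12T08:00:02 auth user=bob src=203.0.113.5 result=FAIL
2022-01-12T08:00:03 auth user=carol src=203.0.113.5 result=FAIL
2022-01-12T08:00:04 auth user=dave src=203.0.113.5 result=FAIL
2022-01-12T08:00:05 auth user=erin src=203.0.113.5 result=FAIL
2022-01-12T08:00:06 auth user=erin src=203.0.113.5 result=SUCCESS
2022-01-12T08:05:00 auth user=alice src=198.51.100.7 result=SUCCESS
2022-01-12T08:06:00 auth user=svc_legacy src=198.51.100.9 result=SUCCESS
2022-01-12T08:07:00 auth user=bob src=192.0.2.44 result=SUCCESS
""".splitlines()

# Hypothetical enrichment data an organization maintains itself (constructed).
INACTIVE_ACCOUNTS = {"svc_legacy"}
EXPECTED_COUNTRY = {"alice": "US", "bob": "US", "erin": "US"}
IP_COUNTRY = {"203.0.113.5": "XX", "198.51.100.7": "US", "198.51.100.9": "US", "192.0.2.44": "DE"}

LINE_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\S+)$")

def parse(lines):
    """Parse lines into (timestamp, user, src_ip, result) tuples; skip malformed lines."""
    return [m.groups() for m in map(LINE_RE.match, lines) if m]

def detect_password_spray(events, min_accounts=5):
    """Source IPs whose failures span >= min_accounts distinct users: a spray tries
    few passwords across many accounts, so breadth per source is the signal."""
    failed = {}
    for _ts, user, ip, result in events:
        if result == "FAIL":
            failed.setdefault(ip, set()).add(user)
    return {ip: sorted(u) for ip, u in failed.items() if len(u) >= min_accounts}

def detect_inactive_account_use(events, inactive):
    """Successful logins to accounts that should be dormant."""
    return [(ts, u, ip) for ts, u, ip, r in events if r == "SUCCESS" and u in inactive]

def detect_location_mismatch(events, expected, ip_country):
    """Successful logins from a country other than the user's expected one."""
    return [(ts, u, ip, ip_country.get(ip, "UNKNOWN")) for ts, u, ip, r in events
            if r == "SUCCESS" and u in expected and ip_country.get(ip, "UNKNOWN") != expected[u]]

if __name__ == "__main__":
    ev = parse(LOG_LINES)
    print(detect_password_spray(ev))
    print(detect_inactive_account_use(ev, INACTIVE_ACCOUNTS))
    print(detect_location_mismatch(ev, EXPECTED_COUNTRY, IP_COUNTRY))
```

In the sample the spraying source also succeeds against one account, which is the follow-up a spray alert should prompt an analyst to look for.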
- Create, maintain and enforce a cyber incident response, resiliency and business continuity plan
Incident response and business continuity plans are increasingly common features of a credible cybersecurity program. The agencies urge organizations to regularly test their backup controls and procedures so that staff are properly prepared for an incident.
While the advisory only recommends the adoption of comprehensive cybersecurity programs, a growing number of states have begun to mandate such programs, particularly if the organization holds personal data. The most prominent examples include the NY DFS Cyber Regulations, the California Consumer Privacy Act (“CCPA”), the NY SHIELD Law, the Massachusetts Data Security Law and the many state Insurance Data Security Laws. Federal laws and regulations also mandate such programs under Gramm-Leach-Bliley and HIPAA, as does the General Data Protection Regulation in the EU and its counterpart in the UK.
- Keep software up-to-date and use industry-recommended anti-virus programs
The advisory reminds organizations to regularly update their software, particularly to patch vulnerabilities known to have been exploited. Mandiant advised organizations to quickly patch and harden any identified vulnerabilities. PANW also encouraged organizations to update their firmware. Going forward, the agencies are urging organizations to adopt a centralized patch management system and use anti-virus programs to regularly scan computer network assets for malware.
- Enable Controlled Folder Access
Microsoft and Mandiant have further recommended that organizations using Windows Defender Antivirus enable Controlled Folder Access. The service determines if an application is malicious or suspicious and, if so, will prevent it from making changes to files in a protected folder.