Security Best Practices Amid Geopolitical Crisis

by Zoey Selman | Mar 1, 2022

During times of geopolitical conflict, it is easy to direct your attention to the trending “IOCs of the day”, and many media outlets will take advantage of the crisis to feed you an unlimited supply of fear, uncertainty, and doubt (FUD). However, it is crucial, as a security leader, not to lose focus on the big picture while maintaining the agility to adapt as credible threats are introduced.

There are actions that organizations can take that don’t involve immediately purchasing tools. We encourage everyone to review their security controls, apply best security practices, and to take the appropriate actions to address known issues in a timely manner.

Stay protected from threat actors by applying these security best practices:


  1. Attack Surface Management
    • The first step to applying effective defensive measures is understanding your external (Internet-facing) footprint. Conduct a footprint exercise and identify public facing assets and remote access points. Investigate any unknown assets that are discovered and prioritize applying security controls to the assets within your footprint, as they are more likely to be attacked.
    • Helpful Resources: There are lots of useful tools; here are a few we like: ShadowStar, Recon-ng, Whoxy, Subfinder, Shodan, VirusTotal.
  2. Multi-Factor Authentication (MFA)
    • Use your footprint to identify and decommission any remote access portals that are not using multi-factor authentication. Review your Office 365 and cloud IAM policies to validate that you are requiring MFA for all users, but especially for users with any level of administrative access.
    • Helpful Resources: Double check your Azure environment with MSSpray.
  3. Endpoint Detection and Response (EDR) Coverage
    • EDR can be one of the most effective tools for preventing and detecting malicious activity on endpoints. Most vendors provide continuous updates with new detection rules, signatures, and behavioral models for threats. However, an EDR is only as effective as the scope that it covers. Use sources of record such as vulnerability scanners and other endpoint agents to confirm your current deployment and prioritize the deployment of EDR to all endpoints as soon as possible.
  4. Phishing Protection
  5. Emulation and Measurement
    • Test your defenses with purple teams to identify gaps and make the recommended improvements. This will help you understand which attacker TTPs may succeed in your environment, so you can engineer defenses that detect or block them.
    • Helpful Resources: VECTR™, a free platform that you can use to model and execute purple team exercises.
  6. Block Egress When Possible
    • Blocking egress to the Internet, except for strict allow-lists on servers, helps limit attacker mobility. C2 lives on egress: monitoring it and shutting it down is the most decisive way to cut off attackers. If you are not already doing egress blocking, implementing detection controls in your EDR and SIEM will help you identify C2 channels.
    • Helpful Resources: The points here are still relevant: SolarWinds Breach: How do we stop this from happening again?
  7. Cyber Incident Response Plan Cheat Sheet
    • Your CIRP is a great resource for your team when responding to an incident, but it is often too lengthy and outdated to be effective. Use this time to create a cheat sheet with the most pertinent items such as:
      1. Secure communications channels, escalation trees and when to use them.
      2. A list of critical vendors and contact information for each in case services go down.
      3. Downtime procedures for critical business processes.
      4. Backup restoration procedures.
  8. Vulnerability Management
    • Review your processes for vulnerability management, and validate that systems that can be fully patched are fully patched and enrolled in your VM program. If you lack a formal vulnerability management program, we encourage you to manually identify critical and external facing assets such as web servers and validate that security patches have been applied.
    • Helpful Resources: For patch priority, please refer to the “CISA Known Exploited Vulnerabilities Catalog”, which is updated frequently by CISA.
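For item 2 (MFA), an added example that is not from the original post: it audits a decoded AWS IAM credential report (the CSV returned by `aws iam get-credential-report`, constructed here with placeholder names and account id) for console-capable identities without MFA and ranks them, with root and the assumed admin set first.

```python
import csv
import io

# Constructed excerpt of an AWS IAM credential report (the real report has more
# columns; DictReader ignores the ones this code does not read). The account id
# and user names are placeholders, not values from the original post.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::000000000000:root,2020-01-01T00:00:00+00:00,not_supported,2022-02-20T08:11:00+00:00,false,false
alice,arn:aws:iam::000000000000:user/alice,2021-03-04T12:00:00+00:00,true,2022-02-28T09:00:00+00:00,true,true
bob,arn:aws:iam::000000000000:user/bob,2021-06-15T12:00:00+00:00,true,2022-02-27T17:30:00+00:00,false,true
deploy-svc,arn:aws:iam::000000000000:user/deploy-svc,2021-07-01T12:00:00+00:00,false,no_information,false,true
"""

# Constructed: users holding administrative policies. In practice build this set
# from attached user/group policies; the credential report does not carry it.
ADMIN_USERS = {"bob"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit_mfa(report_csv, admin_users):
    """Return console-capable identities without MFA, most urgent first.

    Root is reported with password_enabled=not_supported, so it is treated as
    console-capable explicitly; pure access-key users (password disabled) are
    outside the scope of this check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console = is_root or row["password_enabled"] == "true"
        if not console or row["mfa_active"] == "true":
            continue
        if is_root:
            severity = "critical"
        elif row["user"] in admin_users:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"user": row["user"], "severity": severity,
                         "password_last_used": row["password_last_used"]})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["user"]))
    return findings


if __name__ == "__main__":
    for f in audit_mfa(CREDENTIAL_REPORT, ADMIN_USERS):
        print(f"{f['severity']:<8} {f['user']:<16} last console use: {f['password_last_used']}")
```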
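For item 6, an added example (not from the original post) of the kind of C2 detection logic the egress advice points at: it reads constructed firewall egress log lines and flags flows whose connection intervals are too regular for human-driven traffic. The log format, hosts, and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress firewall log, not from the original post: one host makes a
# ~60 s periodic connection to 203.0.113.10 mixed in with ordinary web traffic.
SAMPLE_LOG = """\
2022-03-01T10:00:00Z src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=412
2022-03-01T10:00:04Z src=10.0.5.23 dst=198.51.100.77 dport=443 bytes=9000
2022-03-01T10:01:00Z src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=410
2022-03-01T10:02:01Z src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=415
2022-03-01T10:03:00Z src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=411
2022-03-01T10:03:59Z src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=413
2022-03-01T10:05:00Z src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=412
2022-03-01T10:09:12Z src=10.0.5.23 dst=198.51.100.77 dport=443 bytes=30400
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Flag (src, dst, dport) flows whose connection gaps are unusually regular.

    Jitter is stdev/mean of the gaps between successive connections; human-driven
    traffic is bursty, so a flow repeating every N seconds with only a few percent
    of jitter over many cycles is a C2 candidate to check against the allow-list.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")  # avg 0: duplicates only
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps),
                         "mean_interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return hits
```

Tune `min_connections` and `max_jitter` to the log window you query; on real traffic, exclude allow-listed update and monitoring endpoints first, since they are also periodic.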
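For item 8, an added example (not from the original post) of using the CISA Known Exploited Vulnerabilities catalog for patch priority: it joins a constructed scanner export against a KEV-style excerpt with placeholder CVE ids and orders findings by exposure and days past the KEV due date. File formats, hosts, and the reference date are assumptions.

```python
import csv
import io
import json
from datetime import date

# Constructed KEV-style catalog excerpt using placeholder CVE ids (not real
# entries); the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# carries the same "vulnerabilities" list with these keys.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "Placeholder RCE", "dateAdded": "2022-02-10", "dueDate": "2022-02-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "vulnerabilityName": "Placeholder auth bypass", "dateAdded": "2022-02-25", "dueDate": "2022-03-11",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed vulnerability scanner export: one finding per host and CVE.
SCAN_CSV = """\
host,cve,exposure
vpn-gw.example.com,CVE-1900-0001,external
intranet-wiki,CVE-1900-0003,internal
mail.example.com,CVE-1900-0002,external
intranet-wiki,CVE-1900-0001,internal
"""

def prioritize(scan_csv, kev_json, today_iso):
    """Keep only scanner findings that are in KEV, ordered most urgent first:
    external exposure before internal, then by how far past the KEV due date."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        entry = kev.get(row["cve"])
        if entry is None:
            continue  # not known-exploited; schedule through the normal VM cycle
        overdue = (today - date.fromisoformat(entry["dueDate"])).days
        findings.append({"host": row["host"], "cve": row["cve"],
                         "exposure": row["exposure"], "product": entry["product"],
                         "due_date": entry["dueDate"], "overdue_days": max(overdue, 0),
                         "action": entry["requiredAction"]})
    findings.sort(key=lambda f: (f["exposure"] != "external", -f["overdue_days"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in prioritize(SCAN_CSV, KEV_JSON, "2022-03-01"):
        print(f"{f['host']:<22} {f['cve']} {f['exposure']:<8} overdue {f['overdue_days']:>3}d")
```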

Zoey Selman
Consultant

Zoey focuses on intelligence gathering, analysis and investigations. Zoey specializes in Open Source Intelligence (OSINT), Human Intelligence (HUMINT), Geospatial Intelligence (GEOINT) and Social Engineering (SE).

Zoey co-organizes Blue Team Village, held annually at DEFCON, and is a former Director of Trace Labs, an initiative that aids law enforcement in locating missing persons. In addition, she volunteers on the Predator Identification Team at the Innocent Lives Foundation, an initiative partnered with law enforcement to unmask anonymous online child predators.

Zoey obtained her degree in Cybersecurity while living in Australia, prior to her relocation to the United States.