With nations across the globe depending on technology for essential government functions, “cyber warfare” is increasingly being used as part of tactical military responses. The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has just released a statement to spread awareness and recommend mitigation steps in response to the U.S. military strike in Baghdad.
Given Iran’s history of using cyber operations in response to perceived harm, CISA recommends that organizations take the following actions:
- Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call information is up to date.
- Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and know how to identify unusual behavior. Flag any known indicators of compromise, or attempts to compromise, for immediate response.
- Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. If you are unsure of the proper procedure, contact your IT Department or Managed Service Provider.
- Exercise organizational incident response plans. Ensure employees are familiar with the key steps they need to take during an incident. Do they have the access they need? Do they know the processes well? Are your data backups current and accessible? Ensure personnel are positioned to act in a calm and unified manner in case of emergency.
Recommended Mitigation Actions
The following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall exposure. These recommendations are not exhaustive; rather, they focus on the actions likely to have the highest return on investment. In general, CISA recommends two courses of action in the face of a potential threat from Iranian actors: 1) vulnerability mitigation and 2) incident preparation.
- Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
- Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.
- Patch externally facing equipment. Focus on patching critical- and high-severity vulnerabilities that allow remote code execution or denial of service on externally facing equipment.
- Log and limit usage of PowerShell. Limit PowerShell to the users and accounts that need it, require that scripts be code-signed before they will run, and enable logging of all PowerShell commands so that every script block and command executed is recorded and can be reviewed.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
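The “log and limit usage of PowerShell” item above is the one recommendation in the list that maps to a handful of concrete host settings. The following is an added example, not code from the CISA alert or from this page, showing how to apply those settings on a single Windows host from an elevated PowerShell 5.1 session: require signed scripts, turn on script block, module and transcription logging, remove the legacy v2 engine (which does not support script block logging and is a common way to evade it), and then query the resulting event log for the patterns that usually accompany malicious use. The transcript directory `C:\PSTranscripts` and the `Find-SuspiciousScriptBlocks` helper are assumptions introduced here; in a domain, set the same registry values through Group Policy rather than per host.

```powershell
# Added example (not from the CISA alert or this page): apply "log and limit
# PowerShell" on one Windows host. Assumes an elevated PowerShell 5.1 session
# and that C:\PSTranscripts (a hypothetical path) is writable by SYSTEM but
# not by ordinary users, so an intruder cannot edit their own transcript.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Require signed scripts: unsigned .ps1 files will no longer execute.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Script block logging: every script block that runs is written to
#    Microsoft-Windows-PowerShell/Operational as event ID 4104, including the
#    decoded contents of -EncodedCommand and Invoke-Expression strings.
$sbl = Join-Path $policyRoot 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Module logging: pipeline execution details (event ID 4103) for all modules.
$ml = Join-Path $policyRoot 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

# 4. Transcription: a plain-text record of each session, with invocation
#    headers (time and user), kept outside the user's own profile.
$tr = Join-Path $policyRoot 'Transcription'
New-Item -Path $tr -Force | Out-Null
Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# 5. Remove the PowerShell 2.0 engine. "powershell -Version 2" bypasses
#    script block logging entirely, so the logging above is incomplete
#    while this optional feature is present (Windows client feature names;
#    on Server use Remove-WindowsFeature PowerShell-V2 instead).
foreach ($feature in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2') {
    Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

# 6. Hunt in the log that step 2 populates. Hypothetical helper: returns 4104
#    events from the last $Hours whose script text matches common
#    download-cradle and encoding patterns seen in real intrusions.
function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $pattern = '-enc|-EncodedCommand|FromBase64String|DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|Invoke-Mimikatz'
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}

Find-SuspiciousScriptBlocks -Hours 24 | Format-List
```

Restricting PowerShell to specific users or accounts, the “limit” half of the recommendation, is not a PowerShell setting at all; it is done with an application control policy (AppLocker or Windows Defender Application Control) that allows `powershell.exe` only for the administrative groups that need it, which this example does not attempt. Note also that step 5 is what makes steps 2 to 4 trustworthy: without it an attacker can simply request the v2 engine and run unlogged.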
Detailed Technical Explanations
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. You can read the full alert from CISA here.
Does your business need assistance with Disaster Response Planning, or are you unsure where your network’s vulnerabilities are? We can help.