Emergency Enhancements to Security Posture
In our previous advisory, the Krebs Stamos Group discussed the current situation surrounding Ukraine and some of the potential cybersecurity risks facing western businesses as a result. Alarm bells are ringing across the U.S. government (note CISA’s front page at this moment, imploring U.S. businesses to put their “Shields Up”). This advisory addresses the broader question: What can a company do to enhance its security posture on short notice?
A tragic truism is that the period during which a company’s security posture improves the most is immediately after a breach. When security is seen as an existential issue for a company, the normal constraints imposed by the partners of a security team fall away, and bureaucracies are often bypassed or operate miraculously quickly for brief durations.
One of the biggest constraints on the effectiveness of a Chief Information Security Officer (CISO) and their team is the expectation that security improvements must come with minimal operational or business risk. Consequently, this stretches projects that might only require a couple of weeks of technical work into months of requirements gathering, vendor qualification, endless rounds of meetings, and tiny incremental changes implemented only in far-flung change windows. On the other hand, security improvements implemented in crash programs after a breach often turn out to be more manageable than is typically expected when making major IT changes.
With the right executive support and coordination across the enterprise, organizations can create the same kind of momentum that exists after a massive security incident to prevent potentially existential risks.
A large, public company needs effective executive-level coordination to implement emergency enhancements to its existing security programs:
Its board and audit committee must recognize the potential risks and encourage the Chief Executive Officer (CEO) to arbitrage business and cybersecurity risk.
Its CEO should recognize and try to loosen the normal constraints placed on their security organization. It is easy for a CEO to tell their CISO “do everything you need to do” without considering the unspoken constraint of “without causing the business any trouble” that often goes with such an ask. It is incumbent on the CEO not only to bring the rest of the executive staff on-board with a security project, but also to make it clear to the CISO that they will not be punished for unforeseen operational issues caused by quickly implemented changes.
Its CISO should aggressively prioritize projects based upon immediate security ROI and tenaciously push the organization outside of its comfort zone. Successful CISOs are often prized for their ability to manage risk without getting in the way of the business, but this natural impulse to be seen as a team player can also make a CISO pull back from being assertive when needed. CISOs should push beyond the normal scope of operational or risk limits (change processes, minimized downtime).
Its line-of-business leaders must understand they also have shared responsibility for the security of the systems they rely upon for normal operations and work with the CISO to mitigate impacts instead of demanding perfection before changes are made.
Its CIO should see themselves as part of the security team and emphasize trustworthy infrastructure over bolted-on tools and products.
Its purchasing and legal teams should execute vendor relationships or change orders quickly and understand that vendor and legal risks are sometimes less important than the cyber risks that need to be addressed.
Its systems and network administrators should be empowered to not only implement these changes but recommend additional capabilities. They are on the ground with these systems every day; seek their input in securing these systems and networks.
Emergency Security Steps
With the right support in place, what are some of the projects you should help your security teams prioritize? The answer is highly dependent on your organization and your exposed risk.
KSG recommends the following measures be considered to improve your organization’s security posture.
Switch from long-term goals to short-term priorities
Security improvements planned for completion in Q2 will come too late. Accelerate the critical projects (like MFA) by adding resources and removing bureaucratic barriers.
Initiate crash deployment of multi-factor authentication
Starting with admin accounts, restrict to hardware multi-factor authentication (MFA) tokens on managed, compliant systems.
Extend deployment to include key leaders and those with access to confidential data. Protect the accounts of those team members who may be targeted in a phishing or email compromise.
Aggressively prune access and accounts
Disable or lock long-unused accounts.
Disable endpoints that have not connected to your network within a reasonable amount of time.
Prune access from large groups of employees and then re-add using an exception process.
Accelerate deployment of endpoint detection and response (EDR)
Deploying an EDR solution is just the start. If your organization does not have a team to review and manage those alerts, consider using a managed service that can extend and augment your capabilities.
Include servers and legacy systems in this deployment. Think about gaining visibility not just from user endpoints, but your servers as well.
Many tools can be deployed first in audit-only mode, which reduces the risk of business impact for a snap deployment. However, enabling “Block” or Active mode must be done to reap the full benefits of the software. Ensure team members are adequately supported during the testing and deployment phase.
Review network traffic and DNS logs to scrutinize outbound connections. Have system owners review expected behavior and flag anything suspicious. Look at commonly abused protocols:
Outbound secure shell (SSH)
Outbound virtual private network (VPN)
Requests to low-quality or newly registered domain name system (DNS) domains
Include a review of requests to public services like Slack and OneDrive as they can be used for malicious activity.
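The log review described above, as an added example that is not part of the KSG advisory: it runs over constructed firewall and DNS log lines, flags outbound SSH/VPN from hosts that are not on an assumed approved list, and flags DNS lookups for domains that are newly registered or have no known registration date. The log formats, port list, approved-host list and registration dates are all assumptions made for the example.

```python
"""Added example (not part of the advisory): triage constructed firewall and
DNS log lines for the outbound patterns the advisory calls out."""
from datetime import date

# Constructed sample logs (not real data). Firewall: ts src dst proto dport
FIREWALL_LOG = """\
2022-02-24T10:01:02 10.0.5.12 203.0.113.7 tcp 22
2022-02-24T10:03:10 10.0.5.40 198.51.100.9 udp 1194
2022-02-24T10:04:44 10.0.5.12 192.0.2.80 tcp 443
2022-02-24T10:05:01 10.0.9.3 203.0.113.200 udp 51820
"""
# Constructed DNS query log: ts client qname
DNS_LOG = """\
2022-02-24T10:02:00 10.0.5.12 updates.example.com
2022-02-24T10:02:30 10.0.5.40 a1b2c3.example.net
2022-02-24T10:06:00 10.0.9.3 files.onedrive.example.org
"""

# Assumed: hosts the system owners have approved for each protocol (jump hosts etc.)
APPROVED = {"ssh": {"10.0.5.12"}, "vpn": set()}
# Ports commonly used by the protocols the advisory lists (SSH, IPsec, OpenVPN, WireGuard)
PROTO_PORTS = {("tcp", 22): "ssh", ("udp", 500): "vpn", ("udp", 4500): "vpn",
               ("udp", 1194): "vpn", ("udp", 51820): "vpn"}
# Assumed: registration dates gathered offline for the example (constructed values)
WHOIS_CREATED = {"example.com": date(1995, 8, 14), "example.net": date(2022, 2, 20)}
NEW_DOMAIN_DAYS = 30  # anything registered within this window is "newly registered"

def registrable(qname):
    """Collapse a FQDN to its registrable domain (naive last-two-labels rule)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def flag_firewall(log, approved=APPROVED):
    """Return (src, dst, kind) for outbound SSH/VPN from hosts not approved for it."""
    hits = []
    for line in log.splitlines():
        _, src, dst, proto, dport = line.split()
        kind = PROTO_PORTS.get((proto, int(dport)))
        if kind and src not in approved.get(kind, set()):
            hits.append((src, dst, kind))
    return hits

def flag_dns(log, whois=WHOIS_CREATED, today=date(2022, 2, 24)):
    """Return (client, domain, age_days) for newly registered or unknown-age domains."""
    hits = []
    for line in log.splitlines():
        _, client, qname = line.split()
        dom = registrable(qname)
        created = whois.get(dom)
        age = (today - created).days if created else None  # None = could not look up
        if age is None or age <= NEW_DOMAIN_DAYS:
            hits.append((client, dom, age))
    return hits
```

Flagged rows are a review queue for the system owners mentioned above, not verdicts; the approved list and the domain-age threshold are the two knobs to tune per organization.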
Consolidate logs in a cloud security information and event management (SIEM) system
Find a provider that your team can provision quickly. If you have a public cloud relationship that works, deployment of services such as Elasticsearch or Microsoft Sentinel may be the fastest option.
Extend and review protection capabilities of legacy systems, and take as many zero trust steps as possible
Many enterprises have legacy applications that are not integrated with modern, secure authentication. For those applications, extend any available protections you can (EDR, firewalls, etc.). Take time to ensure you are capturing the right information from the system.
Access to legacy systems can be restricted using on-prem or cloud proxy solutions that allow modern access restrictions and logging to be applied without modifying the base product.
Take special note of business operations (systems, personnel, partners) in regions that could experience deteriorating security conditions.
Where possible, limit network access, consider alternative vendors, and take appropriate protective measures for personnel.
Implement a secondary encrypted communication channel (like Signal or similar services) with staff in those regions.
Deploy cloud backup or take local backup images offline
Where offline backups are available, verify their accessibility and ensure relevant staff have the access required in an emergency. If you are using an off-site vendor, contact them and identify who needs to approve a recall.
Audit cloud services for high-risk bindings and remove them if nobody can quickly identify why they exist
These bindings include high-privilege tokens, certificates, Open Authorization (OAuth) relationships, and application programming interface (API) keys.
The Information Security industry offers many tools to audit existing environments. Have your security team review the output of these tools and prioritize resolving high findings.
CISA’s Sparrow tool can review Azure and Office 365 (GitHub - cisagov/Sparrow: Sparrow.ps1)
NCC’s Scout Suite can be used against all providers (GitHub - nccgroup/ScoutSuite: Multi-Cloud Security Auditing Tool)