On January 11, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint Cybersecurity Advisory warning critical infrastructure operators about the threat of Russian state-sponsored cyberattacks and recommending best practices to minimize disruption from such an attack (the “Advisory”).
The Advisory was promptly endorsed by the UK’s National Cyber Security Centre (NCSC), a part of Government Communications Headquarters (“GCHQ”). Within a few days, security researchers at Microsoft, Palo Alto Networks (“PANW”), and Mandiant confirmed reports of increasing Russian cyber activity and offered their own hardening recommendations, many of which overlap with the Advisory.
The Advisory, as well as the Microsoft, PANW, and Mandiant reports, are noteworthy for a few reasons in particular.
- First, all of the reports focus specifically on the threat of Russian state-sponsored cyberattacks. This is an important public action by the U.S. government, especially in light of ongoing tensions between the U.S. and Russia over Ukraine. A few days after the Advisory, Ukrainian government websites were defaced in an attack attributed to Russian actors, while the Russian government simultaneously announced the arrest of members of the notorious REvil ransomware gang.
- Second, although the focus of the Advisory is on critical infrastructure, the recommendations are broader than that and may be applicable to a wide range of companies. These recommendations are further detailed below, but two are worth noting in particular:
- The Advisory recommends that organizations “require multi-factor authentication for all users, without exception.” Other government agencies, like the New York Department of Financial Services and the Federal Trade Commission, are also increasingly focused on the need for broad implementation of MFA.
- Another example is the inclusion of remediation details for older vulnerabilities (some dating back to 2018), with CISA noting that Russian state-sponsored advanced persistent threat (“APT”) actors have used these “common but effective” vulnerabilities in attacks. This suggests the agencies are still seeing exploitation of long-patched vulnerabilities and underscores the need for companies to verify, rather than assume, that such vulnerabilities have been remediated on every affected system. Many of the listed vulnerabilities affect internet-facing products such as VPN gateways, firewalls, and email servers, which are easy to overlook in routine patch cycles.
Best Practices to Minimize Disruptions
The following are the best practices highlighted by the Advisory, Microsoft report, PANW report, and Mandiant report.
- Require multi-factor authentication (MFA) for all users
The agencies recommend that all users, without exception, be authenticated with MFA, in particular for remote access to internal networks. Like an incident response plan, MFA has become a baseline element of any credible cybersecurity program.
The agencies’ posture is consistent with requirements from prominent regulators, like the New York Department of Financial Services and the Federal Trade Commission, that similarly insist on broad implementation of MFA. MFA was also expressly named by both Microsoft and Mandiant as one of the most important recommendations to mitigate risk.
- Implement centralized log collection and monitoring
The agencies recommend that organizations centralize log collection and monitoring to detect threat actor behavior and to support incident investigation. Centralized logs let defenders look for password spray activity (many failed logins against different accounts from one source in a short period), identify unusual activity in dormant accounts, and flag logins from IP addresses or locations that are inconsistent with the user’s expected location. Microsoft and Mandiant also recommended reviewing logs from remote access infrastructure to confirm that the sessions it records are legitimate.
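The three detections named above (password spray, dormant-account activity, and location mismatch) are simple enough to run as heuristics over a centralized authentication log. The following is an added example written for this page; it is not code from the Advisory or from the Microsoft, PANW or Mandiant reports. The log line format (timestamp, result, user, source IP, source country), the thresholds, and the `LAST_SEEN` and `HOME_COUNTRY` baselines are all assumptions, and the sample log lines are constructed for illustration.

```python
"""Heuristic detections over centralized authentication logs.

Added illustration, not code from the Advisory or any vendor report. The log
format, thresholds and per-user baselines below are assumptions; a real
deployment would substitute its own schema and baselines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source IP fails against six accounts in a
# few seconds and then succeeds as "frank"; a long-idle service account later
# logs in. Fields: timestamp, result, user, source IP, source country.
SAMPLE_LOG = """\
2022-01-12T08:00:01Z FAIL alice 203.0.113.5 NL
2022-01-12T08:00:02Z FAIL bob 203.0.113.5 NL
2022-01-12T08:00:03Z FAIL carol 203.0.113.5 NL
2022-01-12T08:00:04Z FAIL dave 203.0.113.5 NL
2022-01-12T08:00:05Z FAIL erin 203.0.113.5 NL
2022-01-12T08:00:06Z FAIL frank 203.0.113.5 NL
2022-01-12T08:00:07Z SUCCESS frank 203.0.113.5 NL
2022-01-12T09:15:00Z SUCCESS alice 198.51.100.7 US
2022-01-12T09:20:00Z SUCCESS svc_backup 198.51.100.9 US
2022-01-12T10:00:00Z FAIL bob 192.0.2.44 US
2022-01-12T10:00:30Z SUCCESS bob 192.0.2.44 US
"""

# Assumed baselines (hypothetical) that would normally be derived from history.
LAST_SEEN = {
    "alice": datetime(2022, 1, 11),
    "bob": datetime(2022, 1, 10),
    "frank": datetime(2022, 1, 11),
    "svc_backup": datetime(2021, 8, 1),
}
HOME_COUNTRY = {u: "US" for u in
                ["alice", "bob", "carol", "dave", "erin", "frank", "svc_backup"]}


def parse_log(text):
    """Parse the constructed line format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "result": result, "user": user, "ip": ip,
                       "country": country})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail against >= min_users distinct accounts inside
    a sliding time window. The result also lists accounts that later logged in
    successfully from a flagged IP, which is the finding an analyst acts on."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so fails[start:end+1] fits in it.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users and len(users) > len(flagged.get(ip, ())):
                flagged[ip] = users

    return {ip: {"sprayed_users": sorted(users),
                 "successful_logins": sorted(
                     {e["user"] for e in events
                      if e["result"] == "SUCCESS" and e["ip"] == ip})}
            for ip, users in flagged.items()}


def detect_dormant_logins(events, last_seen=LAST_SEEN,
                          dormant_after=timedelta(days=90)):
    """Flag successful logins to accounts idle for longer than dormant_after.
    Accounts with no baseline are skipped rather than guessed at."""
    hits = []
    for e in events:
        prev = last_seen.get(e["user"])
        if (e["result"] == "SUCCESS" and prev is not None
                and e["ts"] - prev >= dormant_after):
            hits.append((e["user"], (e["ts"] - prev).days))
    return hits


def detect_location_mismatch(events, home_country=HOME_COUNTRY):
    """Flag successful logins from a country other than the user's expected one."""
    return [(e["user"], e["ip"], e["country"]) for e in events
            if e["result"] == "SUCCESS"
            and home_country.get(e["user"]) not in (None, e["country"])]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evts))
    print("dormant logins:", detect_dormant_logins(evts))
    print("location mismatch:", detect_location_mismatch(evts))
```

On the sample data the spray detector reports the single source that tried six accounts and notes that it ultimately succeeded as `frank`; the dormant-account check flags `svc_backup` after 164 idle days; and the location check flags the `frank` login from NL against an expected US baseline. The thresholds are deliberately conservative placeholders; tune the window and the account count against your own failed-login baseline before alerting on them.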
- Create, Maintain, and Exercise a Cyber Incident Response, Resilience, and Continuity of Operations Plan
Incident response and continuity of operations plans are now standard features of a credible cybersecurity program. The agencies urge organizations to regularly test their controls and backup procedures so that personnel are prepared when an incident occurs.
While the Advisory only urges the adoption of comprehensive cybersecurity programs, an increasing number of states have begun to mandate such programs, especially where the organization possesses personal data. Prominent examples include the NY DFS Cybersecurity Regulation, the California Consumer Privacy Act (“CCPA”), the NY SHIELD Act, the Massachusetts data security law, and the numerous state Insurance Data Security laws. Federal laws and regulations also mandate such programs under the Gramm-Leach-Bliley Act and HIPAA, as does the General Data Protection Regulation (GDPR) in the EU and its UK counterpart.
- Keep software updated and use industry-recommended antivirus programs
The Advisory reminds organizations to update their software regularly, prioritizing patches for vulnerabilities known to have been exploited. Mandiant advised organizations to promptly patch and harden any identified vulnerabilities, and PANW similarly encouraged organizations to keep device firmware current. The agencies further urge organizations to adopt a centralized patch management system and to use antivirus programs to regularly scan IT network assets for malware.
- Enable Controlled Folder Access
Microsoft and Mandiant further recommended that organizations running Microsoft Defender Antivirus enable Controlled Folder Access. The feature allows only applications that Defender recognizes as trusted, or that an administrator has explicitly allowed, to modify files in protected folders, which blunts ransomware that attempts to encrypt user documents. Because legitimate line-of-business applications may also write to those folders, it is prudent to roll the feature out in audit mode first and review the resulting events before switching to enforcement.