By John San Filippo
On Friday, January 28, the NCUA issued a cybersecurity alert based on two advisories that were recently published by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):
Understanding and Mitigating Russian State Sponsored Cyber Threats to U.S. Critical Infrastructure, published January 11, and
Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats, published January 18.
The NCUA alert stated in part, “Given current geopolitical events, the NCUA, along with CISA, the Federal Bureau of Investigation, and the National Security Agency encourage credit unions and their cybersecurity teams nationwide to adopt a heightened state of awareness and to conduct proactive threat hunting. In addition, COVID-related supply chain disruptions may require management to reevaluate previously held assumptions for business continuity and disaster recovery plans.”
According to the Jan. 11 CISA advisory, “Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks.” The document then lists more than a dozen vulnerabilities that Russian APT actors have exploited, including vulnerabilities in Cisco routers, Microsoft Exchange and VMware, as well as links to additional information on each of the listed vulnerabilities.
The Jan. 11 CISA advisory also offered guidance on detection, suggesting that because Russian state-sponsored actors have demonstrated the ability to maintain persistent, long-term access to compromised enterprise and cloud environments, all critical infrastructure organizations should implement robust log collection and retention and look for behavioral evidence or network and host-based artifacts from known Russian state-sponsored tactics, techniques and procedures (TTPs).
The Jan. 18 CISA advisory, which is significantly shorter, provides a bulleted list of steps that all organizations are encouraged to implement. These include:
Reduce the likelihood of a damaging cyber intrusion.
    Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
    Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
    Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
    If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
    Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
Take steps to quickly detect a potential intrusion.
    Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
    Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
    If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Ensure that the organization is prepared to respond if an intrusion occurs.
    Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
    Assure availability of key personnel; identify means to provide surge support for responding to an incident.
    Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization’s resilience to a destructive cyber incident.
    Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
    If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.