A report launched by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) outlines quite a few options and common finest practices to thwart infiltration by the ongoing Dragonfly cyberattack marketing campaign, which it says is concentrating on operational expertise personnel. (For an in-depth story on that report, see: “DHS, FBI Identify Tactics in Cyberattack Campaign Targeting Industrial Control Systems.”)
The report, “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors,” launched on October 20, lists “indicators of compromise” in addition to technical particulars on the ways, strategies, and procedures utilized by the risk actors on compromised networks.
The federal businesses encourage community customers and directors to make use of these common finest practices to assist defend their organizations in opposition to Dragonfly ways.
- Prevent exterior communication of all variations of SMB and associated protocols on the community boundary by blocking TCP ports 139 and 445 with associated UDP port 137. (See the NCCIC/US-CERT publication on SMB Security Best Practices for extra info.)
- Block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway gadgets on the community.
- Monitor VPN logs for irregular exercise (e.g., off-hour logins, unauthorized IP tackle logins, and a number of concurrent logins).
- Deploy internet and e-mail filters on the community. Configure these gadgets to scan for identified unhealthy domains, sources, and addresses; block these earlier than receiving and downloading messages. This motion will assist to scale back the assault floor on the community’s first stage of protection. Scan all emails, attachments, and downloads (each on the host and on the mail gateway) with a good anti-virus resolution that features cloud status providers.
- Segment any essential networks or management programs from enterprise programs and networks based on business finest practices.
- Ensure sufficient logging and visibility on ingress and egress factors.
- Ensure the usage of PowerShell model 5, with enhanced logging enabled. Older variations of PowerShell don’t present sufficient logging of the PowerShell instructions an attacker could have executed. Enable PowerShell module logging, script block logging, and transcription. Send the related logs to a centralized log repository for monitoring and evaluation. See the FireEye weblog submit Greater Visibility through PowerShell Logging.
for extra info.
- Implement the prevention, detection, and mitigation methods outlined within the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.
- Establish a coaching mechanism to tell finish customers on correct e-mail and internet utilization, highlighting present info and evaluation, and together with frequent indicators of phishing. End customers ought to have clear directions on the best way to report uncommon or suspicious emails.
- Implement utility listing whitelisting. System directors could implement utility or utility listing whitelisting by Microsoft Software Restriction Policy, AppLocker, or comparable software program. Safe defaults permit functions to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software program folders. All different areas must be disallowed until an exception is granted.
- Block RDP connections originating from untrusted exterior addresses until an exception exists; routinely assessment exceptions regularly for validity.
- Store system logs of mission essential programs for a minimum of one 12 months inside a safety info occasion administration instrument.
- Ensure functions are configured to log the right stage of element for an incident response investigation.
- Consider implementing HIPS or different controls to stop unauthorized code execution.
- Establish least-privilege controls.
- Reduce the variety of Active Directory area and enterprise administrator accounts.
- Based on the suspected stage of compromise, reset all consumer, administrator, and repair account credentials throughout all native and area programs.
- Establish a password coverage to…