With Russian military operations currently underway in Ukraine, the question of whether cyber warfare will also be employed remains unanswered. While we have seen cases of destructive cyber actions focused on Ukraine, at this point attribution is not possible.
As a result of these actions, many organizations feel a heightened sense of concern. Our focus here is to protect organizations by helping them prepare for potential cyberattacks, and for that we have put together this cyber readiness checklist. Many of these suggestions are standard cyber hygiene protocols and best practices, but a reminder to do the basics never hurts, especially when there are so many other concerns competing for attention. In the same way that hand washing helps in our fight against COVID-19, simple actions also go a long way in the fight against cyberthreats.
For hunting adversaries in your networks, CISA recommends looking for the following TTPs:
| Tactic | Technique | Procedure |
|---|---|---|
| Reconnaissance [TA0043] | Active Scanning: Vulnerability Scanning [T1595.002] | Russian state-sponsored APT (Advanced Persistent Threat) actors have performed large-scale scans to find vulnerable servers. |
| Reconnaissance [TA0043] | Phishing for Information [T1598] | Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. |
| Resource Development [TA0042] | Develop Capabilities: Malware [T1587.001] | Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. |
| Initial Access [TA0001] | Exploit Public-Facing Applications [T1190] | Russian state-sponsored APT actors target publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. |
| Initial Access [TA0001] | Supply Chain Compromise: Compromise Software Supply Chain [T1195.002] | Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. |
| Execution [TA0002] | Command and Scripting Interpreter: PowerShell [T1059.003] and Windows Command Shell [T1059.003] | Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands. |
| Persistence [TA0003] | Valid Accounts [T1078] | Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. |
| Credential Access [TA0006] | Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003] | Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. |
| Credential Access [TA0006] | OS Credential Dumping: NTDS [T1003.003] | Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit. |
| Credential Access [TA0006] | Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003] | Russian state-sponsored APT actors have performed "Kerberoasting," whereby they obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) for offline cracking. |
| Credential Access [TA0006] | Credentials from Password Stores [T1555] | Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. |
| Credential Access [TA0006] | Exploitation for Credential Access [T1212] | Russian state-sponsored APT actors have exploited the Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers. |
| Credential Access [TA0006] | Unsecured Credentials: Private Keys [T1552.004] | Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML (Security Assertion Markup Language) signing certificates. |
| Command and Control [TA0011] | Proxy: Multi-hop Proxy [T1090.003] | Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic. |
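As an added example of what hunting for two of the credential-access TTPs in the table above can look like (this is not code from the original post, CISA, or Fortinet), the script below runs simple detection logic over a handful of constructed Windows Security events: password spraying [T1110.003] shows up as one source failing logons (event 4625) for many distinct accounts in a short window, and Kerberoasting [T1558.003] shows up as one account requesting RC4-encrypted service tickets (event 4769, encryption type 0x17) for several SPNs. The event records, field names and thresholds are assumptions for illustration.

```python
"""Hunt for password spraying [T1110.003] and Kerberoasting [T1558.003] in
Windows Security events. Added example; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (minimal fields from 4625 / 4769 records).
EVENTS = [
    # One source failing once against each of six accounts within seconds.
    *[{"ts": f"2022-02-24T08:00:{s:02d}", "id": 4625, "src": "203.0.113.7", "user": u}
      for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # A normal user mistyping their own password twice: not spraying.
    {"ts": "2022-02-24T08:05:00", "id": 4625, "src": "10.0.0.15", "user": "grace"},
    {"ts": "2022-02-24T08:05:10", "id": 4625, "src": "10.0.0.15", "user": "grace"},
    # One account pulling RC4 (0x17) service tickets for three different SPNs.
    {"ts": "2022-02-24T09:00:00", "id": 4769, "user": "bob", "spn": "MSSQLSvc/db1", "etype": "0x17"},
    {"ts": "2022-02-24T09:00:01", "id": 4769, "user": "bob", "spn": "HTTP/web1", "etype": "0x17"},
    {"ts": "2022-02-24T09:00:02", "id": 4769, "user": "bob", "spn": "CIFS/fs1", "etype": "0x17"},
    # Benign AES (0x12) ticket request: not flagged.
    {"ts": "2022-02-24T09:10:00", "id": 4769, "user": "alice", "spn": "CIFS/fs1", "etype": "0x12"},
]

def detect_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: set(users)} for sources whose 4625 failures cover
    at least min_accounts distinct accounts inside any `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):  # window anchored at each failure
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[src] = users
                break
    return hits

def detect_kerberoasting(events, min_spns=3):
    """Return {user: set(spns)} for accounts requesting RC4 (etype 0x17)
    service tickets for at least min_spns distinct SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17":
            spns[e["user"]].add(e["spn"])
    return {u: s for u, s in spns.items() if len(s) >= min_spns}

if __name__ == "__main__":
    print("password spraying:", detect_password_spraying(EVENTS))
    print("kerberoasting:", detect_kerberoasting(EVENTS))
```

In a real environment the same two rules run over SIEM exports of events 4625 and 4769, with the thresholds tuned to the baseline of legitimate failed logons and RC4 ticket requests.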
Fortinet provides multiple opportunities for organizations to mitigate serious cyberattacks and investigate possible breaches. Below are just a few popular examples of the technologies and solutions Fortinet offers.
Fortinet Cyber Threat Assessment: Secure network architectures need to constantly evolve to keep up with the latest advanced persistent threats. There are two ways to find out if your solution isn’t keeping up—wait for a breach to happen or run validation tests.
Managed Detection and Response: Fortinet helps customers better understand the cybersecurity risks they face and improve how they identify and react to threats.
Fortinet Virtual Patching solutions: FortiGuard Labs protects against specific exploits.
FortiGuard Incident Response Service: The FortiGuard Incident Response Service provides organizations in the midst of a cybersecurity incident (including targeted ransomware attacks), with experienced staff, expert skills, and powerful tools.
FortiGuard IPS and Anti-Virus: Services and engines utilize a variety of techniques including multiple machine learning and artificial intelligence strategies to protect our customers against advanced and zero-day threats.
CISA - Shields Up: high level and strategic recommendations on how to prepare for an attack
Mandiant - Anticipating Cyber Threats as the Ukraine Crisis Escalates
Fortinet - New Wiper Malware Discovered Targeting Ukrainian Interests