Audit Microsoft 365 Configuration and Authentication to Thwart Active Attacks; Educate Users About Fake Popups; CISA Uses Tabletop Exercise to Raise the Bar on Election Systems Security

Not just Russian hackers, but pretty much anybody in the cybercrime game is going after Microsoft 365 accounts. Just like for any cloud-based service, 2FA is a must and accounts as well as account configurations need to be carefully audited, even if you are not in the cross hairs of nation state attackers.

Johannes Ullrich

They are disabling logging, such as Purview Audit (formerly Advanced Audit) which is required to enable the Mail Items Accessed audit which is a very effective tool for determining specific accesses to Mail items. Make sure that you've enabled MFA for _ALL_ accounts, including dormant/disabled accounts. Make sure the MFA self-enrollment process leverages features such as conditional access to ensure an adversary who guesses credentials isn’t able to self-enroll before the legitimate user can. When considering MS 365 security, don’t underestimate the skills of possible attackers.

Lee Neely

This is an interesting “trick” in that it is likely perfectly reasonable to users to follow the instructions on these fake DDoS protection pages. There is no good way for a user to distinguish a fake from a real DDoS protection page. Some user education may help.

Johannes Ullrich

As a site owner, make sure that you're keeping it updated; implement MFA for administrator accounts. If you're not implementing MFA for all accounts, use strong passwords for end-users, and allow them to self-enroll in MFA. Put a firewall in front of your site, and looking into file integrity monitoring which can alert you to unauthorized or unexpected changes. As a user, beyond keeping your system updated, look carefully at requests to verify you are not a bot or other malicious agent. Make sure that your endpoint protection is both enabled and keeping current.

Lee Neely

Good to see proactive effort for assuring the security of election systems. This was a larger, longer version of a tabletop exercise – many CISOs have found doing 1-4 hour tabletop exercises with Boards of Directors, often outside of the regular board meeting, to be very effective in both gaining trust for strategy and support from directors and senior management.

John Pescatore

When's the last time you conducted a tabletop exercise? Did it include the same systems as last time or are you working through all your systems, including cloud and outsourced services? CISA has resources to help if you don't have a handle on conducting these exercises. Make them regular – at least annual – and implement lessons learned, don't leave them sitting in a report someplace.

Lee Neely

At this point, if you’ve not applied the patches and have Internet facing Zimbra instances, you need to assume they've been compromised. This means you need to forensicate your environment _AND_ apply the updates. Leverage the snort signatures in the CISA alert to detect malicious activities, as well as any activity from the C2 domain. Act now before you show up on a list of pwned sites. Note the Zimbra flaws are on the CISA KEV site with due dates of September 1st.

Lee Neely

I worked for the original Entrust PKI company back in the late 1990s – a security firm launching a DDoS attack back then wasn’t even a consideration. Doing so today shouldn’t be one either, as it is unlikely to have any positive outcome. Good example to use to drive planning for how your company would respond if attack traffic was doctored to appear as if it was coming from you.

John Pescatore

Entrust has contracts through GSA and US-Access to provide HSPD-12 badges to much of the US Government as well as many other customers of their hosted and local PKI services. I have been involved with their products since 1998 and knowing the company it’s unlikely that they would jeopardize these relationships to strike back at the LockBit gang. If you have a desire to strike back at a threat actor or ransomware gang, be very careful. Not only do you need good operational security, but also a clear understanding of risks, blow-back and permission to use the devices and networks involved in that retaliatory move.

Lee Neely

It should come as no surprise the cybercriminals do not have robust cybersecurity measures in place and can themselves be victims of cyberattacks. This is a cautionary reminder that even if a criminal gang promises not to release your data should you pay the extortion fee, they themselves cannot guarantee the security of that data on an ongoing basis.

Brian Honan

The attack impacted their online services, not their gas delivery (OT) systems. DESFA is taking a conservative approach of validating and restoring all non-OT IT services, rather than just known compromised systems, before bringing them back online. That is a scenario worth discussing at your next tabletop. While there is no such thing as perfect security, there are steps you can take, like these, to reduce the likelihood of recurrence.

Lee Neely

If you're holding off on pushing people to install the patches for iOS and macOS because a new version is “around the corner,” you need to rethink that strategy as the vulns are being actively exploited. Don't overlook the SAP issues while you're heads-down updating Windows, Chrome and PAN-OS.

Lee Neely

In other verticals, like healthcare, there have been problems when multiple sharing organizations existed without coordination. More sharing is better than less, but isolate silos don’t lead to effective sharing – the JSOC and the Multi-State ISAC should work together to establish coordination/cooperation.

John Pescatore

Information sharing is how we help each other. Overturning that law which limited participation to bordering states allowed the J-CSOC to include the entire nation. As a participant in a service like this, make sure that you understand what information is stored, and how it is shared. Make sure that you have appropriate NDAs as well as sign-off from your risk executive as your CISO and SOC will benefit from access to the information. For optimal benefit, all participants need to ensure they're contributing not just consuming incident and threat data.

Lee Neely

A couple of key points in the study include that deserialization vulnerabilities have an average of six years for removal of the exposed exploitable code constructs as well as using caution to only accept deserialized data from a trusted source. Even with a long patch time, make sure that you're using updated libraries which include fixes for these flaws.

Lee Neely

The efficient use of computers relies upon code reuse. Secure use of computers requires that developers (and users) be accountable for the quality of all the code that they use, regardless of source.

William Hugh Murray

This is the feed between government and private sector customers. As such, data quality and relevance are crucial for effective decision making. CISA has been directed to upgrade systems, hire staff, and implement quality controls on reporting of data to ensure needed context is included to allow consumers to make better decisions.

Lee Neely

Timely and effective intelligence sharing is much more difficult than it looks. It takes years to establish, not weeks or months.

William Hugh Murray