Here's how Italian companies can defend themselves in these weeks of grave danger on the cybersecurity front: the instructions of the CSIRT. After the alarms of recent days, a new post from the CSIRT (Computer Security Incident Response Team) of the National Cybersecurity Agency contains a new important notice. "The worsening of malicious activities in cyberspace", he explains, "increases the possibility that they can generate spillover phenomena outside the assets directly targeted by the campaigns". The notice is a real vademecum for Italian companies, especially those most exposed to foreign markets or the most important from a strategic point of view, so that they avoid lending their side to a swarm of cyberattacks that are now taken for granted. However, experts also warn the world of SMEs because, by virtue of fewer internal experiences and fewer funds to be able to invest on this front, there is a risk of seeing an entire production fabric or entire supply chains exposed to dangers. Instead, companies and the economy need to be secured through precise actions that the Cybersecurity Agency has well described in this new bulletin issued in the very hours of the consultation between Ukraine and Russia.
CSIRT: how to raise the defensive posture The CSIRT talks about "raising the defensive posture" and explains this concept in detail. First of all, the main vectors used to conduct malicious activities from outside the perimeter of corporate networks are listed: • use of public communication platforms for the release of malicious code; • sending phishing emails containing malicious attachments or links in the body of the emails; Malicious files distributed via peer-to-peer sharing platforms; • exploitation of known vulnerabilities in internet-facing systems; • malware released through specially created or compromised websites, for example for watering-hole campaigns; • use of systems that can be used to amplify the effect of volumetric DDoS attacks (e.g. incorrectly configured LDAP and DNS).
As regards the assets inside the network, however, it will be necessary to pay close attention to any anomalies found in: • patch management systems; • asset management systems; • remote management systems; • security systems (antivirus, firewall, etc); • systems assigned to administrators; • centralized systems for logging, backup, file sharing, storage; • systems for managing a domain (eg Active Directory, LDAP, etc); • network devices (routers, switches). How to mitigate the dangers These are the suggested mitigation actions: • reduction of the external attack surface o perform in-depth asset management of all systems directly or indirectly exposed on the Internet by verifying their Operating System and installed software (and related patch-level), services running, scheduled tasks, firewalling rules that allow them to be exposed, protection (AV, EDR, WAF, HIPS, NIPS, Firewall, CDN, etc) and relative level of updating and correct configuration, availability of everything necessary for the complete reinstallation of the system (golden-image, source code, database structure, etc. ); o ensure that the most restrictive best practices in terms of security are implemented on all components of these systems, also disabling all unnecessary features / packages; o perform the reclamation of all DNS records no longer used; o implement the following measures on its authoritative DNS: disabling recursion, limiting recursion to only the necessary clients, implementing response rate limiting; o verify the actual need for exposure of the identified systems and, if not necessary, proceed with the removal of the same; proceed with the patching of all the identified components paying particular attention to use only verified sources for finding the update software; o if it is not possible for application limitations the patching activity, evaluate the possibility of disconnecting the service / asset, implement virtual patching systems, segregate non-updatable components in a dedicated DMZ allowing them only the communications strictly necessary for the functioning of the hosted service, raise the logging and monitoring capabilities of these systems to the maximum level; o verify the communication flows available to the exposed assets, reducing them to essential communications only and raising the level of logging and monitoring of these flows; o inhibit, if not strictly necessary, the outgoing traffic of the assets exposed on the internet. • reduction of the internal attack surface o verify / implement network segmentation making sure that the client-to-server and server-to-server traffic management rules only allow traffic strictly necessary for the correct functioning of the applications, making sure that such flows are defined, documented, approved and monitored; o verify / implement a segregated network for all the management of network equipment, storage, virtualization infrastructures; o verify all accesses to the Internet by removing, where possible, those that are not strictly necessary, and making sure that they offer logging capabilities and the setting of traffic blocking rules; o verify that all the components of the network are correctly registered and managed; o strengthen the checks carried out by anti spam systems to reduce the delivery of possible phishing emails; o perform internal training sessions for its staff, in particular highlighting the risks associated with opening files and links received via e-mail systems, text messages, instant messaging. • stringent control of access to systems / services o implement multi-factor authentication for external and internal services; o verify / implement the password policy (min.12 alphanumeric characters, uppercase lowercase, special characters), and the lockdown policy, also verifying that the passwords entered are not contained in public data breach (e.g. using the HIBP service) and evaluating the opportunity to force an overall password reset for all users; o remove the permissions linked to generic groups (eg Everyone, Domain Users, Authenticated Users) making sure that each user belongs to the correct authorization group; o ensure that a dedicated service account is used for each different service and that these are properly documented; o reduce the permissions granted to service accounts to the minimum level necessary for the proper functioning of the applications, removing where possible the permissions to local and interactive logon, access to network shares or unnecessary critical data; o periodically test (depending in particular on the specific temporal depth) the functionality of the backups. • monitoring of logs, network traffic and activities performed by administration accounts o raise the monitoring levels in particular for accounts with administrative privileges and for service accounts, carefully checking the logs relating to successful / unsuccessful logins, access to network shares, interactive and network logons performed via remote session; o monitor network flows by identifying connections made to ports not provided for by applications; o monitor events that may represent scanning or enumeration activities; o ensure that the logging and collection systems of the same are always adequate in the event of architectural changes and that they cover all the systems present on the network; o identify and raise the monitoring level of the network / service components that can represent pivot points for the passage between different segments; to monitor their networks using all available indicators of compromise. • internal organization for the preparation and management of cyber crises: "Individuals and organizations are sent to analyze their organizational structure in order to verify that it is adequate for the preparation and management of an IT incident with a high impact on their operations, by all points of view, both technological and business "; • planning of the revision of its IT infrastructures from a Zero-Trust perspective: "In addition to the revision of its internal plans relating to the management of IT incidents (eg. Incident response plan) and business continuity (eg. Disaster recovery plan, Business continuity plan) , we recommend, where not already in place, the start of a review of its IT infrastructures that leads to the adoption of Zero-Trust paradigms capable of significantly increasing their resilience "; • support internal and external info sharing. This last point is crucial above all from a national perspective, since it involves a communicative interconnection that allows sharing dangers and best practices, identifying any outbreaks (sad word that will recur in this new context) and calming their extent. to this end, the CSIRT reminds that "The sharing of information represents an important multiplier in terms of protection of the cyber space and therefore all subjects are invited to monitor the institutional channels of CSIRT Italy and to share with it through the reporting forms and mail info@csirt.gov.it any information deemed of interest ".
Source: Italian Cybersecurity Agency IT point