On January 6, 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to U.S. businesses and the cybersecurity community in light of the “current tensions” between Iran and the United States. In particular, the alert describes several of Iran’s previous cyber operations that targeted a variety of industries and organizations, including financial services, the energy and chemical sectors, government facilities, health care organizations, critical manufacturing, communications and the defense industrial base. The alert also sets forth “actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability.” According to CISA, these recommendations are not exhaustive and are intended to describe the actions that “will likely have the highest return on investment.” The CISA recommendations are as follows.
- Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
- Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.
- Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
- Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
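As an added illustration of the first recommendation (not code from the CISA alert or from Thompson Hine), the following PowerShell script inventories the TCP ports a Windows host is listening on, maps each to its owning process, and flags any port that is not on an explicit allowlist. The allowlist entries are constructed assumptions for the example; an administrator would replace them with the services the host is actually meant to expose, and the same review would then be repeated on the network security devices the alert refers to.

```powershell
# Added example (not from the CISA alert or Thompson Hine): list listening TCP
# ports on a Windows host and flag any that are not on an allowlist, as a
# starting point for the "disable unnecessary ports and protocols" review.
# Requires the NetTCPIP module (Windows 8 / Server 2012 and later).

# Constructed allowlist: replace with the services this host should expose.
$AllowedListeners = @(
    @{ Port = 443;  Reason = 'HTTPS front end' },
    @{ Port = 3389; Reason = 'RDP, restricted to the management subnet at the firewall' }
)
$AllowedPorts = $AllowedListeners | ForEach-Object { $_.Port }

function Get-ListeningPortInventory {
    # One row per (address, port) listener, excluding loopback-only listeners,
    # with the owning process name so an unexpected port can be traced to a service.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $port = $_.LocalPort
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $port
                ProcessId    = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Allowed      = ($AllowedPorts -contains $port)
            }
        } | Sort-Object Port, LocalAddress
}

function Get-UnexpectedListeners {
    # Listeners that need a decision: shut the service off, firewall the port,
    # or add it to the allowlist with a documented reason.
    Get-ListeningPortInventory | Where-Object { -not $_.Allowed }
}

$unexpected = Get-UnexpectedListeners
if ($unexpected) {
    'Listeners not on the allowlist (review, then disable or document each):'
    $unexpected | Format-Table -AutoSize
} else {
    'All non-loopback listening ports are on the allowlist.'
}
```

Running the script periodically (or from a configuration-management job) and diffing its output against the previous run turns the one-time review the alert asks for into ongoing detection of newly opened ports.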
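As an added example for the PowerShell recommendation (not code from the CISA alert or from Thompson Hine), the following script applies the three controls that bullet lists: it turns on script block, module and transcription logging through the local policy registry keys, restricts execution to signed scripts, verifies the resulting policy, and pulls the script blocks logged in the last day for review. It assumes the host is not already governed by a Group Policy that overrides these keys, and the transcript directory is a placeholder path.

```powershell
# Added example (not from the CISA alert or Thompson Hine): enable PowerShell
# logging, require signed scripts, verify the policy, and review recent script
# block events. Run from an elevated PowerShell session on the host.
# Assumption: no domain Group Policy overrides these local policy keys.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Create the policy subkey if needed and write one value under it.
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging: the text of every script block executed (event ID 4104).
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
    # Module logging for all modules: pipeline execution details (event ID 4103).
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'
    # Transcription: full session text written to a directory. 'C:\PSTranscripts' is
    # a placeholder; in practice point this at a protected, append-only location.
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type 'String'
}

function Enable-SignedScriptsOnly {
    # Machine-wide: only scripts signed by a trusted publisher may run.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Test-PowerShellLoggingPolicy {
    # $true only when all three logging policies read back as enabled.
    $checks = @(
        @{ SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ SubKey = 'Transcription';      Name = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $path  = Join-Path $PolicyRoot $c.SubKey
        $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($value -ne 1) { return $false }
    }
    return $true
}

function Get-RecentScriptBlocks {
    # Script blocks logged in the last N hours, for the "log all PowerShell
    # commands" review. Property index 2 of a 4104 event is the script text.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.UserId
            Script = $_.Properties[2].Value
        }
    }
}

Enable-PowerShellLogging
Enable-SignedScriptsOnly
"Logging policy enabled: $(Test-PowerShellLoggingPolicy)"
Get-RecentScriptBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

In an Active Directory environment the same settings are normally pushed through Group Policy (Administrative Templates, Windows Components, Windows PowerShell) rather than set host by host, and the 4103/4104 events should be forwarded to a central collector so that they survive if the host itself is compromised. Limiting which accounts may run PowerShell at all, the other half of the recommendation, is an access-control decision (for example via AppLocker or constrained language mode) that this script does not make.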
Compliments of Thompson Hine, a Member of the EACCNY