Best advice for responding to today’s biggest cyber threats

If you are like me, you follow world events and news such as Okta being breached by a group of teenagers to see if you need to change your defenses. This may not be a time to roll out new technologies or major changes to your network, as this will introduce other types of risk. Instead, consider taking these steps in response to current events.

Block traffic selectively

Blocking traffic from Russia and Belarus may help you limit noise from your log files, and if you run a customer-facing website, from trolls and spam comments, but blocking their location will not slow a dedicated attacker. They will merely hop on another VPN and come in from another location. If you do want to reduce traffic, review your business needs and limit to those countries and locations that you do business with.

Review how you use multi-factor authentication

The Okta breach made some of us rethink how multi-factor authentication (MFA) is implemented. We tend to roll out push-style MFA to make it easy on the users, but often this lures users into approving prompts without thinking about what is happening. Consider the risks of the users and for what they use MFA.

Microsoft is urging folks to move away from prompt-based two-factor authentication to matching an item. Already rolled out to their consumer-based Microsoft account MFA, the company is now using a prompt of a number to match.

Keep communications on threats relevant to users and leadership

Sending too much communication to staff and management about what should or should not be done is just noise. The sky is not falling, and that noise will only encourage people to tune out the important messages. Send communications only when it is relevant to your firm and can be actionable to your end users.

You still need to keep senior leadership informed about what is going on and perhaps what you are seeing in your log files. Use fact sheets on news items and security events, and prepare briefs to show where you have taken action, where you are researching actions to take, and what resources you might need to maintain or complete a goal.

Find appropriate information and technical resources

Find resources regarding how attacks occurred and determine if your firm has the necessary resources to protect itself. For example, recent events in Ukraine used ransomware and disk wiping software to do the most damage. Do you have the resources to restore or redeploy systems? Do you have resources to withstand DoS attacks?

Ensure that someone on your staff watches social media sites for information on attacks and methodologies. Twitter often has insight and information into events. Even if you don’t tweet, you can set up an account watch what others say. Start with a recommended list of tweeters, and then look at who they follow and add them to your list. The SANS Internet Storm Center is also another excellent resource for information about incidents and events.

If you have a Microsoft’s 365 E5 license, you can review threats on the Threat Analytics website. The console provides actionable information regarding the attacks Microsoft is investigating. You can drill down in the console to review recommendations for mitigation and prevention.

Susan Bradley

You will often see recommended Attack Surface Reduction (ASR) rules to block and protect machines. You can often enable ASR rules without any major side effects, but it’s recommended to roll these rules after testing. I highly recommend that you start an analysis of the impact of such rules in your network.

Susan Bradley

To stay up to date on global threats, pay attention to government advisories. In particular, review two documents that were released as a result of potential Russian cyber activity: the White House’s Fact Sheet: Act Now to Protect Against Potential Cyberattacks and the Cybersecurity & Infrastructure Security Agency’s (CISA’s) Shields Up advisories. If you are part of a government network or critical infrastructure, the Information Sharing and Analysis Center (ISAC) for your industry will also have relevant information on recent threats.