National Cyber Awareness System: 01/06/2020 03:01 PM EST
Original release date: January 6, 2020
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the
following information with the cybersecurity community as a primer for
assisting in the protection of our Nation’s critical infrastructure in light of
the current tensions between the Islamic Republic of Iran and the United States
and Iran’s historic use of cyber offensive activities to retaliate against
perceived harm. Foremost, CISA recommends organizations take the following
actions:
- Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
- Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
- Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see Contact Information section below).
- Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the access they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
Technical Details
Iranian Cyber Threat Profile
Iran has a history of leveraging asymmetric tactics to pursue national
interests beyond its conventional capabilities. More recently, its use of
offensive cyber operations is an extension of that doctrine. Iran has exercised
its increasingly sophisticated capabilities to suppress both social and
political perspectives deemed dangerous to Iran and to harm regional and
international opponents.
Iranian cyber threat actors have continuously improved their offensive cyber capabilities. They continue to engage in more “conventional” activities, ranging from website defacement and distributed denial of service (DDoS) attacks to theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, including destructive wiper malware and, potentially, cyber-enabled kinetic attacks.
The U.S. intelligence community and various private sector threat
intelligence organizations have identified the Islamic Revolutionary Guard
Corps (IRGC) as a driving force behind Iranian state-sponsored
cyberattacks–either through contractors in the Iranian private sector or by the
IRGC itself.
Iranian Cyber Activity
According to open-source information, offensive cyber operations targeting a
variety of industries and organizations—including financial services, energy,
government facilities, chemical, healthcare, critical manufacturing,
communications, and the defense industrial base—have been attributed, or
allegedly attributed, to the Iranian government. The same reporting has
associated Iranian actors with a range of high-profile attacks, including the following:
- Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: In response to this activity, in March 2016, the U.S. Department of Justice indicted seven Iranian actors employed by companies performing work on behalf of the IRGC for conducting DDoS attacks primarily targeting the public-facing websites of U.S. banks. The attacks prevented customers from accessing their accounts and cost the banks millions of dollars in remediation. [1]
- August/September 2013 – Unauthorized Access to Dam in New York State: In response, in March 2016, the U.S. Department of Justice indicted one Iranian actor employed by a company performing work on behalf of the IRGC for illegally accessing the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the actor to obtain information regarding the status and operation of the dam. [2]
- February 2014 – Sands Las Vegas Corporation Hacked: Cyber threat actors hacked into the Sands Las Vegas Corporation in Las Vegas, Nevada, and stole customer data, including credit card data, Social Security Numbers, and driver’s license numbers. According to a Bloomberg article from December 2014, the attack also involved a destructive portion, in which the Sands Las Vegas Corporation’s computer systems were wiped. In September 2015, the U.S. Director of National Intelligence identified the Iranian government as the perpetrator of the attack in a Statement for the Record to the House Permanent Select Committee on Intelligence. [3]
- 2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: In response, in March 2018, the U.S. Justice Department indicted nine Iranian actors associated with the Mabna Institute for conducting a massive cyber theft campaign comprising dozens of individual incidents, including “many on behalf of the IRGC.” The thefts targeted academic and intellectual property data as well as email account credentials. According to the indictment, the campaign targeted “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.” [4]
Mitigations
Recommended Actions
The following is a composite of actionable technical recommendations for IT
professionals and providers to reduce their overall vulnerability. These
recommendations are not exhaustive; rather they focus on the actions that will
likely have the highest return on investment. In general, CISA recommends two
courses of action in the face of potential threat from Iranian actors: 1)
vulnerability mitigation and 2) incident preparation.
- Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
- Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.
- Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
- Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
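The first recommendation above, shutting off unnecessary ports and protocols, starts with knowing what is actually listening on each host and which process owns it. The following is an added example and is not part of the CISA alert: it builds that inventory on a Windows host with the NetTCPIP cmdlets (Windows 8 / Server 2012 and later) and flags sockets that are reachable from the network and outside an expected-port list. The expected-port list is a placeholder assumption; replace it with the host's documented service ports.

```powershell
# Added example, not from the CISA alert: inventory every listening socket on a
# Windows host with its owning process and whether it is bound to all
# interfaces, then flag ports outside an expected list. The expected-port list
# is an assumption; replace it with the host's documented services.

function Get-ListeningPortInventory {
    param(
        # Assumed baseline for a domain-joined server; tune per host role.
        [int[]]$ExpectedPorts = @(135, 139, 445, 3389)
    )

    # PID -> process name. Keys are cast to [int] so that lookups with the
    # [uint32] OwningProcess values below match (Hashtable compares type and value).
    $procName = @{}
    Get-Process | ForEach-Object { $procName[[int]$_.Id] = $_.ProcessName }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = [int]$_.LocalPort; OwningProcess = [int]$_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = [int]$_.LocalPort; OwningProcess = [int]$_.OwningProcess }
    }

    @($tcp) + @($udp) | ForEach-Object {
        [pscustomobject]@{
            Protocol      = $_.Protocol
            LocalPort     = $_.LocalPort
            LocalAddress  = $_.LocalAddress
            # Bound to every interface: reachable from the network, not just loopback.
            AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
            Process       = $procName[$_.OwningProcess]
            OwningProcess = $_.OwningProcess
            Unexpected    = $ExpectedPorts -notcontains $_.LocalPort
        }
    } | Sort-Object Protocol, LocalPort
}

# Candidates to shut off: reachable from the network and not in the expected list.
Get-ListeningPortInventory |
    Where-Object { $_.Unexpected -and $_.AllInterfaces } |
    Format-Table Protocol, LocalPort, LocalAddress, Process, OwningProcess -AutoSize
```

Run it per host role and keep the full inventory (not just the flagged rows) as a baseline; a listener that appears later on a port the baseline never had is exactly the change the alert asks you to notice. Loopback-only listeners are deliberately not flagged, since they are not reachable from the network.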
Patterns of Publicly Known Iranian Advanced Persistent Threats
The following mitigation and detection recommendations for publicly known Iranian advanced persistent threat (APT) techniques are based on the MITRE ATT&CK Framework. [5]
Iranian APT Technique: Mitigation and Detection

Mitigation
- Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication.
- Consider disabling or restricting NTLM.
- Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
- Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Detection
- Windows: Monitor for unexpected processes interacting with lsass.exe.
- Linux: The auditd monitoring tool can be used to watch for hostile processes opening a maps file in the proc file system, alerting on the PID, process name, and arguments of such programs.

Mitigation
- Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after they have been processed/interpreted.

Mitigation
- Network intrusion prevention or data loss prevention tools may be set to block specific file types from leaving the network over unencrypted channels.
Detection
- Process monitoring and monitoring of command-line arguments for known compression utilities.
- If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers.

Mitigation
- Set PowerShell execution policy to execute only signed scripts.
- Remove PowerShell from systems when not needed, but a review should be performed first to assess the impact on the environment, since it may be in use for many legitimate purposes and administrative functions.
- Disable/restrict the WinRM service to help prevent use of PowerShell for remote execution.
- Restrict PowerShell execution policy to administrators.
Detection
- If PowerShell is not used in an environment, looking for PowerShell execution may detect malicious activity.
- Monitor for loading and/or execution of artifacts associated with PowerShell-specific assemblies, such as System.Management.Automation.dll (especially by unusual process names/locations).
- Turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations).

User Execution
Mitigation
- Application whitelisting may be able to prevent the running of executables masquerading as other files.
- If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
- Block unknown or unused files in transit by default that should not be downloaded, or by policy from suspicious sites, as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc.
- Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Detection
- Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.
- Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer.
- Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.

Mitigation
- Configure Office security settings to enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. Other types of virtualization and application microsegmentation may also mitigate the impact of compromise.
- Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.
Detection
- Examine scripting user restrictions. Evaluate any attempts to enable scripts running on a system that would be considered suspicious.
- Scripts should be captured from the file system when possible to determine their actions and intent.
- Monitor processes and command-line arguments for script execution and subsequent behavior.
- Analyze Office file attachments for potentially malicious macros.
- Office processes, such as winword.exe, spawning instances of cmd.exe, script applications like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity.

Mitigation
- This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
- Monitor the Registry for changes to run keys that do not correlate with known software, patch cycles, etc.
- Monitor the start folder for additions or changes.
- Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.
- To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Mitigation
- Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level.
Detection
- Monitor for file creation and files transferred within a network over SMB.
- Monitor use of utilities, such as FTP, that do not normally occur.
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Spearphishing Link
Mitigation
- Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
- Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.
Detection
- URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites.
- Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Mitigation
- Anti-virus can automatically quarantine suspicious files.
- Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.
- Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc.
- Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious attachments in Obfuscated Files or Information.
- Users can be trained to identify social engineering techniques and spearphishing emails.
Detection
- Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit.
- Detonation chambers may also be used to identify malicious attachments.
- Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
- Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.
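The alert asks for PowerShell logging and signed-only execution twice: in the Recommended Actions list ("Log and limit usage of PowerShell") and again in the PowerShell row of the table above (execution policy, WinRM, logging). The following is an added example, not part of the CISA alert, that applies those settings through the same registry policy keys Group Policy writes and then reports the resulting state. It assumes an elevated Windows PowerShell 5.1 session; the transcript directory name is an arbitrary choice, and the PowerShell 2.0 check is an added caveat (that engine predates all of this logging).

```powershell
# Added example, not from the CISA alert: apply the alert's PowerShell
# recommendations (script block/module logging, transcription, signed-only
# execution, optional WinRM shutdown) through the registry policy keys that
# Group Policy uses, then report the resulting state. Run elevated in
# Windows PowerShell 5.1. The transcript directory is an assumed choice.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed; lock down its ACL and forward it off-host

function Set-PowerShellHardening {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([switch]$DisableWinRM)

    # 1. Script block logging: code as executed, after de-obfuscation, to
    #    Microsoft-Windows-PowerShell/Operational event 4104.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # 2. Module logging for every module: pipeline execution details, event 4103.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # 3. Transcription of every session, with invocation headers, to one directory.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting'    -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory'        -Value $TranscriptDir -Type String

    # 4. Signed scripts only. Execution policy is a safety rail rather than a
    #    security boundary (an interactive attacker can bypass it), so it is
    #    paired with the logging above rather than relied on alone.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

    # 5. Optional: stop remote PowerShell over WinRM. Review dependencies first;
    #    many management tools rely on it.
    if ($DisableWinRM -and $PSCmdlet.ShouldProcess('WinRM', 'Stop and disable')) {
        Stop-Service -Name WinRM -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WinRM -StartupType Disabled
    }
}

function Get-PowerShellHardeningState {
    # One object per host so results can be collected and compared fleet-wide.
    $get = { param($Key, $Name)
        (Get-ItemProperty -Path (Join-Path $PolicyRoot $Key) -Name $Name -ErrorAction SilentlyContinue).$Name }
    # PowerShell 2.0 has none of this logging; if the optional feature is still
    # installed, "powershell -version 2" sidesteps everything configured above.
    $psv2 = $(try { (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop).State -eq 'Enabled' } catch { 'unknown' })
    [pscustomobject]@{
        ScriptBlockLogging = (& $get 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (& $get 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription      = (& $get 'Transcription' 'EnableTranscripting') -eq 1
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        WinRMStartType     = (Get-Service -Name WinRM -ErrorAction SilentlyContinue).StartType
        PowerShellV2       = $psv2
    }
}

Set-PowerShellHardening            # add -DisableWinRM once nothing is found to depend on remoting
Get-PowerShellHardeningState | Format-List
```

On domain members, set the same values through Group Policy (Administrative Templates, Windows Components, Windows PowerShell) so that a policy refresh does not overwrite the local keys. The 4104 events are the ones to forward to the SIEM; transcripts are the human-readable backup when a 4104 stream is truncated.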
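Two of the host-side detections in the table, unexpected processes interacting with lsass.exe and Office processes spawning cmd.exe, wscript.exe or powershell.exe, are easiest to understand as rules over process telemetry. The following is an added example, not part of the CISA alert, that runs both rules over a constructed sample of Sysmon-style records. The field names follow Sysmon's ProcessCreate (event 1) and ProcessAccess (event 10) events; the rows are made up for this example and are not real telemetry, and the lsass allowlist is an assumption to tune per environment.

```powershell
# Added example, not from the CISA alert: two of the table's host detections
# (Office applications spawning script hosts; unexpected processes opening
# lsass.exe) run over a constructed sample of Sysmon-style records. Field names
# follow Sysmon ProcessCreate (event 1) and ProcessAccess (event 10); the rows
# are made up for this example, and the lsass allowlist is an assumption.

$SampleEvents = @'
EventId,Image,ParentImage,CommandLine,SourceImage,TargetImage,GrantedAccess
1,C:\Windows\System32\cmd.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",,,
1,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Windows\explorer.exe,powershell.exe -File C:\Scripts\backup.ps1,,,
1,C:\Windows\System32\wscript.exe,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs,,,
10,,,,C:\Windows\System32\csrss.exe,C:\Windows\System32\lsass.exe,0x1000
10,,,,C:\Users\alice\AppData\Local\Temp\svc.exe,C:\Windows\System32\lsass.exe,0x1010
10,,,,C:\Program Files\Windows Defender\MsMpEng.exe,C:\Windows\System32\lsass.exe,0x1FFFFF
'@

$OfficeParents  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$ScriptHosts    = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe'
$LsassAllowlist = 'csrss.exe', 'wininit.exe', 'services.exe', 'msmpeng.exe'   # assumed; build from your own baseline

function Find-SuspiciousEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        switch ([int]$e.EventId) {
            1 {
                # Compare on file names only; install paths vary, process names do not.
                $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
                $child  = [IO.Path]::GetFileName($e.Image).ToLower()
                if ($OfficeParents -contains $parent -and $ScriptHosts -contains $child) {
                    [pscustomobject]@{ Rule = 'OfficeSpawnsScriptHost'; Detail = "$parent -> $child  $($e.CommandLine)" }
                }
            }
            10 {
                $source = [IO.Path]::GetFileName($e.SourceImage).ToLower()
                $target = [IO.Path]::GetFileName($e.TargetImage).ToLower()
                if ($target -eq 'lsass.exe' -and $LsassAllowlist -notcontains $source) {
                    [pscustomobject]@{ Rule = 'UnexpectedLsassAccess'; Detail = "$($e.SourceImage) GrantedAccess=$($e.GrantedAccess)" }
                }
            }
        }
    }
}

Find-SuspiciousEvents -Events ($SampleEvents | ConvertFrom-Csv) | Format-Table -AutoSize -Wrap
```

Against the sample this reports the two Office-spawned script hosts and the lsass.exe access from the Temp directory (GrantedAccess 0x1010, the read/query mask credential-dumping tools typically request), while the explorer-launched backup script and the csrss.exe and Defender accesses pass. In production the same two rules are fed from the Sysmon operational log or the EDR's process stream rather than a CSV, and the allowlist is populated from a clean baseline rather than guessed.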
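The persistence row of the table says to monitor Run keys and the Startup folder and to use Autoruns to list them; what makes that actionable is a baseline to diff against. The following is an added example, not part of the CISA alert, that snapshots those locations and reports additions, modifications and removals against a saved baseline. The key list covers the Run and RunOnce keys the table refers to (including the WOW6432Node view on 64-bit hosts) and both Startup folders; the baseline file location is an assumed choice.

```powershell
# Added example, not from the CISA alert: snapshot the autostart locations the
# table names (Run/RunOnce keys and both Startup folders) and diff the result
# against a saved baseline. The baseline path is an assumed choice.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutostartSnapshot {
    # One flat record per entry: Location, Name, Value. Registry values carry the
    # command line; Startup-folder files carry their SHA-256, so a swapped binary
    # shows up as a change even when the file name is unchanged.
    $items = foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Value = [string]$k.GetValue($name) }
        }
    }
    $files = foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File -Force) {
            [pscustomobject]@{ Location = $dir; Name = $f.Name; Value = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash }
        }
    }
    @($items) + @($files)
}

function Compare-AutostartSnapshot {
    param([Parameter(Mandatory)][object[]]$Baseline, [Parameter(Mandatory)][object[]]$Current)
    $index = @{}
    foreach ($b in $Baseline) { $index["$($b.Location)|$($b.Name)"] = $b.Value }
    foreach ($c in $Current) {
        $id = "$($c.Location)|$($c.Name)"
        if (-not $index.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added';    Location = $c.Location; Name = $c.Name; Value = $c.Value }
        } elseif ($index[$id] -ne $c.Value) {
            [pscustomobject]@{ Change = 'Modified'; Location = $c.Location; Name = $c.Name; Value = $c.Value }
        }
        $index.Remove($id)
    }
    # Whatever is left in the index existed in the baseline but not now.
    foreach ($id in $index.Keys) {
        $loc, $name = $id -split '\|', 2
        [pscustomobject]@{ Change = 'Removed'; Location = $loc; Name = $name; Value = $index[$id] }
    }
}

$BaselinePath = 'C:\ProgramData\autostart-baseline.json'   # assumed location; protect it from the users it watches
if (-not (Test-Path $BaselinePath)) {
    ConvertTo-Json -InputObject @(Get-AutostartSnapshot) -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    Compare-AutostartSnapshot -Baseline @($baseline) -Current @(Get-AutostartSnapshot) | Format-Table -AutoSize -Wrap
}
```

The first run writes the baseline; subsequent runs (a scheduled task is the usual vehicle) print only the deltas. As the table notes, an "Added" Run value is a lead rather than a verdict: correlate it with the patch cycle and with what the new entry does on the network before calling it persistence.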
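Two of the network detections in the table are concrete enough to write down: spotting compressed files in transit by their file headers when the channel is unencrypted, and flagging uncommon data flows where a client sends far more than it receives. The following is an added example, not part of the CISA alert, that implements both as functions. The archive signatures are the standard leading bytes of zip, RAR, 7-Zip and gzip files; the flow records are constructed for this example, and the ratio and size thresholds are assumptions to calibrate against your own traffic.

```powershell
# Added example, not from the CISA alert: two of the table's network detections
# as functions. Test-CompressedPayload matches leading bytes against archive
# magic numbers (what a DLP/IDS file-header check does on an unencrypted
# channel); Find-LopsidedFlows flags clients that send far more than they
# receive. The flow records below are constructed; thresholds are assumptions.

$ArchiveMagic = @{
    'zip'  = [byte[]](0x50, 0x4B, 0x03, 0x04)               # "PK\3\4" local file header
    'rar'  = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07)   # "Rar!\x1A\x07"
    '7z'   = [byte[]](0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C)   # "7z\xBC\xAF\x27\x1C"
    'gzip' = [byte[]](0x1F, 0x8B)
}

function Test-CompressedPayload {
    # Returns the archive type whose signature the payload starts with, or $null.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    foreach ($kind in $ArchiveMagic.Keys) {
        $sig = $ArchiveMagic[$kind]
        if ($Bytes.Length -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($Bytes[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $kind }
    }
    return $null
}

# Constructed per-flow byte counts of the kind a firewall or NetFlow export gives you.
$Flows = @'
Client,Server,Port,BytesOut,BytesIn
10.0.1.15,203.0.113.10,443,524288000,1048576
10.0.1.22,10.0.0.5,445,2097152,1610612736
10.0.1.30,198.51.100.7,21,78643200,65536
10.0.1.40,203.0.113.44,443,1048576,52428800
'@ | ConvertFrom-Csv

function Find-LopsidedFlows {
    # Flags flows whose upload volume is both large and far above the download volume.
    param([object[]]$Records, [double]$MinRatio = 20, [long]$MinBytesOut = 50MB)
    foreach ($r in $Records) {
        $tx = [long]$r.BytesOut
        $rx = [long]$r.BytesIn
        $ratio = if ($rx -gt 0) { $tx / $rx } else { [double]::PositiveInfinity }
        if ($tx -ge $MinBytesOut -and $ratio -ge $MinRatio) {
            [pscustomobject]@{ Client = $r.Client; Server = $r.Server; Port = $r.Port; MBOut = [math]::Round($tx / 1MB); Ratio = [math]::Round($ratio, 1) }
        }
    }
}

Find-LopsidedFlows -Records $Flows | Format-Table -AutoSize
Test-CompressedPayload -Bytes ([byte[]](0x50, 0x4B, 0x03, 0x04, 0x14, 0x00))
```

On the constructed flows the first (500 MB out over HTTPS against 1 MB in) and third (75 MB out over FTP against 64 KB in) are flagged; the SMB download and the small HTTPS session are not. To check a real file, pass its first few bytes, for example `Get-Content -Path $file -Encoding Byte -TotalCount 8` in Windows PowerShell 5.1. Note the caveat the table itself states: the header check only works when the channel is unencrypted, which is why the volume heuristic is kept alongside it.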
=======================================
For a great satire on email, please see the following:
https://www.youtube.com/watch?v=HTgYHHKs0Zwscoop_post=bcaa0440-2548-11e5-c1bd-90b11c3d2b20&__scoop_topic=2455618
===============================================
Good Netiquette And A Green Internet To All!
++++++++++++++++++++++++++++++++++++++++++++++++++++
air gapping
Air gapping is a security measure that physically isolates a computer or network so that it has no wired or wireless connection to other systems that can reach the Internet. Air gapping is used to protect many types of critical systems, including those that support the stock market, the military, the government and industrial power industries.
To prevent unauthorized data exfiltration through electromagnetic or electronic emanations, guidance specifies a minimum separation between the air-gapped system and outside walls, and between its cabling and the cabling of other equipment. In the United States, the U.S. National Security Agency's TEMPEST standards provide the emanation-security best practices that accompany an air gap.
For a system with extremely sensitive data, a Faraday cage can be used to prevent electromagnetic radiation (EMR) from escaping the air-gapped equipment. Although such measures may seem extreme, van Eck phreaking can recover data such as keystrokes or screen images from demodulated EMR using special equipment at some distance away. Other proof-of-concept (POC) attacks on air-gapped systems have shown that malware on an isolated computer can turn components such as sound cards into covert transmitters, and that continuous-wave irradiation can be used to reflect and gather information from isolated screens, keyboards and other computer components.
As of this writing, the Defense Advanced Research Projects Agency (DARPA) is awarding grants for prototype hardware and software designs that will keep sensitive data physically isolated. The grants are made possible under the Guaranteed Architecture for Physical Security (GAPS) program.
Enhancing air-gapped security measures
The problem with physical separation as a security technique is that, as the complexity of the system or network to be isolated increases, so does the likelihood that some unknown or unauthorized external connection will arise.
Perhaps the most important way to protect a computing device or network from an air gap attack is end user security awareness training. The infamous Stuxnet worm, which was designed to attack air-gapped industrial control systems, is thought to have been introduced on infected USB drives carried in by employees or contractors.
The software-defined perimeter (SDP) framework is another tool network engineers can use to create a type of "virtual air gapping" through policy enforcement. SDP requires external endpoints that want to reach internal infrastructure to authenticate and satisfy policy first, and only then exposes internal IP addresses to them, so unauthenticated systems cannot even discover the services behind the perimeter.
In my books, noted below, I often lament the lack of civility, the deterioration of written communication and the abuse of the power of the Internet. Electronic communication, in my opinion, breeds negativity and behavior which does not exist in direct communication.
The following is an excerpt from my first book which addresses angry email replies.
Enjoy the article and check out the website!
Special Bulletin - My just released book is now on sale at Amazon.com
Great Reasons for Purchasing Netiquette IQ
· Get more email opens. Improve 100% or more.
· Receive more responses, interviews, appointments, prospects and sales.
· Be better understood.
· Eliminate indecision.
· Avoid being spammed 100% or more.
· Have recipients finish reading your email content.
· Save time by reducing questions.
· Increase your level of clarity.
· Improve your time management with your email.
· Have quick access to a wealth of relevant email information.
Enjoy most of what you need for email in a single book.
=================================
**Important note** - contact our company for very powerful solutions for IP management (IPv4 and IPv6), security, firewall and APT solutions:
www.tabularosa.net
==================================================
Another Special Announcement - Tune in to my radio interview on Rider University's station, www.1077thebronc.com, where I discuss my recent book, above, on "Your Career Is Calling", hosted by Wanda Ellett.
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” has just been published and will be followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
In addition to this blog, I maintain a radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and PSG of Mercer County, NJ.
I am the president of Tabula Rosa Systems, a “best of breed” reseller of products for communications, email, network management software, security products and professional services. Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.
Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology marketplace. Anyone who would like to review the book and have it posted on my blog or website, please contact me at paul@netiquetteiq.com.
=============================================================