Protecting Against Potential Russian Cyber Attacks

Guidance for U.S. State, Local, Tribal, and Territorial (SLTT) Entities

What You Should Do Today

Join the MS-ISAC or EI-ISAC

Level of Effort: 5 minutes to sign up online

Why: The MS-ISAC is the nation’s focal point for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) governments. In cooperation with the Cybersecurity and Infrastructure Security Agency (CISA), the MS-ISAC offers a 24x7x365 security operations center, incident response services, cyber threat intelligence, advisories and notifications, and several products and services, many of which are provided at no cost to SLTTs. The EI-ISAC provides similar services, tailored to the specific technical needs of the U.S. election community.

How: Sign up to join the MS-ISAC or EI-ISAC  

Cost: No cost for SLTTs (State, Local, Tribal, and Territorial Entities)

What You Should Do Tomorrow

Stop malicious internet activity with a service provided by the MS- and EI-ISAC

Level of Effort: 15 minutes to redirect Domain Name System (DNS) resolution. No other configuration or maintenance is required.

Why: Each DNS request from an organization will be passed through our Malicious Domain Blocking & Reporting (MDBR) service, which will automatically block requests for malicious domains. This prevents hosts from connecting to known or suspected malware, phishing, ransomware, or command and control systems, protecting your environment.

How: The process to get started is automated, sign up for MDBR

Cost: No cost for SLTTs that are MS- or EI-ISAC members

What You Should Do in The Next Week

Turn on multi-factor authentication (MFA) for any system that offers it

Level of Effort: For Software as a Service (SaaS) (e.g., Google Workspace, Microsoft 365, and others) it may be as fast as 10 minutes to implement. Others may be more involved. Some user training may be required.

Why: Attackers continue to steal credentials (username and password) from users through phishing attacks and other social engineering tactics. Brute force attacks (using a computer to rapidly try multiple username and password combinations until a match is found) is also a common tactic. MFA protects an organization by up to 96% against these attacks.

How: Do a quick inventory of all systems in use and determine what offers MFA. Whether it is sending users a text message (SMS), or more preferably the use of an app (such as a push to a mobile device or an app like Google Authenticator or Microsoft Authenticator), enable it for all users.

Cost: In most cases, there is no cost to enable MFA 

Obtain a recent vulnerability scan of externally facing IT assets and install all possible patches and updates

Level of Effort: Minimal, but this depends on the size and complexity of the environment. Within a few hours, a scan could be done and results analyzed and prioritized for remediation efforts. Exercise caution when scanning operational technology (OT) environments as aggressive scanning may cause systems to become unavailable. Ensure everything that can be updated and patched within your environment has been.

Why:  Adversaries will be using historical vulnerability information available on the internet as well as launching their own scans to find exploitable vulnerabilities. Your organization should focus on finding and fixing these before the adversary does.

How: SLTTs can request a no-cost vulnerability scan via the CISA Cyber Hygiene (CyHy) program by emailing CISA at [email protected]. Due to the number of requests received by CISA, there may be a delay. SLTTs can also contact the Center for Internet Security (CIS) for vulnerability scanning.

Cost: No cost for use of CISA CyHy. CIS will offer vulnerability scanning of SLTTs' externally facing IT assets at no cost while in this heightened state of alert. Contact CIS at [email protected] 

What You Should Do in the Next Two Weeks

Enable logging on any device that is capable and configure a log collection system

Level of Effort: Minimal – most infrastructure devices and systems have a native logging capability. IT administrators may be able to enable this across all devices using centralized management tools such as Group Policy Objects (GPOs) or others. A system must be set up to collect and store these logs, which could be as simple as a desktop computer with an external hard drive to start.

Why: Logs are what incident response and forensic teams will need in order to recreate an attackers’ footsteps in your network. Logs will help put the puzzle together of who the adversary was, how they got in, how long they were in, and what they did while inside. Logs also help identify previously undetected events or suspicious activity that did not trigger a signature-based defense system.

How: Set up a system (can be a desktop or server running Windows or Linux, although we recommend Linux) and use an open-source tool such as rsyslog to listen for and store logs sent to it. Configure devices to send logs to your syslog server (generally over UDP port 514, but some can be customized). Confirm logs are being received and stored on the system or external hard drive.

Cost: Minimal. You may be able to repurpose a computer for this and external storage if necessary. Use an operating system such as Ubuntu (no cost) and rsyslog (no cost) to get started.

What’s Next?

If you’ve already completed the suggestions above, here are two other important recommendations.

Develop or update an incident response (IR) plan

Level of Effort: Minimal – create a document that describes your organization’s plan for responding to and recovering from a cyber attack.

Why: Responding to a cyber attack is stressful, even for well-resourced and experienced teams. Developing procedures and establishing contacts with law enforcement, the MS- and EI-ISAC, CISA, your cyber insurance provider, and others should not wait until an emergency. Having a plan to identify roles, responsibilities, and key decision points is critical to your success.

How: CIS has a checklist available to get you started: Cyber Incident Checklist. CISA also has a template written for federal civilian agencies, but it provides a good overview for SLTTs on sections you will want to consider adding to your plan: Cybersecurity Incident & Vulnerability Response Playbooks

Cost: None

Ensure systems are properly backed up and backups are protected from ransomware attacks

Level of Effort: Moderate to significant depending on size and complexity of the environment, amount of data requiring backups, and business recovery objectives.

Why:  Beyond the obvious need to have backups to restore in the event of a system crash or data corruption, having backups that can withstand a ransomware attack is critical and requires some additional considerations.

How: For more information on backup best practices, see the EI-ISAC security spotlight on backups here: Election Security Spotlight – Backups and the co-authored ransomware guide by the MS-ISAC and CISA here: Ransomware Guide.

Cost: Minimal to significant

Resources from the Cybersecurity & Infrastructure Security Agency

For resources from our colleagues at CISA, please also see their Shields Up webpage.

Cyber Incident Support 

Our expertly trained Cyber Incident Response Team (CIRT) is here to help. If your SLTT organization experiences a cybersecurity incident we encourage you to report an incident.

For further questions or concerns the MS-ISAC Security Operations Center (SOC) is available 24x7x365 to assist via phone or email.

Phone: 866-787-4722

Email: [email protected]

Learn more about joining the MS-ISAC here.

Learn more about joining the EI-ISAC here.

Download

Guidance for Private Sector Organizations

What You Should Do Today

Stop malicious internet activity with Domain Name System (DNS) filtering services

Why: Improve your ability to detect and protect against threats from email and web vectors. Attackers will use these opportunities to manipulate human behavior through direct engagement.

How: Most popular web browsers employ a database of phishing and/or malware sites to protect against the most common threats. A best practice is to enable these content filters and turn on the pop-up blockers.

In addition, consider subscribing to DNS filtering services to block attempts to access these websites at the network level. Many commercial DNS filtering services are available. CIS uses Akamai to deliver its Malicious Domain Blocking and Reporting (MDBR) services. You may also consider Quad9 – a free service that provides end users with robust security protections.

What You Should Do in the Next Week

Turn on multi-factor authentication (MFA) for any system that offers it

Why: Attackers continue to steal credentials (username and password) from users through phishing attacks and other social engineering tactics. Brute force attacks (using a computer to rapidly try multiple username and password combinations until a match is found) are also a common tactic. MFA protects an organization from up to 96% against these attacks.

How: Do a quick inventory of all systems in use and determine what offers MFA. Whether it is sending users a text message (SMS) – or more preferably, the use of an app like Google Authenticator or Microsoft Authenticator – enable it for all users.

Obtain a recent vulnerability scan of externally facing IT assets and install all possible patches and updates

Why: Adversaries use historical vulnerability information available on the internet as well as launching their own scans to find exploitable vulnerabilities. Your organization should focus on finding and fixing these before the adversary does.

How: The level of effort will depend on the size and complexity of your environment. Within a few hours, a scan could be done and results analyzed and prioritized for remediation efforts.

A large number of vulnerability scanning tools are available to evaluate the security configuration of enterprise assets. Some enterprises have also found commercial services using remotely managed scanning appliances to be effective.

Operational Technology (OT) environments may have different use cases with regards to protection and recovery than IT environments. The Cybersecurity Infrastructure Security Agency (CISA) provides some useful guidance on protecting Industrial Controls Systems.

Remember to exercise caution when scanning OT environments as aggressive scanning may cause systems to become unavailable. Ensure everything that can be updated and patched within your environment has been.

What You Should Do in the Next Two Weeks

Enable logging on any device that is capable and configure a log collection system

Why: Logs are what incident response and forensic teams will need in order to recreate attackers’ footsteps in your network. Logs will help put the puzzle together of who the adversary was, how they got in, how long they were in, and what they did while inside. Logs also help identify previously undetected events or suspicious activity that did not trigger a signature-based defense system.

How: IT administrators may be able to enable this across all devices using centralized management tools such as Group Policy Objects (GPOs) or others. A system must be set up to collect and store these logs, which could be as simple as a desktop computer with an external hard drive to start.

Most infrastructure devices and systems have a native logging capability. There are a number of commercial options available to help with periodic scans of logs to ensure such logging is in place.

If necessary, set up a system (can be a desktop or server running Windows or Linux, although we recommend Linux) and use an open-source tool such as rsyslog to listen for and store logs sent to it. Configure devices to send logs to your syslog server (generally over UDP port 514, but some can be customized). Confirm logs are being received and stored on the system or external hard drive.

What’s Next?

If you’ve already completed the suggestions above, here are two other important recommendations.

Develop or update an incident response (IR) plan

Why: Responding to a cyber attack is stressful, even for well-resourced and experienced teams. Develop procedures and establish contacts with law enforcement, your cyber insurance provider, and others before you have an emergency. Having a plan to identify roles, responsibilities, and key decision points is critical to your success.

How: Create a document that describes your organization’s plan for responding to and recovering from a cyber attack.

There are many resources available that provide helpful guidance on creating an IR plan. A comprehensive summary of the National Institute of Standards and Technology’s (NIST) IR plan is located here.

Ensure systems are properly backed up and backups are protected from cyber attacks

Why: Beyond the obvious need to have backups to restore in the event of a system crash or data corruption, having backups that can withstand a cyber attack is critical and requires some additional considerations.

How: Organizations should establish backup procedures based on data value, sensitivity, or retention requirements. This can help determine how frequently and how extensive backups should be.

We recommend establishing a testing team to execute a backup process – which should be done once per quarter or whenever a new backup process or technology is introduced. The team should evaluate a random sample of backups and attempt to restore them on a test bed environment. The restored backups should be verified to ensure that the operating system, application, and data from the backup are all intact and functional. In the event of malware infection, restoration procedures should use a version of the backup that is believed to predate the original infection.

Review the CIS Critical Security Controls (CIS Controls)

Why: The CIS Controls identify practical actions to defend against the most prevalent real-world cyber attacks facing enterprises today. They identify common problems and barriers (like initial assessment and implementation roadmaps), and offer positive, constructive action for defenders. They can also be mapped to a variety of regulatory and compliance frameworks.

How: The CIS Controls are led by CIS with contributions from an international community of volunteer experts and institutions from every corner of the cybersecurity world. You can download CIS Controls v8 here.

Additional Resources

For resources from our colleagues at CISA, please also see their Shields Up webpage.

Salesforce’s Trailhead learning platform features a training module dedicated to CIS Controls v8.

The Cybersecurity & Infrastructure Security Agency (CISA) provides useful guidance to help organizations understand how to respond to an attack.

The National Institute for Standards & Technology (NIST) provides additional guidance for organizations protecting OT environments. NIST also maintains a helpful library of cybersecurity resources on its website.

If you need to assess potential commercial solution vendors for any of your needs, Gartner and other analysts can provide helpful guidance on the options and relative strengths of each.