The FBI Is Finally Catching Up To Cyber Criminals and You Can Too

Considering the fast evolution and prevalence of cyber-crime in today’s digital age, the FBI is doing its part to combat threats in the cyber world. In the recently released FBI FLASH distributed by their cyber-security division, they provide a number of recommended mitigations to take in the event that cyber actors have compromised and stolen sensitive business information and Personally Identifiable Information (PII). I was excited to read this because not only is it one of the better FBI FLASHES I have read in a while, but it also provided cutting edge insights and valuable information that reflects EXACTLY what my team at Column Information Security practices with our clients. Here is a recap on how to protect your organization:

According to the FBI FLASH, the following mitigation measures should be implemented within 72 hours of detection:

  1. Prepare your Environment for incident response:
    • Establish an out-of-band communication protocol to send out your organization’s intrusion response plans and procedures. Recently, hackers have been using compromised corporate email to send messages during a breach urging users to ignore the actual response plan, which makes an alternate communication protocol critical.
    • Ensure all device logging is enabled and aggregated to a centralized solution.
    • Disable your remotes, both VPN and (say it isn’t so!) RDP, until a password change has been completed.
    • Implement full SSL and TLS inspection capability on perimeter and proxy devices. This may seem counter intuitive, but if your data is encrypted, then your monitoring and logs will not be able to see the data they need in order to find the culprits.
    • Monitor compromised accounts and devices to prevent reacquisition attempts.
  2. Implement a network-wide password reset with local host access only, no remote changes allowed, including:
    • All domain accounts
    • Local accounts
    • Machine and system accounts
  3. Harden your systems.
    Protecting your credentials is of the utmost importance in safeguarding your data, intellectual property and time from cyber attackers. What many business people may not understand is that once a hacker gains access to what we in IT call “privileged accounts,” they are able to use these accounts to create more accounts. This means that even if you find the hacked account and shut it off, it can still move throughout a network, and spring back like the many heads of the hydra. In short, you do not want the bad guys gaining access to privileged accounts. Protecting credentials is at the core of Column Information Security’s practice. Through our strategic Identity Management roadmap, we are able to help organizations harden systems and safeguard against cyber-attacks. Mirroring some of the FBI suggested mitigations, here’s what we recommend:

    • Implement Least Privilege: Utilizing industry leading identity and access management (IAM) software, like the IAM solution available from Column Information Security, you can put the ability to restrict user rights and access into the hands of those who truly know who should have access to what files, the manager of that business area. This takes the burden off the IT department and is all done through a simple shopping cart interface much like those researched and designed by the world’s top websites.
    • Restrict Local Accounts: These are those “privileged” accounts we mentioned earlier. Restricting access can be done by utilizing specialized scanning software to find these super-accounts and begin restricted access by adding them to what is called a “PIM” or privileged identity management software. This helps prevent what is called “passing the hash” or intercepting an encrypted password and passing it from one server to the next, which leads to our next point…
    • Limiting Lateral Movement: Once a machine is compromised, hackers can use that machine to take over the entire network. Many networks are vulnerable to this type of attack. The best way to control this, and make it easier to defend your systems once under attack, is to use proper firewall rules, structure and maintain Active-Directory correctly and use proper Group-Policy settings. And, you guessed it, Column Information Security has a solution to help you with limiting lateral movement as well.
    • Admin Access Segregation: Going back to those “Admin” accounts where admins have access to do pretty much anything with the account, it’s important to minimize risk here by restricting where admins can use these accounts, and what they can use them for. If these accounts are managed properly with PIM software it becomes MUCH harder for cybercriminals to gain access to these accounts and even when accounts are compromised, it makes it much harder to compromise the entire network. Working with us, we would set up restraints so that your IT team cannot even see the actual Admin account password, but still has access to use the account when necessary for a set amount of time.
    • Log and Monitor Privileged Admin Account Usage: Monitoring privileged user actions is paramount for security and compliance reporting. This is yet another capability of the PIM and Network scanning software we offer at Column Information Security. When utilized correctly, these solutions allow you to view a screenshot of how the Admin accounts are used. Over time, your machine will learn how the accounts are used and will flag anything it deems out-of-the-ordinary.

Although implementing many of these security solutions may sound daunting, the best offense against cyber-attacks is still prevention. By ensuring the right information security and identity management systems are in place before an attack, you make certain you’re in compliance; that audits are a breeze; you free up your IT team to focus on critical functions instead of password resets; and, save your network in case of attack.


ABOUT THE AUTHOR

Blair Bonzelaar is a Chicago-based Cyber Security and Risk Management Expert working within Column Information Security’s Advisory Services Practice. Mr. Bonzelaar came to Column after leading teams in the banking sector and helping to launch several successful startups.

© Copyright 2020 Column Information Security

Terms & Conditions and Privacy Policy