FBI and CISA Roll Out Best Practices to Serve as a Cornerstone of Organizations’ Cybersecurity Strategies

• Feds offer advice on how to build and maintain a strong cybersecurity posture in the face of advanced hacker attacks
• Network best practices should act as a cornerstone of anyone’s cybersecurity strategy, regardless of industry or organization size
• FBI and CISA do not recommend paying ransoms as “payment does not guarantee files will be recovered”
• Advisory also includes a table containing signatures for some of the most common pieces of malware used today

A recent joint advisory co-authored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) provides valuable advice on how to build and maintain a strong cybersecurity posture in the face of advanced hacker attacks.

Although the notice is primarily aimed at educational institutions – amid a growing wave of ransomware attacks targeting schools across the US – the document includes a treasure trove of mitigation techniques for the most common cyber threats (and their attack vectors) targeting not just schools but pretty much every kind of organization.

In fact, the feds say the tactics and techniques described in the document have been frequently used against business and industry as well, especially in ransomware attacks.

The document talks at length about malware in general (i.e. Trojans, ransomware), Distributed Denial-of-Service (DDos) attacks, video conference disruptions, social engineering scams targeting unwary users, open/exposed ports, end-of-life software, and more. Mitigation techniques are offered for each headcount, with the authors encouraging educational providers to maintain business continuity plans to minimize disruptions in case of a cyber-attack, as well as to identify potential gaps.

“Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies,” according to the document.

Much of the Mitigation section is devoted to Network best practices – which should act as a cornerstone of anyone’s cybersecurity strategy – urging system administrators to:

• Patch operating systems, software, and firmware as soon as manufacturers release updates
• Check configurations for every operating system version for educational institution-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled
• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts
• Use multi-factor authentication where possible
• Disable unused remote access/RDP ports and monitor remote access/RDP logs
• Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind
• Audit logs to ensure new accounts are legitimate
• Scan for open or listening ports and mediate those that are not needed
• Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network
• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment
• Set antivirus and anti-malware solutions to automatically update; conduct regular scans

A set of User Awareness best practices included in the document urges educational institutions to alert employees and students to existing threats such as ransomware and phishing scams, teach them how they are delivered and show them what to do (who to contact) when they see suspicious activity or when they believe they have fallen victim to a cyberattack.

In the Ransomware department, “The FBI and CISA do not recommend paying ransoms,” the notice states.

“Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law,” according to the advisory.

The FBI and CISA point to the network best practices as a cornerstone in mitigating ransomware attacks, but they also recommend that organizations:

• Regularly back up data, air gap, and password protect backup copies offline
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location

Regardless of industry, these Video-Conferencing best practices should now apply to any organization relying on a remote workforce:

• Ensure participants use the most updated version of remote access/meeting applications.
• Require passwords for session access
• Encourage students to avoid sharing passwords or meeting codes
• Establish a vetting process to identify participants as they arrive, such as a waiting room
• Establish policies to require participants to sign in using true names rather than aliases
• Ensure only the host controls screen sharing privileges
• Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants

The advisory also includes a table containing signatures for some of the most common pieces of malware used today. The authors note that “the listing is not fully comprehensive and should not be used at the exclusion of other detection methods.”

Finally, users are encouraged to contact their local FBI field office at www.fbi.gov/contact-us/field to report suspicious or criminal activity related to information found in the joint advisory. Again, this should apply to any organization that falls victim to a cyber-attack, regardless of industry or size. The feds recommend that victims include the date, time, and location of the incident if they can, plus the type of activity, the number of people affected, the type of equipment used for the activity, the name of the submitting organization and a designated point of contact.

A PDF version of the joint advisory can be found here.

Organizations should also consider investing in services like Managed Detection and Response (MDR) and technological defenses like Endpoint Detection and Response (EDR) technologies. These can compensate for these new challenges and help organizations face new threats, without taxing their security budgets.