Make sure all staff have at least MFA
In an infamous hack earlier this year, the US State Department was targeted by Chinese attackers who found code-signing certificates embedded in a memory dump that ended up in a public repository. The memory dump came from a Microsoft employee with access to sensitive levels of information.
But attackers will also go after individuals in your organization at other reporting levels. Once again, social media and LinkedIn are key tools for investigating who is related to whom and for targeting individuals in the organization who may have a relationship with one another. Thus, ensuring that all staff use multifactor authentication, and do not rely on just a username and password to gain access to resources, is key.
CISA recently released phishing guidance that points out that antivirus alone is not enough. It goes on to identify multifactor authentication as the primary mitigation for the phishing tactic used to obtain login credentials.
Another common attack is malware phishing, in which the bad actor sends a malicious link to a target and tricks them into launching the attack themselves. Mitigations for this type of attack include application allowlisting and running an endpoint detection and response (EDR) agent. But don’t limit this sort of protection to workstations; consider these protections on phones and other devices as well.
Consider additional protection such as DNS filtering tools that pre-scan the websites and links your users are going to. These tools do not have to break the bank and can be obtained at low or no cost to your organization. Ensure that even those who work from home point their home routers to a DNS filtering service such as OpenDNS, and instruct users on how to set up the categories they wish to block.
Web policies need to be hardened too
If you want to go even further in protecting your firm, consider web policies that block users from all websites unless they have a business need for them. I’ve seen this done successfully in school environments, where the staff and children are younger and have no need for full access to the internet.
Restricting sites may seem draconian for some firms, but if you can, consider flipping any deny policies you have in place to an “only if allowed” (allowlist) mindset instead.
Finally, review the logging that all of your applications and third-party integrations produce, and how long it is retained; often it is only on review that you determine how the attacker gained access.
Microsoft was urged by CISA and others to expand logging and make more of it available by default after the attacks on the State Department earlier this year. It had initially promised to roll out the much-needed MailItemsAccessed logging to all tenants by October of this year. Now, however, buried in a roadmap linked from a Microsoft blog, this promised tool for identifying what an attacker has accessed won’t arrive until September of next year.
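As an added example, not code from the column or from Microsoft: a small Python script that reads rows from a unified audit log export (each row carries the event as a JSON string in AuditData, with field names following Microsoft's published MailItemsAccessed schema) and reports which mailboxes were read or synced from addresses outside your known egress list. The sample rows, the KNOWN_EGRESS set, the item threshold and the function names are all constructed for illustration.

```python
import json
from collections import defaultdict

def make_row(user, ip, client, access_type, folder, n_items):
    """Build one constructed export row; AuditData is a JSON string, as in the real export."""
    items = [{"InternetMessageId": f"<msg-{i}@example.com>"} for i in range(n_items)]
    return {"AuditData": json.dumps({
        "Operation": "MailItemsAccessed", "UserId": user, "MailboxOwnerUPN": user,
        "ClientIPAddress": ip, "ClientInfoString": client,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access_type}],
        "Folders": [{"Path": folder, "FolderItems": items}],
    })}

# Constructed sample: normal OWA use from the office address, plus a Sync and a
# bulk Bind from an address the organization does not recognise.
SAMPLE_ROWS = [
    make_row("jdoe@example.com", "198.51.100.5", "Client=OWA;", "Bind", "\\Inbox", 3),
    make_row("jdoe@example.com", "203.0.113.77", "Client=REST;", "Sync", "\\Inbox", 0),
    make_row("cfo@example.com", "203.0.113.77", "Client=REST;", "Bind", "\\Sent Items", 40),
]
KNOWN_EGRESS = {"198.51.100.5"}  # assumed: the organization's own public addresses

def summarize(rows):
    """Return {(mailbox, ip): {'items': n, 'sync': bool, 'folders': set}} for MailItemsAccessed rows."""
    out = defaultdict(lambda: {"items": 0, "sync": False, "folders": set()})
    for r in rows:
        d = json.loads(r["AuditData"])
        if d.get("Operation") != "MailItemsAccessed":
            continue  # other operations in the export are ignored here
        key = (d["MailboxOwnerUPN"], d.get("ClientIPAddress", "?"))
        props = {p["Name"]: p["Value"] for p in d.get("OperationProperties", [])}
        if props.get("MailAccessType") == "Sync":
            out[key]["sync"] = True  # a Sync means the whole folder was pulled down
        for f in d.get("Folders", []):
            out[key]["folders"].add(f["Path"])
            out[key]["items"] += len(f.get("FolderItems", []))
    return dict(out)

def suspicious(summary, known_ips, bind_threshold=20):
    """Mailbox/IP pairs outside known addresses that synced a folder or bound many items."""
    return sorted(k for k, v in summary.items()
                  if k[1] not in known_ips and (v["sync"] or v["items"] >= bind_threshold))

if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for mailbox, ip in suspicious(s, KNOWN_EGRESS):
        print(f"{mailbox} accessed from {ip}: {s[(mailbox, ip)]}")
```

The threshold and the "known egress" list are the two knobs to tune against your own baseline before trusting the output.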
Bottom line: these days, don’t just harden the operating system. Harden your authentication, harden your help desk, and harden the log files you keep. You’ll need all of these hardenings in place to beat the bad guys.