Microsoft Special Report on cyberattack activity in Ukraine: Recommended actions
The report provides strategic recommendations to organizations worldwide, including an overview of the intrusion techniques and actions to mitigate the risk of cyberattacks.
At ECIT, we are following the situation closely, and we believe that sharing this knowledge with our customers and stakeholders is key to increasing resilience against cyberattacks.
As the conflict persists and more countries provide military assistance to Ukraine or take punitive measures against the Russian government, Russian nation-state threat actors may be tasked to expand their destructive actions against targets outside Ukraine in retaliation. Microsoft recommends that all organizations directly or indirectly associated with the conflict in Ukraine proactively protect themselves from the threats described in the report and actively monitor for similar actions in their environment. ECIT supports this recommendation.
Microsoft is referring to several common tactics, techniques, and procedures the attackers use to execute their intrusions. These observations are turned into actionable guidance for network defenders and security teams.
Observed intrusion techniques include:
- Exploitation of public facing applications or spear-phishing with attachments/links for initial access.
- Credential theft and use of valid accounts throughout the attack lifecycle, making “identities” a key intrusion vector. This includes accounts within the Active Directory domain as well as access through VPNs or other remote access solutions.
- Use of valid administration protocols, tools, and methods for lateral movement, relying on compromised identities with administrative capability.
- Use of known, publicly available offensive capabilities, sometimes obfuscated using actor-specific methods to defeat static signatures.
- “Living off the land” during system and network discovery, often utilizing native utilities or commands that are non-standard for the environments.
- Use of destructive capabilities that access raw file systems for overwrites or deletions.
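The “living off the land” point above is hard to catch with signatures because the utilities are legitimate; what stands out is a utility that is non-standard for that host. The following PowerShell is an added example (not from the Microsoft report or from ECIT) that flags discovery utilities in process-creation records when they fall outside a per-host-class baseline. The watchlist, baseline, host names and event records are all constructed sample data shaped like Security event 4688 fields.

```powershell
# Added example: baseline-aware detection of native discovery utilities.
# Native tools commonly used for system/network discovery (constructed watchlist).
$DiscoveryUtilities = @('whoami.exe','nltest.exe','net.exe','net1.exe','dsquery.exe',
                        'adfind.exe','quser.exe','ipconfig.exe','nbtstat.exe')

# Constructed baseline: utilities routinely seen per host class in this hypothetical environment.
$Baseline = @{
    'workstation' = @('ipconfig.exe')
    'server'      = @('ipconfig.exe','net.exe','nltest.exe')
}

# Constructed sample records (host, host class, account, new process name).
$Events = @(
    [pscustomobject]@{ Host='WS01'; Class='workstation'; Account='j.doe';   Process='whoami.exe'   },
    [pscustomobject]@{ Host='WS01'; Class='workstation'; Account='j.doe';   Process='nltest.exe'   },
    [pscustomobject]@{ Host='DC01'; Class='server';      Account='svc_bk';  Process='nltest.exe'   },
    [pscustomobject]@{ Host='WS02'; Class='workstation'; Account='a.smith'; Process='ipconfig.exe' }
)

function Find-UnusualDiscovery {
    param([object[]]$Events, [hashtable]$Baseline, [string[]]$Watchlist)
    # Keep only watchlisted tools that are not normal for the host class, then group by
    # host and account so a burst of several different discovery tools stands out.
    $Events |
        Where-Object {
            $p = $_.Process.ToLower()
            ($Watchlist -contains $p) -and ($Baseline[$_.Class] -notcontains $p)
        } |
        Group-Object Host, Account |
        ForEach-Object {
            [pscustomobject]@{
                Host    = $_.Group[0].Host
                Account = $_.Group[0].Account
                Tools   = ($_.Group.Process | Sort-Object -Unique) -join ','
                Count   = $_.Count
            }
        }
}

# With the sample data, only WS01/j.doe is reported (whoami.exe and nltest.exe are
# not in the workstation baseline); DC01's nltest.exe and WS02's ipconfig.exe are expected.
Find-UnusualDiscovery -Events $Events -Baseline $Baseline -Watchlist $DiscoveryUtilities | Format-Table
```

In production the `$Events` array would be replaced by records read from the Security log (event 4688 with command-line auditing enabled) or an EDR export, and the baseline built from several weeks of normal activity.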
Based upon these observations, Microsoft recommends taking the following actions:
1. Minimize credential theft and account abuse
Protecting the identities of your users is key to securing your network and resources from attackers. Enable multi-factor authentication and identity detection tools, apply least-privilege access, and secure the most sensitive and privileged accounts and systems.
2. Secure internet-facing systems and remote access solutions:
Internet-facing systems should be secured against external attacks by ensuring they are updated to the most secure levels, regularly evaluated for vulnerabilities, and audited for changes to the integrity of the system. Anti-malware solutions and endpoint protection should be enabled for detection and prevention of attackers. Legacy systems should be isolated to prevent them from becoming an entry point for persistent threat actors. Remote access solutions should require two-factor authentication and be patched to the most secure configuration.
3. Leverage anti-malware, endpoint detection, and identity protection solutions:
A combination of defense-in-depth security solutions, paired with trained and capable personnel, can empower your organization to identify, detect, and prevent intrusions impacting your business.
4. Enable investigations and recovery:
If you detect or are notified of a threat to your environment, it is critical to have auditing of key resources in place to enable investigations. Customers are urged to have and exercise an incident response plan to avoid delays and reduce dwell time for destructive threat actors. Customers are also urged to have a backup strategy that accounts for the risk of destructive actions and to prepare to exercise recovery plans.
5. Defend against destructive attacks:
Destructive attacks observed in Ukraine have similar characteristics and mitigations to the ransomware scenarios that Microsoft has identified worldwide in recent years. Microsoft can help safeguard your organization against destructive attacks through features within Defender such as Attack Surface Reduction (ASR) and Controlled Folder Access (CFA).
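The ASR and CFA features named above are configured through the Defender PowerShell cmdlets. The following is an added example (not from the Microsoft report or from ECIT) that turns on a small ASR baseline matched to the techniques listed earlier (LSASS credential theft, malicious attachments, Office-spawned processes, ransomware-style overwrites) and enables CFA. The rule GUIDs are Microsoft's published ASR rule identifiers and should be checked against the current ASR rule reference before deployment; the folder and application paths are constructed placeholders.

```powershell
# Added example: ASR baseline plus Controlled Folder Access on a Windows endpoint
# running Microsoft Defender Antivirus. Run from an elevated PowerShell session.
# Start in AuditMode, review the Defender operational log for would-be blocks, then move to Enabled.
$AsrRules = @{
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Credential theft from LSASS'
    # Use advanced protection against ransomware
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced ransomware protection'
    # Block executable content from email client and webmail
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable content from email'
    # Block all Office applications from creating child processes
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office child processes'
}

function Set-AsrBaseline {
    param([ValidateSet('AuditMode','Enabled','Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference appends to the rule list; Set-MpPreference would replace the
        # whole list on every iteration and leave only the last rule configured.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-9} {1}  {2}" -f $Mode, $id, $AsrRules[$id])
    }
}

function Enable-ControlledFolders {
    param([ValidateSet('AuditMode','Enabled')][string]$Mode = 'AuditMode',
          [string[]]$ExtraFolders = @(), [string[]]$AllowedApps = @())
    # CFA protects user profile folders by default; add business data paths explicitly and
    # allow-list trusted software (e.g. a backup agent) that must write into them.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($f in $ExtraFolders) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    foreach ($a in $AllowedApps)  { Add-MpPreference -ControlledFolderAccessAllowedApplications $a }
}

Set-AsrBaseline -Mode AuditMode
# Placeholder paths: replace with the organisation's own data shares and trusted applications.
Enable-ControlledFolders -Mode AuditMode -ExtraFolders @('D:\Finance') `
                         -AllowedApps @('C:\Program Files\ExampleBackup\backup.exe')

# Confirm what was applied.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
                                 EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
```

ASR and CFA events are written to the Microsoft-Windows-Windows Defender/Operational log (event IDs 1121/1122 for ASR block/audit and 1123/1124 for CFA block/audit), which is where the audit phase should be reviewed before switching to Enabled.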
6. Review and implement “best practices” for defense in depth:
Microsoft has developed useful resources and best practices for customers of Microsoft solutions that provide actionable guidance for security-related decisions. Microsoft’s Security Best Practices covers topics such as governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.
Microsoft Security Best Practices is a collection of best practices that provide clear actionable guidance for security related decisions. This is designed to help you increase your security posture and reduce risk whether your environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers. ECIT recommends that you spend time familiarizing yourself with these best practices.
Contact ECIT if you need assistance
At ECIT, we are always at hand to help you identify risk areas and implement risk mitigation, as well as providing assistance with incident response plans. Contact our security experts if you need any assistance regarding security assessments or security measures.
Raymond is head of the Cyber Security department at ECIT. He has extensive experience in IT security and in-depth knowledge of how companies can increase IT security in today's threat landscape. He is passionate about digital security and shares knowledge across organizations and companies.