By now you’ve seen the warnings, or if you haven’t your CISO has. US-CERT and the FBI have issued warnings that the government of North Korea has been attempting a series of largely successful cyber-attacks against interests in the United States and elsewhere in the world.
These attacks have the ultimate goal of sowing chaos and distrust in the west as well as to prepare for a cyber-war.
Right now the North Koreans are in the process of examining as many networks of all types as they can so that the attackers know exactly where to hit and what to do when they get there.
The more organizations that they record, the more effective their ultimate cyber-attack will be. When the attack happens, the organizations whose networks have been penetrated will effectively be at Ground Zero for the cyber-war.
Fortunately, there are steps you can take now that will reduce the impact of those cyber-attacks if and when the come. If you’re proactive, you may be able to prevent any information regarding your enterprise from ending up in the wrong hands. But there are several critical you need to know to protect your organization’s network.
First, you have to assume that the North Koreans have already penetrated your network. That does not mean that you should drop your efforts to prevent penetration, but you have to take steps that assume they have broken in. Second, you have to prioritize the threat, which is high, meaning that you’ll need to spend the money and allocate the resources necessary to protect your company.
1. Stay up to the minute on threat intelligence, and make sure you know those threats affect you. Stu Sjouwerman, founder and CEO of Knowbe4 suggests checking WikiLeaks on a daily basis for reports of new releases of NSA hacking tools. When you find them, make sure your network is protected against those vulnerabilities. It’s important to know that many of those hacks depend on long patched vulnerabilities, so you will need to make sure that your network has been thoroughly patched.
2. Prevent exfiltration. Even if the North Koreans or other bad guys are inside your network, it does them no good if they can’t get the data that they came for. This means that you have to set your firewall or other security device to reject attempts to send data to destinations suspected of having a connection to the bad guys, including North Korea and China. The recent US-CERT alert provided a list of those suspicious IP addresses. But you can’t stop there. According to Georgia Weidman, founder and CTO of Shevirah, it’s now common for attackers to bypass firewalls and exfiltrate data through mobile devices, Internet of Things devices and the like.
“I’ve done a demo for years using an infected mobile phone to attack other systems in the network and exfiltrating the connection via text messages (mobile modem) so it never crosses the perimeter. Every way devices communicate that isn’t being monitored is a big threat for data loss,” Weidman said. This means that you must lock down your mobile phones and other external devices.
3. Use application whitelisting, so that any application that’s not on the list cannot run. This would prevent malware from running even if it’s in your network. You can perform application whitelisting on servers and on endpoints, but you may not be able to run it on IoT devices. So it’s an important to keep those secure using other means.
4. Keep patching religiously. “That doesn’t mean just the OS,” Sjouwerman said. He said that it’s critical to also make sure that all applications are patched, because hackers can easily penetrate a system via a compromised application. Sjouwerman recommends using a tool to verify application update status such as Flexera Personal Software Inspector for personal use. There’s also an enterprise version called the Flexera Software Vulnerability Manager. You must also patch your network infrastructure equipment, including switches, firewalls and network appliances. The Flexera products ease the burden for applications by scanning every application on your computer or on the network and comparing them to a massive database. Then Flexera updates or patches as required. But you must still have someone with the specific task of patch management for network devices and infrastructure.
5 Really train your staff to detect and respond appropriately to cyber-threats. This means repeatedly training your staff in detecting a phishing email and in what to do when they find one. Nearly all of the recent major breaches affecting enterprises have begun with a phishing attack. While there are security appliances that can find some of those phishing emails, attackers are getting very sophisticated in how they create their attacks. So it takes a sharp eye, but it’s worth the effort. Weidman said that the one thing that makes her penetration testing difficult and which would make an attacker’s attempts difficult is a prepared victim. She described the people who don’t become victims. “People who don’t fall victim to phishing attacks at all,” she said. “I know I’m dreaming but if a target really had it together about phishing and not just email—but SMS, social media like Twitter, messaging apps like WhatsApp, etc. that would be a big deterrent.”
This sounds like a lot of work and it is. In fact, Sjouwerman says that to be really effective, one third of the total IT budget must be allocated to security if you really want to protect your enterprise.
But it’s important to remember that the current threat from North Korea isn’t after your money or even your intellectual property. The current target is your network itself. The plan is to turn your network against you and use it as a weapon in a cyber-war.