National Cyber Warfare Foundation (NCWF) Forums


Defending your systems from a nation state - mature security postures


1 user ratings
2020-07-29 12:10:05
blscott
Blue Team Tools
Mature cybersecurity postures are likely still lacking defenses against nation-state threat actors. This guide is to help you continue your cybersecurity maturity path to the best possible defense.

Network security
* Control your DNS - leverage DNS protection technologies to monitor and shield your network via the DNS protocol. Not only do you need to add the capability, but you also need to close the risk down by no longer allowing any DNS traffic outside of your DNS security solution. Malware can utilize its own DNS infrastructure, therefore add your solution and close down all alternatives to prevent DNS solution bypasses.
* Segment IoT/ SCADA/ physical security systems from your computing networks. Most will consider simply using vLANs. Please reconsider, the only real protection is to the physical segment. For the systems mentioned here, it should be your only option. vLANs work for keeping accounting/financial systems "isolated" on your network but that is a semantic solution only.
* Audit your defense-in-depth controls - shifting sands open new exposures. Ensure you have a minimum of two layers of security for each of your controls.

Critical system security
* Protect Internet-facing systems with load balancers, redundancy, and attack filtration.
* Verify backups and backup cycles. Store backups offline. Ensure backups are stored in more than one physical location.
* Backup firmware. Critical systems may face malware that infects firmware. Back up a copy of firmware from all components of your critical systems. Update where possible.

Workstation
* Move all user data into network shares with full access logging.
* Have a fast recovery system in place. It should use SSD or other fast storage media. It should use images rather than installs.
* Have a base image for all workstation types and update those base images as you would the workstations themselves (patches, updates, etc).

Access controls
* Ensure the least privilege strategy is in place. Have daily use operate under the least authorization necessary. Have user's who need higher privileges use temporary accounts, etc.
* Audit your security alert notifications, feed sources, and rules to ensure they all al functioning.

Training and exercises
* Test your security systems and response mechanisms as a whole. Nearly everyone only tests in parts and assume all the parts will work together well. Even the most rehearsed teams break down during real events. Find out what to fix before it is too late.
* Continuously test/assess your organization\'s staff. Deliver training to those who fail tests/assessments.
* Make sure your organization\'s entire staff is clear on what to do or what will be done in a crisis,

Documentation/ Standard Operating Procedures (SOPs)/ Run Books
* CCPA/GDPR mandate up-to-date documentation and training for all of your staff.
* Take a realistic look at your documentation and determine if it would make a real difference in a time of crisis.
* Make sure your documentation takes into account missing key personnel. Most matured documented security postures rely on a specific list/hierarchy to operate/flow. Crises never allow this. Update your documents/strategies that are robust enough to handle key roles not being filled by the expected person.

Final thought
We have seen hundreds of organizations and their response during a crisis. One thing we have learned is that when the organization empowers its team members, their empowerment saves time/money/ and averts disaster more than the possible downside risk of an empowered staff member making a bad choice. If you are concerned about empowerment, then you are saying you are doing a poor job of training. Fix it.



Comments
new comment
Nobody has commented yet. Will you be the first?
 
return to home



Copyright 2012 through 2020 - National Cyber Warfare Foundation - All rights reserved worldwide.