11.03.2022 IT Cybersecurity Security Tech

CIRCL released a technical report to face cyber attacks in times of tense geopolitical situations

Geopolitical conflicts can be the outcome of complex political situations. Tragically, they may result in wars or warlike operations. The situation becomes even more complicated when surrounding countries, allies and partners threaten consequences and sanctions. In the digital world, and with the above dynamic in mind, it is not unusual to see an increase in cyber attacks against other countries' government infrastructure, prominent targets, or simply whatever looks like low-hanging fruit.

The report aims to provide best practices for being prepared for a situation in which organisations may well see an increase in attacks, so that they do not become victims of such activities.

Attack Surface reduction
In short: reduce the attack surface in order to limit exploitability. A service that does not run cannot be exploited; the same applies to a service that is filtered before it can be reached from the Internet.

  • Assess – know your infrastructure and check the documentation: what are your networks, hosts, services and ports that are accessible from the Internet?
  • Verify – reality check: scan the network and take note of all the exposed services.
  • Question – explain and justify the necessity to expose each and every service.
  • Limit – limit the exposure by disabling or filtering services that are not 100% necessary.

Example: You identified that your public Exchange server listens on 80/tcp and 443/tcp, but you never intended to use Outlook Web Access -> filter or disable the service. Known unpatched, as well as as-yet-unknown, vulnerabilities can then no longer be exploited through that vector.
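The four steps above become a repeatable check once the documented exposure list is diffed against a real scan. The following is an added example (not code from the CIRCL report): it parses nmap greppable (`-oG`) output, lists every open service that has no documented justification, lists documented services the scan did not actually find open (stale documentation or a broken service), and renders candidate nftables drop rules for the Limit step. The inventory, host names and scan lines are constructed for illustration and use RFC 5737 documentation addresses; the nftables rules assume an `inet filter` table with an `input` chain on the filtering host.

```python
"""
Reality check for the Assess / Verify / Question / Limit steps: parse an
nmap greppable (-oG) scan of the public ranges and diff it against the
documented, justified exposures.

Added example, not part of the CIRCL report. The inventory and scan output
below are constructed (RFC 5737 documentation addresses), not real data.
"""
import re

# Assess: what the documentation says may be reachable from the Internet.
# Hypothetical inventory: host -> {(port, proto): justification}.
DOCUMENTED_EXPOSURE = {
    "203.0.113.10": {(25, "tcp"): "inbound SMTP for the Exchange server"},
    "203.0.113.20": {(443, "tcp"): "public website",
                     (80, "tcp"): "HTTP to HTTPS redirect"},
    "203.0.113.30": {(22, "tcp"): "jump host, MFA enforced"},
}

# Verify: constructed `nmap -oG` lines (the mail server still exposes OWA on
# 80/443, the jump host has RDP open, and an undocumented host answers SNMP).
SCAN_OUTPUT = """\
# Nmap 7.93 scan initiated (constructed sample, not a real scan)
Host: 203.0.113.10 (mail.example.org)\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.20 (www.example.org)\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.30 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.40 ()\tPorts: 161/open/udp//snmp///
# Nmap done
"""

# -oG port entries are port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_greppable(text):
    """Return {host: [(port, proto, service), ...]} for every port nmap reports as open."""
    exposed = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        port_field = line.split("Ports:", 1)[1]
        exposed.setdefault(host, []).extend(
            (int(port), proto, service)
            for port, state, proto, service in PORT_RE.findall(port_field)
            if state == "open"
        )
    return exposed


def unjustified_exposure(exposed, documented):
    """Question: open services with no documented justification (candidates for Limit)."""
    findings = []
    for host, services in exposed.items():
        allowed = documented.get(host, {})
        findings += [(host, port, proto, svc)
                     for port, proto, svc in services if (port, proto) not in allowed]
    return sorted(findings)


def missing_from_scan(exposed, documented):
    """Documented exposures the scan did not see open: stale documentation or a broken service."""
    seen = {(host, port, proto) for host, svcs in exposed.items() for port, proto, _ in svcs}
    return sorted((host, port, proto)
                  for host, allowed in documented.items()
                  for port, proto in allowed if (host, port, proto) not in seen)


def suggest_filter_rules(findings):
    """Limit: one nftables drop rule per unjustified service (assumes an `inet filter`
    table with an `input` chain on the filtering host; adapt to your own firewall)."""
    return [f"nft add rule inet filter input ip daddr {host} {proto} dport {port} drop"
            for host, port, proto, _ in findings]


if __name__ == "__main__":
    exposed = parse_greppable(SCAN_OUTPUT)
    findings = unjustified_exposure(exposed, DOCUMENTED_EXPOSURE)
    print("Exposed without justification (disable or filter):")
    for host, port, proto, svc in findings:
        print(f"  {host} {port}/{proto} ({svc})")
    print("Documented but not seen open (fix the docs or the service):")
    for host, port, proto in missing_from_scan(exposed, DOCUMENTED_EXPOSURE):
        print(f"  {host} {port}/{proto}")
    print("Candidate filter rules:")
    print("\n".join(suggest_filter_rules(findings)))
```

With the constructed sample this flags 80/tcp and 443/tcp on the mail server (the OWA case from the example above), RDP on the jump host and SNMP on a host that is not in the inventory at all, and reports that the documented 80/tcp redirect on the web server is not actually open. Feed it `nmap -oG - -sS -sU -p- <public ranges>` output and keep the justification dictionary under version control next to the network documentation, so the Question step leaves a written trail.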

Keep the infrastructure up-to-date
Know the software and the extensions/plugins in use, and keep them updated at all times.

DDoS mitigation
Consult the DDoS Mitigation document.

Information Sharing
Benefit from and participate in information sharing communities, such as MISP.

ENISA and CERT-EU joint publication
ENISA and CERT-EU encourage all public and private sector organisations to adopt a minimum set of cybersecurity best practices, as outlined in the Boosting your Organisation's Cyber Resilience document.

Best Practices for Individuals and employees

  • Be careful with requests, links or attachments received via email, for instance phishing links.
  • Inspect URLs with free tools such as Lookyloo or URL Abuse.
  • Inspect attachments with free sandbox tools such as Joe Sandbox, or via VirusTotal.
  • Inspect office documents with Pandora.
  • Submit phishing links via SPAMBEE.

Keep in mind: do not upload potentially internal documents with sensitive content into the cloud, since this is against the terms of use of those services and the documents become (semi-)public in that case.

Also, do not trust emails blindly, even if they come from a trusted partner or arrive as a reply to an existing, valid email thread: such threads may have been stolen in an earlier compromise and are replayed to make the message look legitimate.

Be alert to social engineering attacks of any kind, for instance by email, website, phone or letter post, e.g. asking for passwords.

Best Practices for the Politically Persecuted
Make sure to apply Secure Communication strategies carefully.

Notes for aspirant activists
DDoS (distributed denial of service) attacks are often viewed by activists as the easiest way to "do something". Keep in mind that they can have unanticipated negative side effects, such as hitting the wrong infrastructure (e.g. hospitals) or degrading network connectivity as a whole in the country/region/area you are trying to help.

Using anonymisation networks such as Tor to protect your identity during such an attack will most probably overload that network, jeopardising political activists in repressive surveillance societies who depend on it to communicate among themselves.

Remember that you only have partial information. Even if it is authentic, taking decisions individually and then acting offensively can backfire and can be a significant risk for yourself.

Reporting possibilities
Use the existing reporting facilities. If you encounter criminal activities, report them to the nearest police station.
In case you see content related to racism, revisionism, discrimination or content related to terrorism, these topics can be reported to https://stopline.bee-secure.lu.
For support in case of an incident you can contact CIRCL.
Observed data leaks can be reported to https://cnpd.public.lu.

Suspicious financial activities and financial operations can be reported to CRF Cellule de renseignement financier. For more details about the financial sector in Luxembourg, there is a Ukrainian crisis page at CSSF.