What you need to know about CISA's 'Shields Up' Cybersecurity Guidance

Prior to Russia's invasion of Ukraine, CISA (the US Cybersecurity & Infrastructure Security Agency), issued cybersecurity recommendations for all organizations as they anticipate a greater number of cyberattacks coming from Russia in response to sanctions from Western governments.

Chief Information Security Officers (CISOs) and their teams are the first and last line of defense in protecting their organizations and users from threats. For the full details please take a look at the full shields up guidance and related links from CISA. CISA's recommendations consist of validating your security posture and preparing in three core areas:

CISA recommends that organizations implement the strong controls outlined in CISA's guidance. These security controls go beyond identity, however, identity and access management (IAM) plays a key role with recommendations such as:

• MFA: Ensure all remote access to your network requires multi-factor authentication, particularly for admin access. This also applies to anything hosted in the cloud (more on that below).

   

• Access Policies: Implement conditional access policies with a zero trust mindset.

   

• Block Legacy AuthN Protocols: Conditional access should block legacy authentication protocols as they are more vulnerable to exploits.

   

• Have an Identity Mitigation Plan: Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens.

Other recommended security best practices for CISOs and security teams include:

• Disabling Ports: Disable ports and protocols you're not using.

   

• Update Software: Ensure your software inventory is up to date, including patching and hardening.

   

• Incident Response Plan: Have an incident response (IR) plan in place.

   

• Test:  Test your backup software.

   

• Training: Focusing on training so employees know how to spot threats such as phishing attacks. That includes establishing "blame-free" victim reporting. This will help enable users to become part of the solution.

   

• Privileged Access Management: Follow recommend guidance on securing privileged access.

   

• Mobile Device Management and Unified Endpoint Management (MDM, UEM): At a minimum, use a trusted mobile and endpoint  device management solution whether devices are corporate or employee owned BYOD (Bring Your Own Device).

   

• Extra Precautions for Microsoft 365: In CISA's strong control outline, there are several extra recommended precautions if you're using Microsoft 365.

Monitor for unusual activity and enable logging across your environment. Advanced attackers rarely perform abnormal actions and piecing together multiple signals is critical. There are several types of signals you might consider evaluating, including but not limited to:

• API traffic: Modern architectures are built on APIs. Understanding all of your APIs and the activity that might deviate from the norm is critical. API intelligence solutions can help achieve this for your enterprise.

   

• Risk Signals During Authentication: Evaluating risk signals with user and entity behavior analytics (UEBA) and other signals to determine what normal authentication activity looks like can stop bad actors from pretending to be your employees.

   

• Create a Suite of Signals: There are many different types of threat signals (both from vendors and custom built) that companies may employ. Orchestration and Authorization—also called attribute-based access controls (ABAC) or externalized authorization management (EAM)—tools can help evaluate all of these signals together, and ultimately, restrict abnormal activity.

   

• Implement policies and use AI/ML detection: Many of the above signals can be AI-based, or policy-based. While policy-based signals can help you defend against threats you know about, AI-based signals can help you detect and mitigate against threats you don't see coming. Covering both fronts is ideal for reducing risk.

Perform the basic hygiene above and test your controls—including a response plan—against a worst-case scenario. Run an internal exercise that assumes compromise, where would you start? Do you have the right tools in place? If you discover gaps, CISA has published a list of free tools and services from government partners, private organizations, and the open source community. If you have yet to implement MFA, head over here to get started immediately.

The last two years have seen organizations shift resources from on premise networks to cloud environments in response to the ongoing global pandemic. Subsequently, threat actors began to target organizations cloud resources through phishing, brute force login attempts, and "pass-the-cookie" attacks—to exploit weaknesses in the organizations' cloud security practices and configurations.

CISA puts great emphasis on securing user access to an organization's resources. Whether in the cloud or on premises, compromised user credentials have become the most prevalent attack vector for attackers. Ping Identity secures users and organizations before and after access has been granted both to workforce and customers. Try it for yourself today.