When it comes to securing cyber operations, it is often easy to focus on industrial sectors or other critical infrastructure, but what about the areas labeled civil society?

To that end, CISA, in partnership with the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and international partners, last week released Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society.

The joint guidance provides civil society organizations and individuals with recommended actions and mitigations to reduce the risk of cyber intrusions.

Additionally, the guide encourages software manufacturers to actively implement and publicly commit to Secure by Design practices that are necessary to help protect vulnerable and high-risk communities.

Civil society, comprised of organizations and individuals – such as nonprofit, advocacy, cultural, faith-based, academic, think tank, journalist, dissident, and diaspora organizations, and communities involved in defending human rights and advancing democracy – is made up of high-risk communities (HRCs).


Furthermore, the lack of reporting in threat telemetry and intelligence feeds, coupled with HRCs’ limited accessibility to enterprise-level solutions, hinders commercial and government organizations’ accurate measurement of threats posed to HRCs.

However, industry reporting indicates a consistent pattern of state-sponsored cyber actors targeting specific segments of civil society. Notably, non-governmental organizations (NGOs), think tanks, human rights activists, and journalists are frequently targeted by state-sponsored actors:

  • According to Microsoft, in 2023 NGOs and think tanks were the second highest targets of state-sponsored actors, following the Information Technology Sector.
  • As of November 2023, CrowdStrike reporting revealed five state-sponsored groups are known to target think tanks, eleven groups represent potential threats to NGOs, two groups target dissidents, and one group targets nonprofit organizations (NPOs).
  • Cloudflare observed malicious cyber activity against civil society organizations is “generally increasing.” In Quarter 2 of 2023, NPOs were the focus of attacks more than any other industry when looking at malicious traffic to NPO websites as a proportion of total traffic. In Quarter 3 of 2023, NPO and independent media organizations placed second behind the metals and mining industry, with 17.14 percent of all traffic to NPOs representing distributed denial-of-service (DDoS) attacks. Similarly, the European Union Agency for Cybersecurity (ENISA) found targeted individuals within civil society were the second most-targeted sector globally between July 2022 and June 2023.

As a part of the joint advisory, the agencies encourage civil society organizations to implement best practices as defined by CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). These cybersecurity controls provide a minimum set of practices and protections informed by the most common and impactful threats and behaviors.

Additionally, to mitigate state-sponsored actors performing reconnaissance and gaining initial access to enterprise networks via phishing and compromised credentials, prioritize the following:

  1. Keep software updated on user devices and IT infrastructure. Software updates fix known flaws. Installing them promptly means actors cannot leverage these flaws to access systems.
  2. Implement phishing-resistant multifactor authentication (MFA). Setting up phishing-resistant MFA makes it more difficult for actors to compromise user accounts, and often makes legitimate user sign-ins simpler at the same time.
  3. Audit accounts and disable unused and unnecessary accounts. Remove needless accounts to reduce access vectors that actors can use to get into the system.
  4. Disable user accounts and access to organizational resources for departing staff. Disablement of accounts can minimize exposure of the system, removing options actors can leverage for entry into the system.
  5. Apply the Principle of Least Privilege. Audit accounts with extensive or high-impact permissions (admin access) and remove any unnecessary permissions to reduce the damage that an actor can inflict through a compromised account. Avoid using admin user accounts for regular daily tasks. Usage of admin user accounts should be regularly monitored to detect unauthorized and malicious activity.
  6. Exercise due diligence when selecting vendors, including cloud service providers (CSPs) and managed service providers (MSPs). This reduces supply chain risks. Use only reputable vendors that state how they embrace Secure by Design practices. See the Software Manufacturers section for CISA’s Secure by Design Pledge and recommended practices.
  7. Review contractual relationships with all service providers, prioritizing providers of critical services first. Ensure contracts include:
    — Security controls tailored to meet the specific needs of customers
    — Appropriate monitoring and logging of provider-managed customer systems
    — Continuous monitoring of the service provider’s presence, activities, and connections to the customer network, ensuring compliance with cybersecurity performance objectives and Secure by Design principles
    — Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative network to an up-to-date recipient
  8. Manage architecture risks by:
    — Auditing and reviewing connections between customer systems, service provider systems, and other client enclaves; particularly those exposed to the Internet, such as cloud services, email servers and virtual private network (VPN) servers
    — Using a dedicated VPN to connect to MSP infrastructure; all network traffic from the MSP should only traverse this dedicated secure connection
  9. Implement basic cybersecurity training to cover concepts such as account phishing, email and web browsing security, and password security. Ensure training addresses state-sponsored cyber actor targeting of personal emails and devices, and that staff protect their personal email accounts and mobile devices from compromise by applying the recommendations for individuals.
  10. Develop and exercise incident response and recovery plans. Ensure plans cover at least the systems critical and important to the organization and include who to contact or report the incident to for assistance.
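A small account-hygiene audit that implements items 3, 4 and 5 above, added here as an example and not taken from the CISA guidance or this article; the account export format, its field names, and the 90-day "unused" threshold are assumptions:

```python
from datetime import datetime, timedelta

STALE_DAYS = 90  # assumption: no sign-in for this long marks an account as unused

# Constructed sample account export (not real data); field names are assumed.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": ["staff"], "last_login": "2024-05-10"},
    {"user": "bob", "enabled": True, "roles": ["staff", "admin"], "last_login": "2024-05-12"},
    {"user": "carol", "enabled": True, "roles": ["staff"], "last_login": "2023-11-01"},
    {"user": "dave", "enabled": True, "roles": ["staff"], "last_login": "2024-04-30"},
    {"user": "erin", "enabled": False, "roles": ["admin"], "last_login": "2022-01-05"},
    {"user": "svc-backup", "enabled": True, "roles": ["admin"], "last_login": None},
]
# Constructed HR list of staff who have left the organization.
DEPARTED = {"dave"}


def audit_accounts(accounts, departed, today, stale_days=STALE_DAYS):
    """Apply checks 3, 4 and 5 from the guidance to each enabled account.

    Returns (user, finding) pairs in inventory order, so the output doubles
    as a to-do list: disable, then review privileges, then monitor.
    """
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=stale_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing further to do
        user = acct["user"]
        if user in departed:  # check 4: departing staff
            findings.append((user, "departed staff but account still enabled"))
        last = acct["last_login"]  # check 3: unused accounts (never or long ago)
        if last is None or datetime.strptime(last, "%Y-%m-%d") < cutoff:
            findings.append((user, f"no sign-in within {stale_days} days"))
        if "admin" in acct["roles"]:  # check 5: least privilege
            findings.append((user, "holds admin role; confirm need and monitor use"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, DEPARTED, "2024-05-15"):
        print(f"{user:>12}: {finding}")
```

Running the audit against a real directory export (for example a CSV from your identity provider) only requires mapping its columns onto the four fields used here.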

See the full document, “Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society,” for more.
