TR-68 - Best practices in times of tense geopolitical situations

Overview

Geopolitical conflicts can be the result of complex political situations. Tragically, they might escalate into wars or warlike operations. The situation can become even more complicated when surrounding countries, allies and partners threaten consequences and sanctions. In the digital world, and keeping the above dynamic in mind, it is not unusual to see increased activity in cyber attacks against other countries' government infrastructure, prominent targets or simply whatever looks like low-hanging fruit.

This document aims to provide some best practices for preparing for a situation in which organisations may see an increase in attacks, so that they do not become victims of such activities.

Best practices for companies and service providers, public and private sector organisations

Attack Surface reduction

In short: reduce the attack surface in order to limit exploitability. A service that doesn’t run cannot be exploited. The same can be said for services that are filtered.

  • Assess - know your infrastructure and check the documentation: what are your networks, hosts, services and ports that are accessible from the Internet?
  • Verify - reality check: scan the network and take note of all the exposed services.
  • Question - explain and justify the necessity to expose each and every service.
  • Limit - limit the exposure by disabling or filtering services that are not 100% necessary.

Example: You identified that your public Exchange server listens on ports 80/tcp and 443/tcp. You never intended to use Outlook Web Access, so filter or disable the service. With this, known unpatched or unknown vulnerabilities can no longer be exploited through that vector.
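The four steps above, as an added worked example that is not part of the original document: it reconciles a documented inventory of justified exposures (the Assess step) against a constructed nmap grepable scan result (the Verify step) and lists every open port nobody has justified, which is the to-do list for the Question and Limit steps. The hosts, addresses, inventory and scan output are constructed; the Exchange host mirrors the example above.

```python
import re
from collections import defaultdict

# Constructed "nmap -oG" (grepable) output for two Internet-facing hosts.
# Real output carries more fields; only the Host/Ports lines matter here.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
Host: 203.0.113.11 (vpn.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
# Nmap done (constructed sample)
"""

# The "Assess" step: documented and justified exposures (constructed inventory).
# The Exchange host is only meant to relay SMTP; OWA on 80/443 was never intended.
DOCUMENTED = {
    "203.0.113.10": {("tcp", 25): "inbound SMTP for Exchange"},
    "203.0.113.11": {("tcp", 443): "SSL VPN gateway"},
}

# Grepable port field layout: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)///")

def parse_grepable(text):
    """Return {host: {(proto, port): service}} for open ports in -oG output."""
    observed = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        for port, _state, proto, service in PORT_RE.findall(line):
            observed[host][(proto, int(port))] = service or "unknown"
    return dict(observed)

def find_unjustified(documented, observed):
    """The "Verify" step: exposures the scan saw that the inventory lacks."""
    findings = []
    for host, ports in observed.items():
        allowed = documented.get(host, {})
        for (proto, port), service in sorted(ports.items()):
            if (proto, port) not in allowed:
                findings.append((host, proto, port, service))
    return findings

def report(text=SCAN_OUTPUT, documented=DOCUMENTED):
    """Print the to-do list for the "Question" and "Limit" steps."""
    findings = find_unjustified(documented, parse_grepable(text))
    for host, proto, port, service in findings:
        print(f"{host} {port}/{proto} ({service}): justify, or filter/disable")
    return findings

if __name__ == "__main__":
    report()
```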

Keep the infrastructure up-to-date

Know the software and extensions/plugins in use and keep them updated at all times.

During tense situations, ensure that your software supply chain is reviewed and controlled, or at least verified on a regular basis (for example by using the hashlookup service to verify the origin of specific known files). Providers or sources might be abused to pass specific messages or even to cause destructive results. Further, pinning package dependencies should be preferred, if possible with hashes, to the exact version number you are deploying.
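The pinning advice above, as an added example that is not part of the original document: a small verifier for requirement lines in pip's `--require-hashes` style (`name==version --hash=algo:hex`), which rejects unpinned or hash-less lines and accepts an artifact only when both its version and every listed digest match. The package name and artifact bytes are constructed; the hashlookup service is not queried here.

```python
import hashlib
import hmac
import re

# Constructed artifacts standing in for a downloaded wheel and a tampered copy.
ARTIFACT_GOOD = b"PK\x03\x04 constructed wheel payload examplepkg 1.2.3"
ARTIFACT_TAMPERED = ARTIFACT_GOOD + b" + injected bytes"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed requirements file; the hash is derived from the vetted artifact.
REQUIREMENTS = (
    "# pinned for deployment\n"
    f"examplepkg==1.2.3 --hash=sha256:{sha256_hex(ARTIFACT_GOOD)}\n"
)

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<hashes>(?:\s+--hash=\w+:[0-9a-f]+)+)$"
)

def parse_pins(text):
    """Return {name: (version, {algo: hexdigest})}; refuse any line without ==version and a hash."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or hash-less requirement: {line}")
        hashes = dict(h.split(":", 1) for h in re.findall(r"--hash=(\S+)", m.group("hashes")))
        pins[m.group("name")] = (m.group("version"), hashes)
    return pins

def verify_artifact(pins, name, version, data):
    """True only if name is pinned, the version matches and every listed digest matches."""
    if name not in pins:
        return False
    pinned_version, hashes = pins[name]
    if version != pinned_version:
        return False
    for algo, expected in hashes.items():
        digest = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(digest, expected):  # constant-time compare
            return False
    return True
```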

DDoS mitigation

Consult our DDoS Mitigation document.

Information Sharing

Benefit from and participate in information sharing communities, such as MISP.

ENISA and CERT-EU joint publication

ENISA and CERT-EU encourage all public and private sector organisations to adopt a minimum set of cybersecurity best practices, as outlined in the Boosting your Organisation's Cyber Resilience document.

Best Practices for Individuals and employees

Be careful with requests, links or attachments received via email, for instance phishing links.

Keep in mind: don't upload potentially internal documents with sensitive content into the cloud, since this is against the terms of use of the services and those documents become (semi-)public in that case.

Also, don't trust emails blindly, even if they come from a trusted partner or if they are a reply to an existing valid email thread (the thread could have been stolen in a previous leak).

Be alert to social engineering attacks of any kind, for instance by email, website, phone or postal mail, e.g. asking for passwords.

Best Practices for the Politically Persecuted

Make sure to apply Secure Communication strategies carefully.

Notes for aspirant activists

DDoS (distributed denial of service) attacks are often viewed by activists as the easiest way to “do something”. It is important to keep in mind that it can have unanticipated negative side effects, such as hitting the wrong infrastructure (e.g. hospitals) or degrading the network connectivity globally in the country/region/area where you’re trying to render aid.

Using anonymisation networks such as Tor to protect your identity during such an attack will most probably cause an overload on the network, jeopardising political activists in repressive surveillance societies, who use them to communicate among themselves.

Remember that you only have partial information. Even if it is authentic, taking decisions individually and then acting offensively can backfire and can be a significant risk for yourself.

Reporting possibilities

Use the existing reporting facilities. In case you encounter criminal activities, you can report them to the nearest police station.

In case you see content related to racism, revisionism, discrimination or content related to terrorism, these topics can be reported to https://stopline.bee-secure.lu.

For support in case of an incident you can contact CIRCL.

Observed data leaks can be reported to https://cnpd.public.lu.

Suspicious financial activities and financial operations can be reported to the CRF (Cellule de renseignement financier). For more details about the financial sector in Luxembourg, there is a Ukrainian crisis page at the CSSF.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.2 - TLP:WHITE - third version - 7th March 2022
  • Version 1.1 - TLP:WHITE - Second version - 1st March 2022 (CSSF reference added)
  • Version 1.0 - TLP:WHITE - First version - 28 February 2022