By now you’ve seen the warnings, or if you haven’t your CISO has. US-CERT and the FBI have issued warnings that the government of North Korea has been attempting a series of largely successful cyber-attacks against interests in the United States and elsewhere in the world.
These attacks have the ultimate goal of sowing chaos and distrust in the west as well as to prepare for a cyber-war.
Right now the North Koreans are in the process of examining as many networks of all types as they can so that the attackers know exactly where to hit and what to do when they get there.
The more organizations that they record, the more effective their ultimate cyber-attack will be. When the attack happens, the organizations whose networks have been penetrated will effectively be at Ground Zero for the cyber-war.
Fortunately, there are steps you can take now that will reduce the impact of those cyber-attacks if and when the come. If you’re proactive, you may be able to prevent any information regarding your enterprise from ending up in the wrong hands. But there are several critical you need to know to protect your organization's network.
First, you have to assume that the North Koreans have already penetrated your network. That does not mean that you should drop your efforts to prevent penetration, but you have to take steps that assume they have broken in. Second, you have to prioritize the threat, which is high, meaning that you’ll need to spend the money and allocate the resources necessary to protect your company.
1. Stay up to the minute on threat intelligence, and make sure you know those threats affect you. Stu Sjouwerman, founder and CEO of Knowbe4 suggests checking WikiLeaks on a daily basis for reports of new releases of NSA hacking tools. When you find them, make sure your network is protected against those vulnerabilities. It’s important to know that many of those hacks depend on long patched vulnerabilities, so you will need to make sure that your network has been thoroughly patched.
2. Prevent exfiltration. Even if the North Koreans or other bad guys are inside your network, it does them no good if they can’t get the data that they came for. This means that you have to set your firewall or other security device to reject attempts to send data to destinations suspected of having a connection to the bad guys, including North Korea and China. The recent US-CERT alert provided a list of those suspicious IP addresses. But you can’t stop there. According to Georgia Weidman, founder and CTO of Shevirah, it’s now common for attackers to bypass firewalls and exfiltrate data through mobile devices, Internet of Things devices and the like.