CISA says multiple attacks on cloud services bypassed multifactor authentication
- Implement conditional access (CA) policies based upon your organization's needs.
- Establish a baseline for normal network activity within your environment.
- Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
- Enforce MFA.
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding.
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens.
- Follow recommended guidance on securing privileged access.
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
- Consider restricting users from forwarding emails to accounts outside of your domain.
- Ensure user access logging is enabled. Forward logs to a security information and event management (SIEM) appliance for aggregation and monitoring, so that visibility is not lost once logs age out of the service's retention period.
- Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
- Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.
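The forwarding-rule and audit-log reviews above are routine enough to script. The following is an added example, not CISA's code: it parses unified-audit-log records for Exchange rule and mailbox changes and flags any that send mail to a domain outside the organisation. The records, the `corp.example` domain list and the AuditData field layout (`Operation`, `UserId`, `Parameters` as Name/Value pairs) are constructed or assumed for the example.

```python
import json

# Constructed sample records shaped like the AuditData JSON that
# Search-UnifiedAuditLog returns for Exchange operations (assumed layout).
SAMPLE_AUDIT_DATA = [
    '{"CreationTime":"2021-01-13T10:02:11","Operation":"New-InboxRule","UserId":"alice@corp.example","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"Finance cleanup"},{"Name":"ForwardTo","Value":"backup@mail.example.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2021-01-13T10:05:40","Operation":"Set-Mailbox","UserId":"bob@corp.example","ClientIP":"203.0.113.9","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.home@webmail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    '{"CreationTime":"2021-01-13T11:00:00","Operation":"New-InboxRule","UserId":"carol@corp.example","ClientIP":"10.0.0.5","Parameters":[{"Name":"Name","Value":"Move HR"},{"Name":"MoveToFolder","Value":"HR"}]}',
    '{"CreationTime":"2021-01-13T11:30:00","Operation":"New-InboxRule","UserId":"dave@corp.example","ClientIP":"10.0.0.7","Parameters":[{"Name":"Name","Value":"Cc manager"},{"Name":"RedirectTo","Value":"dave.manager@corp.example"}]}',
]

# Exchange rule/mailbox parameters that cause a copy of mail to leave the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
INTERNAL_DOMAINS = {"corp.example"}  # constructed: the organisation's own domains


def _recipient_domain(value):
    """Return the domain of an address given as 'user@host' or 'smtp:user@host'."""
    addr = value.split(":", 1)[-1].strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def find_external_forwarding(audit_data_list, internal_domains=INTERNAL_DOMAINS):
    """One finding per record whose forwarding target lies outside internal_domains."""
    findings = []
    for raw in audit_data_list:
        rec = json.loads(raw)
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in FORWARDING_PARAMS & params.keys():
            domain = _recipient_domain(params[name])
            if domain and domain not in internal_domains:
                findings.append({
                    "time": rec["CreationTime"], "user": rec["UserId"],
                    "operation": rec["Operation"], "parameter": name,
                    "target": params[name], "client_ip": rec.get("ClientIP", "n/a"),
                    # A rule that also deletes the original hides the forwarding from the owner.
                    "deletes_copy": params.get("DeleteMessage") == "True",
                })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_DATA):
        print(f"{f['time']} {f['user']} {f['operation']} {f['parameter']}={f['target']} "
              f"from {f['client_ip']} deletes_copy={f['deletes_copy']}")
```

Run against real exports, the `client_ip` field is what you correlate with the sign-in baseline from the earlier recommendations; a forwarding rule created from an address never seen for that user is the case to escalate.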