Forensic cyberattack data on industrial control systems provide critical clues

New report from ICS-CERT highlights the importance of forensic data

In addition, organizations should focus on relatively low-cost strategies that can have a positive impact on security in the near term, such as intrusion detection and mitigation strategies, advised ICS-CERT’s Cyber Intrusion Mitigation Strategies paper.

Also, organizations should disable credential caching on all machines because attackers often employ the “pass the hash” technique, which uses cached password hashes from a compromised machine to gain access to other machines on the network, the paper explained.

Another area that organizations should focus on is increasing logging capabilities because logs can yield valuable information about compromises, command and control server communication, exfiltrated data, remote access logons, and other data.
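The two points above, cached credentials abused by pass-the-hash and logs that record remote access logons, meet in one triage check. The following Python script is an added example, not code from ICS-CERT's paper or this article: it scans constructed Windows Security log records (Event ID 4624 reduced to dicts; field names follow that event) for the trace pass-the-hash leaves behind, one account performing NTLM network logons to several hosts from a single source within a short window. The window and host-count thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, reduced from Windows Security Event ID 4624
# (successful logon). logon_type 3 is a network logon; the auth_pkg "NTLM"
# with logon_proc "NtLmSsp" combination is what a pass-the-hash logon
# produces, since the attacker never obtains a Kerberos ticket.
SAMPLE_EVENTS = [
    {"time": "2013-02-01T10:00:05", "host": "HMI-01", "user": "opsadmin",
     "src_ip": "10.0.5.20", "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2013-02-01T10:01:40", "host": "HIST-02", "user": "opsadmin",
     "src_ip": "10.0.5.20", "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2013-02-01T10:03:12", "host": "ENG-03", "user": "opsadmin",
     "src_ip": "10.0.5.20", "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2013-02-01T10:06:55", "host": "DC-01", "user": "opsadmin",
     "src_ip": "10.0.5.20", "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    # Normal domain activity: Kerberos network logons are not flagged.
    {"time": "2013-02-01T10:02:00", "host": "HIST-02", "user": "jdoe",
     "src_ip": "10.0.7.31", "logon_type": 3, "auth_pkg": "Kerberos", "logon_proc": "Kerberos"},
    {"time": "2013-02-01T10:02:30", "host": "ENG-03", "user": "jdoe",
     "src_ip": "10.0.7.31", "logon_type": 3, "auth_pkg": "Kerberos", "logon_proc": "Kerberos"},
    # A backup account reaching two hosts stays under the fan-out threshold.
    {"time": "2013-02-01T10:10:00", "host": "HIST-02", "user": "svc_backup",
     "src_ip": "10.0.5.9", "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2013-02-01T10:12:00", "host": "ENG-03", "user": "svc_backup",
     "src_ip": "10.0.5.9", "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
]

def find_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (user, src_ip, hosts) tuples for accounts that performed NTLM
    network logons to at least min_hosts distinct hosts from one source
    address inside `window`. Thresholds are assumptions to tune per site."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM":
            by_key[(e["user"], e["src_ip"])].append(e)
    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for i, first in enumerate(evs):          # slide the window over each start
            t0 = datetime.fromisoformat(first["time"])
            hosts = {e["host"] for e in evs[i:]
                     if datetime.fromisoformat(e["time"]) - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, src, sorted(hosts)))
                break                            # one alert per account/source
    return alerts
```

Running `find_ntlm_fanout(SAMPLE_EVENTS)` on the constructed data flags only `opsadmin` from 10.0.5.20; the same pattern in real logs is a lead for the forensic preservation step the paper recommends, not proof of compromise on its own.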

If a compromise is discovered, organizations should preserve the forensic data. Firms that do not have the internal staff to perform an investigation should consult trained forensic investigators for advice and assistance before implementing any forensic or recovery efforts, the paper advised.

Over the long term, organizations should implement strict role-based access control, network segmentation, and application whitelisting.

ICS-CERT encouraged asset owners to take the following additional defensive measures: minimize network exposure for all control system devices; keep software up to date with a patch management plan; develop, review, and maintain an up-to-date incident response plan; keep patches up to date whenever possible; and when remote access is required, use secure methods, such as virtual private networks, recognizing that they are only as secure as the connected devices.
