Defence and Mitigation
To defend against and mitigate spearphishing attacks such as those described above, it is important that the government implements a multilayered cybersecurity strategy covering both technical and human defences. Technical defences include disabling macros, email filtering, patch management, network segmentation, sandboxing, EDR solutions and MFA. These are standard measures, but they are very effective.
Email security
Advanced threat detection: It is necessary to deploy AI/ML-based email filtering such as Proofpoint, Mimecast, Egress Intelligent Email Security and Microsoft Defender for Office 365 to filter and flag spearphishing emails and any email that contains malicious attachments or suspicious links. DMARC, SPF and DKIM are the appropriate controls for preventing email spoofing.
Attachment sandboxing: Given Kazakhstan's past experience with these attacks, it is crucial to implement a strategy that analyses every attachment in a secure environment before it is delivered to users. Tools such as Cuckoo Sandbox and FireEye are suitable for this, while all emails with attachments from untrusted sources should be flagged or blocked.
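DMARC, SPF and DKIM only stop spoofing when the published records are enforcing. The following is an added example, not part of the original text, that grades the SPF and DMARC TXT records a domain publishes; all records in it are constructed samples for a hypothetical domain.

```python
# Added example: grade constructed SPF and DMARC records, since a record that
# exists but does not enforce (SPF ~all, DMARC p=none) leaves spoofing unblocked.
def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' term ('-', '~', '?', '+'), or None if not SPF."""
    if not record.startswith("v=spf1"):
        return None
    qualifier = None
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return qualifier

def parse_dmarc(record):
    """Parse 'tag=value;' pairs of a DMARC record into a dict, or None."""
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def assess(spf_record, dmarc_record):
    """List weaknesses; empty means SPF/DMARC-honouring receivers reject spoofs."""
    findings = []
    q = spf_all_qualifier(spf_record)
    if q is None:
        findings.append("no SPF record")
    elif q != "-":
        findings.append(f"SPF ends in '{q}all': unauthorised senders are not hard-failed")
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        return findings + ["no DMARC record"]
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy}: spoofed mail is only reported, still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    if tags.get("sp", policy) not in ("quarantine", "reject"):
        findings.append("DMARC subdomain policy (sp) is not enforcing")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to monitor abuse")
    return findings

# Constructed records for a hypothetical domain: a weak pair beside an enforcing pair
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.invalid"
```

Calling `assess(WEAK_SPF, WEAK_DMARC)` lists five weaknesses, while `assess(STRONG_SPF, STRONG_DMARC)` returns an empty list; in practice the records are fetched from DNS, and DKIM selectors are checked separately.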

Document security

Disable macros by default: Blocking Microsoft Office macros for documents from an external source via endpoint protection tools or group policy would have prevented the breach from happening and therefore would be an excellent prevention strategy for future safety.
Patch management: Prioritise updates for document editors such as Adobe Acrobat and Microsoft Office, and ensure operating systems and network infrastructure are patched and updated regularly.
PDF/Office hardening: Disable JavaScript in PDF readers and restrict the execution policies for Office files.
Endpoint and Network Protection
Endpoint detection and response: Deploy EDR tools such as CrowdStrike, SentinelOne and Microsoft Defender for real-time monitoring of behaviour on endpoints.
Application whitelisting: Set up an application whitelist to prevent the unauthorised execution of macros and scripts.
Network segmentation: Creating separate network segments according to roles and responsibilities will separate the diplomatic network from the broader government IT system and restrict lateral movement.
MFA, or multi-factor authentication, is a key security measure that can be used to protect all sensitive information and remote access systems. MFA can be set up to protect email and document archives, among other things.

Human-Centric Defences

Humans are a major vulnerability that attackers try to exploit in order to gain access to corporate systems, which is why it is necessary that all employees receive cybersecurity training to help them identify suspicious emails and documents, such as those using urgency tactics and mismatched sender addresses.
Additionally, employees must be trained to avoid enabling macros and to verify document sources through a secondary channel, such as a phone call, where possible.
Regular phishing simulation exercises should be run to test and improve employees' responses and their knowledge of how to prevent these attacks. It is also important that a proper incident reporting culture is practised among government employees, including clear and anonymous reporting protocols that are easily accessible for reporting suspected phishing attempts.