Ir para conteúdo

Version 1.0


A.    Framework

The beginning of the year was marked by the occurrence of a series of cyber-attacks with relevant impact and media projection in our country. Some of these attacks were claimed by the Lapsus$ collective, which is characterised by the absence of political ideology and financial motivation, focusing on actions of gratuitous vandalism.

Therefore, the European Network of CSIRTs (European Network of Cyber Security Incident Response Teams) and ENISA (European Union Agency for Cyber Security) have strengthened the sharing of information on malicious activities in cyberspace and on indicators of compromise (IoC) related to this conflict. This information sharing allows defining a framework of new threats to citizens (e.g. the recruitment of digital "warriors" for offensive actions in the framework of this conflict) and to companies and Public Administration (e.g. the implementation of retaliatory actions to countries that have applied economic sanctions).

In Portugal, to date, no incident directly related to the war in Ukraine has been identified. However, it is important to consider the threats posed to cyberspace of national interest arising from Portugal's membership in NATO and the European Union, as well as the country's non-neutrality.

The aim of this document is to gather a set of recommendations for citizens, companies and Public Administration to help anticipate, detect, react, and recover from hypothetical situations of cyber security incidents related to the identified threat framework.

This document will be updated according to the alert status and knowledge acquired at any given time.



B.    Recommendation to all citizens

Over the last few months, a set of calls for collective mobilisation and active participation of Portuguese citizens in cyber-attacks on Russia has been circulating on social networks. The CNCS advises against citizens participating in this type of action. The fact that there is an armed conflict may not ensure any legal protection for national citizens to carry out cyber-attacks.

Conducting cyber-attacks in this context may prove contrary to ongoing diplomatic efforts or cause damage that could be imputed to Portugal, which would require these acts to be treated by the authorities as criminally relevant.



C.    Threats and Attack Methodologies in the Current Context

Taking into consideration the present context, the CNCS warns of the possibility of attacks on cyberspace of national interest in the framework of the following threats and attack methodologies:

a)    Distributed Denial of Service (commonly known as DDoS)
Distributed Denial of Service is a type of attack that aims to exhaust the target's computing resources in order to degrade it or make it unavailable (e.g. sending a large number of requests to a web application).

b)    Account compromise
Account compromise occurs when a user, without being aware of it, shares his/her account access data with a third party or a malicious agent gains access to such data through intrusions carried out by itself or by a third party. An example of this mode of action is the capture of email credentials or access data to other online services (e.g. username and password).

c)    Compromising the supply chain
This type of threat materialises when an organisation is attacked via a digital product/service from a supplier that is compromised. The compromised product/service enables an attack on the customer, the main final target. When there is a supply to many customers, the scope of the attack can be very high.

d)    Ransomware
This threat materialises through a malicious code that is installed on a victim's device with the aim of encrypting its data making it unavailable. To reverse the situation, the malicious agent demands a ransom, usually in cryptocurrencies, to make the data available again. Sometimes this extortion is also accompanied by the threat of publishing the data if the ransom is not paid.

e)    Vulnerabilities - Surface of attack
The higher the amount of online services made available to the community, the higher the attack surface. These services are available to all without the implementation of access or intrusion prevention measures. This exposure, besides being a vulnerability in itself, exposes an organisation to the vulnerabilities that some of these services may contain.

f)    Cyberespionage
Digital espionage seeks to perform intrusions and exfiltrate sensitive data to relevant governmental and industrial entities, sometimes leading to acts of sabotage. It is carried out for geopolitical and strategic purposes, often acting in the long term and with sophisticated methods of concealment.

g)    Phishing/Smishing
In the context of phishing  (by email) and smishing (by SMS) users receive messages on current issues (e.g. pandemic, European conflict, economic sanctions) or related to widely used online services, which promote the collection of information, through the improper sharing of credentials for accessing accounts, or the infection of equipment by malicious code through clicks on URLs or attachments.



D.     Recommendations for companies and Public Administration bodies

In order to prevent and mitigate the effects of this framework of threats and attack methodologies, the CNCS recommends that organisations apply the following measures:

a)    Risk Assessment: Each organisation has different priorities and weaknesses, so it should carry out a risk assessment to determine the possible problems that could affect it.

b)    Activation of Multifactor Authentication (MFA): Protect your organisation by using more than one authentication factor when accessing your online accounts and working remotely. Consider, for instance, implementing tokens such as smart cards and FIDO2 (Fast IDentity Online) security keys.

c)    Password management: keep your passwords secret and secure (use a phrase of 12 characters or more, without obvious terms), preventing someone with malicious intentions from accessing your password-protected platforms. In addition, the CNCS encourages all organisations to use offline password management software wherever possible.  

d)    Software Update: ensure that all softwares in the organisation is properly updated. Also ensure that all actions related to endpoints and server security patches are carried out on a regular basis. It is also important to encourage employees who use their personal devices for professional purposes to update them and be careful what they install on those devices.

e)    Incorporate cyber security into the supply chain: implement security measures with respect to third party access to your internal networks and systems. If you apply these measures, should a third party be compromised and used as an intermediary to compromise your organisation, you will improve your organisation's ability to respond to possible attacks.

f)    Protection of cloud services:implement appropriate security measures on the cloud platforms used in the organisation (e.g. apply the best care to passwords and encrypt sensitive information).

g)    Data backup (backup copies): given the high proliferation of ransomware attacks, it is highly recommended to increase the frequency of critical data backups. It is important to ensure that access to backups is controlled, limited and registered, and that the 3-2-1 rule is complied with, i.e. making three copies: two are made on different media and the third is kept offline..  

h)    Network segmentation: Apply network segmentation, which will enable the organisation to have visibility, control over network traffic, and prevent the compromise of one segment from affecting others.

i)    Centralisation of logs: in order to allow for a quick detection and response to an incident, it is desirable that the logs of all systems are channelled to a central system that correlates them.

j)    Fight against phishing: raise awareness among all employees about not clicking on links or attachments from suspicious emails and SMS, nor sharing their data when replying to such messages.

k)    Email security: prevent malicious emails from entering by activating anti-SPAM filtering. If possible, follow the technical recommendation regarding SPF, DKIM and DMAR, available here.

l)    Content Delivery Network (CDN): Protect your organisation from distributed denial of service attacks by using a content delivery network. This measure will allow the distribution of content on different servers.

m)    Blocking access: block or severely limit Internet access to servers or other devices that are rarely used, as threat actors can exploit these to establish backdoors.

n)    Training and awareness-raising: Promote a responsible, aware, and healthy use of cyberspace through employee training and capacity building on cyber security matters.

Please note: any citizen should adopt cyber hygiene best practices in order to protect themselves and the organisations they relate to. In particular, the CNCS advises a set of good practices ready to be applied by each individual citizen, available here.



E.    Benchmarks made available by the CNCS

As a medium-term measure, the CNCS has defined a minimum capacity building model aimed at improving cyber security in terms of processes, people and technologies in national organisations, with a special focus on PMEs, the Minimum Cyber Security Capabilities Roadmap

A National Reference Framework for Cyber Security was also defined, allowing organisations to reduce the risk associated with cyber threats, providing the basis for them to fulfil the requirements of network and information systems security in an in-depth manner. This document responds to the need to implement measures of identification, protection, detection, response, and recovery against threats and presents a set of recommendations so that organisations can define a strategy that involves their entire structure.



F.    In the event of a cyber security incident

If you are the target of a cyber security incident, in order to speed up the reaction, we advise you to contact CERT.PT by e-mail at cert@cert.pt or through the following form, in order to share relevant information and coordinate mitigation and resolution actions with the entities involved, liaising with other national and international authorities.

If you suspect you have received a malicious attachment and wish to have it analysed, you can use the CNCS Sandbox4All platform, available here.

Internally, it is advisable that each organisation has a structure in place for the management of cyber security incidents. This structure should have the following defined:
    -> A crisis management team;
    -> A communication plan;
    -> An incident response team (or hiring/pre-contracting this service);
    -> A recovery and service replacement team.
    
When faced with a cyber security incident, it is important to carry out a forensic analysis, where one should be able to identify:
    -> Date of the facts
    -> Mode of intrusion
    -> Occurrences after intrusion;
    -> Recovery of the systems in a safe manner;
    -> Mitigation measures to be applied;
    -> IoC to share.
Last updated on 07-09-2022