Dealing With Kimsuky: How to Protect Federal Endpoints and Networks From Advanced Persistent Threats

December 04, 2020 By Egon Rinderer

Federal remote workers rely on virtual desktop infrastructures like Remote Desktop Protocol (RDP) to gain access to and visibility into agency network servers. Protecting those endpoints from the growing number of potential cyber threats is a priority for IT teams — and is particularly important in light of a recent alert from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and U.S. Cyber Command Cyber National Mission Force (CNMF). The alert described how the North Korean advanced persistent threat group Kimsuky has been exfiltrating information from worldwide targets to gain intelligence on various topics of interest to the North Korean government.

In a recent Homeland Security Today article, I discuss this alert and how the Advanced Persistent Threat (APT) group has been able to gain intelligence from worldwide targets for several years, and give advice on how federal agencies can protect their data and systems from Kimsuky and other APTs.

Kimsuky has been implementing many different tactics to exfiltrate sensitive information — one of which is using web hosting credentials, stolen from individuals outside of their target victims, to host their malicious scripts and tools.

As federal IT teams look for more advanced security solutions to protect them from advanced threats, they should consider:

  • Educating users on safe browsing, phishing, and spear phishing
  • Monitoring alerts related to this actor to catch suspicious activity
  • Using a quarantine capability to immediately revoke network access for any affected hosts

By focusing on factors like these, IT teams can gain a more comprehensive view of the security landscape to help them make better decisions.

IT teams should consider leveraging Tanium’s endpoint management and security platform, which gives comprehensive, real-time visibility across end users, servers and cloud endpoints. The platform approach also works across the largest, most complex networks to identify assets, protect systems, detect threats, respond to attacks, and help organizations recover.

Tanium has the ability to minimize the impact of threats with automated hunting, early detection, and rapid investigation and remediation. With products like Tanium Threat Response and Tanium Protect, IT teams can catalog authorized remote software tools and block any unauthorized software or endpoints.

Agencies need to be prepared for increasing cyber threats by implementing security processes and approaches that will ensure the network and endpoints are protected. To read the full article, visit: Homeland Security Today.