CERT Vanuatu recommends implementing the Essential mitigations below to reduce threats to ICT systems. Specifically, to combat the threat of Emotet to ICT systems, agencies should implement the following mitigations.
Configure Microsoft Office macro settings
In most cases, Emotet’s initial infection of a network was via an embedded macro in a Microsoft Office or PDF document. Implementing this security control will assist in reducing the likelihood of initial access via this method.
CERT Vanuatu recommends organisations review the use of macros within their environments, taking into account the guidance in Microsoft Office Macro Security. Where possible, CERTVU recommends blocking macros from the internet and only allowing macros to execute from Trusted Locations, where write access is limited to personnel whose role is to vet and approve macros.
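The following is an added example, not part of the CERT Vanuatu advisory, showing how the two recommended macro controls (block macros from the internet, allow macros only from a Trusted Location that only approvers can write to) can be applied for Office 2016/2019/365 (registry branch 16.0). It writes the same per-user policy keys that the corresponding Group Policy settings set, so it can be used to test before deploying by GPO. The folder path and the approver group name are placeholders.

```powershell
# Added example (not from the advisory): apply the recommended macro controls via the per-user
# Office policy keys. Assumptions: Office 16.0 branch, Word and Excel only, placeholder values.
$Apps          = @('Word', 'Excel')
$TrustedPath   = 'C:\ApprovedMacros'          # placeholder Trusted Location
$ApproverGroup = 'EXAMPLE\MacroApprovers'     # placeholder group that vets and approves macros

foreach ($App in $Apps) {
    $Sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    New-Item -Path $Sec -Force | Out-Null

    # Block macros in files carrying the Mark-of-the-Web (downloaded or received by email).
    Set-ItemProperty -Path $Sec -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

    # Everywhere outside a Trusted Location: disable all macros without notification (4).
    Set-ItemProperty -Path $Sec -Name 'VBAWarnings' -Value 4 -Type DWord

    # Declare the single vetted folder as a Trusted Location; macros there still run.
    $Loc = "$Sec\Trusted Locations\Location0"
    New-Item -Path $Loc -Force | Out-Null
    Set-ItemProperty -Path $Loc -Name 'Path'            -Value "$TrustedPath\"
    Set-ItemProperty -Path $Loc -Name 'AllowSubfolders' -Value 0 -Type DWord
    Set-ItemProperty -Path $Loc -Name 'Description'     -Value 'Vetted and approved macros only'
}

# Lock down the Trusted Location: users read/execute, only the approver group may write.
New-Item -ItemType Directory -Path $TrustedPath -Force | Out-Null
icacls $TrustedPath /inheritance:r `
    /grant:r "${ApproverGroup}:(OI)(CI)M" `
    /grant:r "BUILTIN\Users:(OI)(CI)RX" `
    /grant:r "BUILTIN\Administrators:(OI)(CI)F" | Out-Null

# Verify the resulting settings for each application.
foreach ($App in $Apps) {
    Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security" |
        Select-Object @{n='App';e={$App}}, blockcontentexecutionfrominternet, VBAWarnings
}
```

The ACL step is what makes the Trusted Location safe: a Trusted Location that any user can write to simply moves the problem, since a malicious document saved there would run its macro.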
Patch Operating Systems
Emotet commonly deploys Trickbot which has been observed using EternalBlue to move laterally from the initial access point within a network to other hosts.
Maintaining a regular patch process and applying patches to products restricts the exploits available to Emotet for lateral movement within a network, limiting the number of hosts impacted by a successful infection.
Daily backups
CERT Vanuatu recommends maintaining isolated offline backups of your network to allow recovery in the event of widespread Emotet infection, or the deployment of ransomware.
Implement additional security controls
CERT Vanuatu publishes a comprehensive list of Strategies to Mitigate Cyber Security Incidents. To specifically combat the threat of Emotet to ICT systems, agencies should implement the following mitigations.
Email Content scanning
Emotet is most commonly spread via emails containing malicious attachments. Email content filters and dynamic email analysis sandboxing capabilities could be put in place to prevent malicious content from reaching users and reduce the likelihood of compromise. To complement this, antivirus software using heuristics and reputation ratings should also be installed to identify and prevent malicious attachments that do make it to end users.
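As an added example (not from the advisory), the following Exchange Online transport rules hold inbound mail carrying the attachment types Emotet relies on for review before delivery. It assumes the ExchangeOnlineManagement module is installed and an administrative session has already been opened with Connect-ExchangeOnline; rule names and comments are placeholders.

```powershell
# Added example (not from the advisory): quarantine inbound mail with macro-enabled Office
# attachments or attachments the content filter cannot inspect. Assumes an open Exchange Online session.
$MacroExtensions = @('docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam', 'sldm')

# Rule 1: macro-enabled Office documents from outside the organisation are held for review.
New-TransportRule -Name 'Quarantine inbound macro-enabled Office attachments' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $MacroExtensions `
    -Quarantine $true `
    -Comments 'Emotet mitigation: macro-enabled attachments are reviewed before delivery'

# Rule 2: executable content (including renamed executables, detected by true file type).
New-TransportRule -Name 'Quarantine inbound executable attachments' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true

# Rule 3: attachments the scanner cannot open (e.g. password-protected archives) are not let through.
New-TransportRule -Name 'Quarantine inbound unscannable attachments' `
    -FromScope NotInOrganization `
    -AttachmentIsUnsupported $true `
    -Quarantine $true

# Confirm the rules exist, are enabled, and note their evaluation order.
Get-TransportRule | Where-Object Name -like 'Quarantine inbound*' |
    Format-Table Name, State, Priority -AutoSize
```

Conditions inside one transport rule are combined with AND, which is why the three cases are separate rules. Quarantining rather than rejecting keeps a copy for the security team to analyse when a wave of Emotet lures arrives.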
Network Segmentation
Emotet and Trickbot have techniques that can be used to move laterally within an organisation's network. Organisations should partition networks into smaller sections in order to separate and segregate communications between specific hosts and services. Appropriate segmentation and segregation will limit the impact that a successful Emotet infection has on a network.
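The following added example (not from the advisory) shows host-based segmentation of a workstation fleet with Windows Defender Firewall, which complements network-level segmentation: workstations have no need to accept SMB or RDP from other workstations, so those ports are allowed only from a management subnet. Because Trickbot's EternalBlue lateral movement targets SMB, the block also covers the SMBv1 check that goes with the patching section above. The management subnet is a placeholder.

```powershell
# Added example (not from the advisory): restrict workstation-to-workstation SMB (445) and RDP (3389)
# with the host firewall so they are reachable only from the management subnet. Placeholder subnet.
$MgmtSubnet   = '10.0.5.0/24'      # placeholder: jump hosts / administrator workstations
$LateralPorts = @(445, 3389)       # SMB (EternalBlue target) and RDP

# 1. Default inbound posture is block; explicit allow rules are the only way in.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the broad built-in allow rules that expose these services to any address.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 3. Re-allow each service only from the management subnet (domain profile only).
foreach ($Port in $LateralPorts) {
    New-NetFirewallRule -DisplayName "Segmentation: TCP $Port from management subnet only" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain | Out-Null
}

# 4. Verify: every enabled inbound allow rule for these ports and the addresses it accepts from.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($LateralPorts -contains $_.LocalPort) } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $Addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($Addr -join ', ') }
    } | Format-Table -AutoSize

# 5. Related hardening (patching section): SMBv1, the protocol EternalBlue abuses, should be off.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

The verification step matters more than the rule creation: in Windows Defender Firewall any other enabled allow rule for port 445 with a remote address of "Any" silently re-opens the path, so the output should show only the management subnet.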
Update security appliances and scan for malicious indicators
Apply the latest Indicators of Compromise (IOCs) to your organisation's gateway and firewalls for both inbound and outbound traffic. If possible, also add and scan for indicators on systems in your organisation using antivirus or host-based security tools.
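As an added example (not from the advisory), the script below sweeps a single Windows host for file-hash and network IOCs using only built-in cmdlets, and blocks outbound traffic to the listed addresses with the host firewall. The advisory publishes no indicators, so every IOC value here is a constructed placeholder (TEST-NET addresses and dummy hashes) to be replaced with current indicators from a threat-intelligence feed; scan locations are assumptions.

```powershell
# Added example (not from the advisory): host IOC sweep. All indicator values are placeholders.
$IocHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000001',   # placeholder SHA256
    '0000000000000000000000000000000000000000000000000000000000000002'    # placeholder SHA256
)
$IocAddresses = @('192.0.2.10', '198.51.100.25')   # placeholders from RFC 5737 TEST-NET ranges

# Assumed scan roots: user-writable locations where droppers are typically staged.
$ScanRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData)

function Find-IocFiles {
    param([string[]]$Roots, [string[]]$Hashes)
    $Set = [System.Collections.Generic.HashSet[string]]::new([string[]]($Hashes | ForEach-Object ToLower))
    Get-ChildItem -Path $Roots -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $Set.Contains($h.ToLower())) {
                [pscustomobject]@{ Indicator = 'FileHash'; Value = $h; Evidence = $_.FullName }
            }
        }
}

function Find-IocConnections {
    param([string[]]$Addresses)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Addresses -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Indicator = 'RemoteAddress'
                Value     = "$($_.RemoteAddress):$($_.RemotePort)"
                Evidence  = "PID $($_.OwningProcess) ($($proc.ProcessName))"
            }
        }
}

# Apply the network indicators to outbound traffic on the host firewall as well.
function Block-IocAddresses {
    param([string[]]$Addresses)
    $Name = 'IOC: block outbound to known malicious addresses'
    Remove-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -RemoteAddress $Addresses `
        -Action Block -Profile Any | Out-Null
}

$Findings = @(Find-IocFiles -Roots $ScanRoots -Hashes $IocHashes) +
            @(Find-IocConnections -Addresses $IocAddresses)
Block-IocAddresses -Addresses $IocAddresses

if ($Findings.Count -eq 0) { 'No IOC matches on this host.' }
else { $Findings | Format-Table -AutoSize }
```

An established connection to a listed address identifies the owning process, which is the artefact to collect before containment; a hash match on disk is a weaker signal on its own, since Emotet payloads are repacked frequently, so the indicator list needs to be refreshed as often as the feed updates.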