Iceland will host the fourth Council of Europe Summit, held in Reykjavik 16-17 May 2023, and multiple heads of state have announced their attendance.
Syndis predicts an increase in network attacks in the days leading up to, and during, the meeting. Hostile actors are expected to use the occasion to launch multiple network attacks against Icelandic infrastructure, institutions and businesses. Increased vigilance and preparedness are thus essential to reduce the risk of serious security events and disruption of services. We expect attacks intended to disable websites by overloading them with requests from multiple sources (DDoS attacks), as well as ransomware attacks aiming to disable entire networks and hand control of them to hostile actors.
We encourage all institutions and businesses to review their incident response processes and intensify monitoring of security events to be able to avert attacks and respond quickly if needed. Syndis maintains a Security Operations Center (SOC) which continuously monitors its customers’ security events 24/7 and will increase staffing during the week leading up to the summit to be able to respond quickly and effectively. Furthermore, Syndis will intensify monitoring of Threat Intelligence from its international partners in order to learn of impending attacks.
Preparedness is key, however, and to assist infrastructure providers, institutions and businesses in preparing, we have collected good information security practices and precautions in this blog post.
Essential security controls and processes
- Maintain a comprehensive Business Continuity Plan which considers common attacks such as DDoS and ransomware attacks. Note that testing the plan is critical to minimising service disruption and cost.
- Involve your infrastructure service providers to ensure that systems and data are backed up, that data restoration has been tested, and that the backups can withstand a ransomware attack.
- Proper segmentation of backup copies from production environments can prevent ransomware from making your backups useless.
- Ensure you have appropriate defences in place to withstand a Distributed Denial-of-Service (DDoS) attack and review the process for activating the DDoS protection. This process should be tested regularly to ensure it works as expected when needed.
- Review access controls and password policies to prevent attackers from utilising accounts with weak passwords or passwords which may have become public through earlier data breaches. Focus on accounts with passwords which do not expire or which have elevated privileges, such as administrators and service providers. Bear in mind that service providers commonly reuse passwords between customers, so those passwords could be known through a data leak unrelated to your organisation.
- Ensure that multi-factor authentication is active and preferably tied to the server it is assigned to. Employ multi-factor authentication for all applicable Internet-facing services and focus on systems providing administrative access or privileges such as RDP, Terminal Services, Citrix, VMware and VPN.
- Provide and refresh security awareness training which covers methods used to bypass multi-factor authentication, such as tricking users into divulging one-time passwords or approving push notifications. We also recommend using this event to encourage staff to accept and realise their own responsibility for maintaining their organisation’s cyber security and the security of their own personal data on the Internet.
- Minimise the amount of infrastructure exposed to the Internet, thus reducing the available attack surface. Please see our technical recommendations for methods to do so. Ensure that your organisation’s Internet-facing surface is fully patched with the latest applicable security updates. We recommend performing an external vulnerability scan to confirm successful patching of all exposed services.
- Organisations employing security event monitoring service providers should request that their providers increase staffing to be able to discover events earlier and respond more quickly. Also ensure that your own internal responders are prepared to respond to alerts and initiate appropriate procedures without undue delay.
- Individuals considered likely targets of sophisticated attackers should consider enabling “Lockdown mode” on their devices as this setting considerably hardens the device against attacks with little loss of functionality. This setting is available on Apple devices (Settings / Privacy & Security / Lockdown Mode / Turn On) and can be fine-tuned to exclude various components. We do not recommend excluding any part of the Lockdown function. Other platforms may provide similar functionality.
- During the event in Harpa, we recommend using a VPN whenever connecting to the Internet through either mobile networks or local Wi-Fi. Consider even enabling “Flight Mode” whenever you are not using your device, as we expect wireless communication to be monitored.
- Ensure that your device (phone, tablet, laptop) is running the latest version of the operating system and update all applications used for communications.
Helpful email templates
Below are email templates which can be used to initiate actions:
Example email - security updates and hardening:
Dear <service provider contact>,
Please confirm by replying to this email that <your organisation>’s critical systems have been updated with the latest security patches, and that their security configuration and hardening are in accordance with industry best practices.
Regards, <your name>
Example email - status of backups
Dear <service provider contact>,
Please confirm that all our critical data and systems are being backed up, and confirm that restores of backups have been tested and are known to work. Please also confirm that backups are sufficiently protected from ransomware attacks.
Regards, <your name>
Example email - personnel security awareness
Iceland will host the fourth Council of Europe Summit 16-17 May 2023 and multiple heads of state have announced their attendance. In the days leading up to, and during, the summit we expect a sharp increase in network attacks. We encourage you to be on your guard and report all suspicious activity to <security function>, for instance unexpected emails, phone calls or text messages containing instructions, or unexpected invitations on social media.
External attack surface - technical recommendations
Syndis has found that the root cause of many network intrusions is insufficient knowledge of one’s own attack surface. This has become obvious from our involvement in the aftermath of numerous network compromises and from our 10 years’ experience of security assessments. Note that your attack surface is not only the assets exposed to the Internet but also domain registrations and DNS information. Too often, this attack surface is unnecessarily large. Syndis recommends discovering and documenting the attack surface and considering whether every exposed component is a business requirement. Whatever remains should be kept up to date with the latest security updates and hardened according to best practices. The methodology Syndis recommends for uncovering an organisation’s attack surface mimics the methods and tools of motivated adversaries. Such adversaries view an organisation from a holistic perspective, centred on uncovering assets, systems, data leaks and other information relating to the organisation before they conduct targeted attacks.
The Syndis toolbox
All the tools we reference are free of charge, but we recommend that organisations with access to other tools and services, such as web security scanners, static code analysis tools and vulnerability scanners, direct them at their mapped attack surface.
If available, the zone records from your DNS servers can simplify discovering any subdomains of your top-level domains.
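The zone-record shortcut above, as an added example that is not Syndis' code or any referenced tool: a small Python parser that turns a BIND-style zone file into the hostname inventory the following steps start from, skipping wildcard and service records and separating in-zone hosts from CNAMEs that point at third-party services. The zone data is constructed for the reserved domain example.com, with addresses from documentation ranges.

```python
import re

# Constructed sample zone for the reserved domain example.com; addresses are documentation ranges.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        IN SOA   ns1.example.com. hostmaster.example.com. ( 2023051601 7200 900 1209600 3600 )
@        IN A     203.0.113.10
www      IN A     203.0.113.10
mail     3600 IN A 203.0.113.25
vpn      IN AAAA  2001:db8::1
old-crm  IN CNAME legacy.example.com.
legacy   IN A     198.51.100.7
docs     IN CNAME example-docs.pages.example.net.  ; hosted by a third party
*        IN A     203.0.113.99                     ; wildcard, not a real host
_dmarc   IN TXT   "v=DMARC1; p=reject"
"""

def parse_zone(zone_text, origin="."):
    """Return (owner FQDN, type, rdata tokens) per record; one record per line, owner required."""
    records = []
    for raw in zone_text.splitlines():
        # Blank out quoted strings before cutting comments so a ';' inside TXT data survives.
        tokens = re.sub(r'"[^"]*"', '""', raw).split(";")[0].split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):  # directives: only $ORIGIN affects the inventory
            origin = tokens[1] if tokens[0] == "$ORIGIN" else origin
            continue
        name, rest = tokens[0], tokens[1:]
        owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):  # optional TTL / class
            rest.pop(0)
        if len(rest) >= 2:
            records.append((owner, rest[0].upper(), rest[1:]))
    return records

def host_inventory(records):
    """Split records into real hosts {fqdn: [addresses]} and CNAMEs that leave the zone."""
    addrs, cnames = {}, {}
    for owner, rtype, rdata in records:
        if owner.startswith(("*", "_")):  # wildcards and service records are not hosts
            continue
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata[0])
        elif rtype == "CNAME":
            cnames[owner] = rdata[0]
    external = {n: t for n, t in cnames.items() if t not in addrs}  # hosted elsewhere, still yours
    addrs.update({n: list(addrs[t]) for n, t in cnames.items() if t in addrs})  # in-zone aliases
    return addrs, external
```

The hostnames returned in the first dictionary are the list to hand to the service-discovery step that follows; the second dictionary lists names whose content is served by a third party and therefore must be reviewed with that provider.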
Otherwise, one can use the same tools your potential attackers would use; they can even be tuned to harvest information from various sources on the Internet. Please refer to each tool’s documentation on GitHub for more information:
Organisations need to know which top-level domains are used by the organisation and the IT department should be able to identify those. However, if this is not fully known we recommend using tools like the two examples below to discover them.
Upon discovering all subdomains using either zone records or the above tools, the next step is to discover which services and software are present.
This can be done using the httpx tool below, which discovers web APIs, websites and services present, and what software is used to deliver those services.
When done, you can use a screenshot utility such as Go Witness to document the results:
At this point most, if not all, externally facing applications and websites have been identified for each top-level domain.
The next step is to run a vulnerability scanner, such as nuclei, against the results:
For good measure, we recommend scanning your complete external IP range to discover any open ports or old/unknown services not behind a subdomain/DNS name. Syndis recommends the following tools:
Note that there are tools like bbot which can perform all the steps but they are more complex to use and usually have a steep learning curve. They are worth experimenting with, but perhaps not the best place to start.
After discovering open ports on hosts without a subdomain/DNS name, the final step is to run a vulnerability scan against them as well. Both Nmap and nuclei are good choices here.
Besides free vulnerability scanners there are multiple commercial scanners available which may be more convenient to use and offer better reporting.
As a complement to the manual process above, you can also use services like Shodan to quickly get an overview of which services your organisation exposes on the Internet and whether they are considered vulnerable. However, Shodan will not give the full picture, so it should only be used in conjunction with the manual process above.
Organisations should stay on top of password leaks. There are a number of services which provide lookups from databases of leaked passwords. You should use services like Dehashed to search for your email domains.
Organisations should ensure that all remote network access and other access to cloud services and other internal resources are protected with multi-factor authentication. For cloud services the following should be reviewed:
- Privileged accounts should be protected with multi-factor authentication.
- Critical accounts should be monitored for unusual activity.
Unrestricted, unauthenticated access from the Internet should not be allowed unless strictly necessary. The following resources should be reviewed with regard to unrestricted access:
The simplest way to review access is using command-line tools provided by each cloud provider.
Please note that the tools and recommendations above are not exhaustive and feel free to use your own favourite tools.