2024/32 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Get a free account at the MISP for EU ISACs / ENISA Threat Landscape 2024 published / Follow the Money? / Protecting Session Tokens is critical / Remember Cyber Awareness Month
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including which IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat – 1): When a cyber incident occurs, immediately call your lawyer to ensure you have someone to talk to under client / attorney privilege.
- Weekly [TLP:RED] for Essential Services Managers (Repeat – 1): The higher the cyber-risk is on the risk register, the more likely an upgrade to your systems will be funded.
- Weekly [TLP:RED] for IT Leaders (Repeat – 1): Put “VIPs” in a dedicated and separately protected network segment – their use of technology assets cannot be trusted to follow policy.
| Summary |
Hi everyone, I hope you are doing well. Three cities / regions joined from Estonia, Ireland, and Italy on Friday morning (plus colleagues from ENISA), and again we had a wide-ranging discussion of the subjects on our minds. What I found particularly interesting at the beginning was a quick revisit of the MISP for EU ISACs (Users – MISP for EU ISAC (isacs.eu)) and the fundamental challenge of time delays relative to the real incident, which can only be managed through direct contact with each other (i.e., the ECSO Signal group or our own WhatsApp group – both never really ignited). We struggle to launch these parallel support workstreams in real incident situations, though – something we have often discussed. I can add you directly to the MISP if you are a public administration. There is no cost involved and you would have direct, immediate notifications of entries (versus my filtered weekly updates). We are currently also testing the API for integration with your local systems.
We also took a quick look at an exemplary city financial report (see https://www.dublincity.ie/sites/default/files/2023-10/Dublin%20City%20Council%20Annual%20Report%20and%20Accounts%202022.pdf). The idea was to reflect on how we can align our cyber thinking to the key budget categories (i.e., Housing & Building, Roads Transportation & Safety, Water Services etc.). By aligning to the financial categories, we can then take the next step and identify the IT services enabling these, and the financial impact of them perhaps being compromised. “Follow the money” is often quite effective in getting the attention of elected officials and service owners regarding the importance of securing their spaces. The challenge might be that as members of public administrations (compared to the commercial world) we really do not face personal consequences when a breach happens?
Personal liability is also easily avoided by having robust controls and risk management in place, of course. And when buying services, make sure they meet a minimum standard of cyber security certification (put it in the tender!). A small reminder also of the ENISA EU Certification Scheme (https://certification.enisa.europa.eu/certification-library/eucc-certification-scheme_en) that essentially acts as a guideline for the national supplier certifications that are mandatory in our tendering processes.
One colleague then also shared a story on a potential breach through a threat actor stealing a session token and how the Defence in Depth solution picked up on this rapidly and allowed for swift remediation (although a manual check was still needed before blocking). Check out Microsoft Entra ID Token Protection at https://techcommunity.microsoft.com/t5/microsoft-entra-blog/how-to-break-the-token-theft-cyber-attack-chain/ba-p/4062700 and https://www.cswrld.com/2024/04/microsoft-entra-id-token-protection-explained/.
A story we did not get to share was around how one colleague is detailing the “Comply-Secure-Contain” approach with key incident scenarios to secure themselves against, i.e., Standard Ransomware Attack, Data Exfiltration Attack with Ransomware as Cover, Data Exfiltration Attack with Accidental Change of Data, Overwrite Wiper Attack, and Encryption Wiper Attack. Specifically, each scenario is being agreed with senior leadership and then detailed as per the example below to set the foundation for longer term planning:
Data Exfiltration Attack with Ransomware as Cover: A well-funded attack group gains access to an enterprise solution and successfully exfiltrates GDPR related data. When complete, the attackers launch an encryption-based ransomware attack against the solution to cover their tracks. They can delete evidence of the true nature of the intrusion and obscure their identity, hampering attribution.
- Attackers breach a supplier organisation and compromise the account of an employee. The employee has been given access to several systems within the public administration.
- The attackers use the employee’s access to exploit a misconfiguration in a digital certificate template and generate a certificate with elevated privileges for the user.
- These privileges are used to alter security settings on key networking infrastructure to allow a non-organisational app to be connected into the network and gain access to the enterprise solution. A misconfiguration allows multifactor authentication controls to be bypassed.
- The connected laptop is used to exfiltrate data and to deploy a ransomware encryptor onto a domain controller. The ransomware is detonated (using PsExec).
The key treatment / control here might be similar to the solution we saw developed in a public administration last week, which resets third parties' access passwords at every log-in, complemented by MFA.
The important thing is that agreeing the “Comply-Secure-Contain” approach with key incident scenarios builds greater understanding of the effort needed to maintain basic cyber hygiene over a longer period. Sponsor buy-in should never be underestimated – it takes a lot of work to get it, but it enables and protects your efforts. If you want to learn more about the approach and design your own, we can help build this – just reach out.
Remember also that it is Cybersecurity Awareness Month and CISA has yet again launched some very helpful activities / tools (see https://www.cisa.gov/resources-tools/resources/secure-our-world-resources-cybersecurity-awareness-month-2024-toolkit) with the aim of reinforcing the four key behaviours:
- Use strong passwords and a password manager
- Turn on multi-factor authentication
- Recognize and report phishing
- Update software
This week I asked AI to create an image of our villain cat stealing a token 😊

Cheers,
Oliver
Insights from AI
I was curious about the opinion of Microsoft CoPilot about how we can protect session tokens from being stolen. The AI responded as per below:
“Protecting session tokens from being stolen is crucial for maintaining the security of web applications. Here are some effective strategies:
1. **Use HTTPS**: Ensure that all communications between the client and server are encrypted using HTTPS. This prevents attackers from intercepting session tokens during transmission³.
2. **Secure Storage**: Store session tokens securely. Avoid storing them in local storage or URLs. Instead, use secure, HttpOnly cookies which are not accessible via JavaScript¹.
3. **Regular Audits**: Regularly audit browser extensions and third-party applications to ensure they do not have unnecessary access to session tokens¹.
4. **Token Expiry and Rotation**: Implement short-lived session tokens and rotate them frequently. This limits the window of opportunity for an attacker to use a stolen token².
5. **Multi-Factor Authentication (MFA)**: While MFA can be bypassed if a session token is stolen, it still adds an extra layer of security during the initial authentication².
6. **Monitor and Detect**: Use machine learning algorithms and other monitoring tools to detect unusual session activity that might indicate token theft⁴.
7. **Logout Mechanisms**: Encourage users to log out of applications when they are done, which invalidates the session token³.
Implementing these practices can significantly reduce the risk of session token theft and enhance the overall security of your web applications.
Source: Conversation with Copilot, 27/09/2024
(1) What Is Session Hijacking? How To Prevent It. https://www.keepersecurity.com/blog/2024/04/03/what-is-the-best-way-to-prevent-session-hijacking/.
(2) How to Prevent Session Token Theft: Comprehensive Guide. https://spin.ai/blog/prevent-session-token-theft/.
(3) Token tactics: How to prevent, detect, and respond to cloud token theft …. https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/.
(4) Session Token Theft: The Growing Threat of Cybersecurity. https://www.spiceworks.com/it-security/identity-access-management/guest-article/session-token-theft-the-growing-threat-of-cybersecurity/.”
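The cookie hardening, short-lived rotation, logout and detection points from the Copilot list, together with the idea behind Token Protection of tying a token to the client it was issued to, as an added Python example that is not from the newsletter or from Microsoft: `client_fp` is an assumed opaque client fingerprint supplied by the caller, a simplified stand-in for the cryptographic device binding Entra ID performs, and a token replayed from a different client is revoked and recorded as a suspected theft.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 900  # seconds; a short lifetime limits what a stolen token is worth

@dataclass
class Session:
    user: str
    client_fp: str  # assumed opaque fingerprint of the client the token was issued to
    expires: float

class SessionStore:
    def __init__(self):
        self._sessions: dict[str, Session] = {}
        self.alerts: list[str] = []  # "monitor and detect": suspected token misuse

    def login(self, user, client_fp):
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._sessions[token] = Session(user, client_fp, time.time() + SESSION_TTL)
        return token

    @staticmethod
    def set_cookie_header(token):
        # HttpOnly keeps the token away from page scripts; Secure restricts it to HTTPS.
        return (f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; "
                f"Path=/; Max-Age={SESSION_TTL}")

    def validate(self, token, client_fp, now=None):
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None or s.expires < now:
            self._sessions.pop(token, None)
            return None, "expired_or_unknown"
        if s.client_fp != client_fp:
            # Same token presented from a different client: revoke it and raise an alert.
            self._sessions.pop(token)
            self.alerts.append(f"suspected token theft: user={s.user} seen from {client_fp}")
            return None, "suspected_token_theft"
        return s.user, "ok"

    def rotate(self, token, client_fp, now=None):
        # Issue a fresh token and retire the old one so a copied token ages out quickly.
        user, status = self.validate(token, client_fp, now)
        if user is None:
            return None, status
        self._sessions.pop(token)
        return self.login(user, client_fp), "rotated"

    def logout(self, token):
        return self._sessions.pop(token, None) is not None
```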
| In the News |
- 2025 Risk in Focus has arrived – Hot Topics for Internal Auditors https://www.iia.org.uk/media/1693561/risk-in-focus-2025.pdf.
- EU Call for applications – Cyber Resilience Act (CRA) Expert Group https://digital-strategy.ec.europa.eu/en/news/call-applications-cyber-resilience-act-cra-expert-group.
- ENISA Threat Landscape 2024 published https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024.
- Switzerland Canton hit by cyber-attack https://www.tdg.ch/informatique-letat-de-vaud-victime-dattaques-tres-virulentes-432535594705.
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review them and consider reaching out to include them in your activities and budgets.
Note that we are subscribed to the MISP for EU ISACs (Users – MISP for EU ISAC (isacs.eu)) and can add you directly to that if you are a public administration. There is no cost involved and you would have direct immediate notifications of entries (versus my filtered weekly updates). Currently also testing the API for integration with your local systems.
| Project “PHALANX” – 2024 Multi-ISAC Tabletop |
No specific updates: You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, have an opportunity to run a 120 minute tabletop with many ISACs in the room plus a wide range of ENISA representatives on the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help. The context will be “The City of Fantasia operates, subscribes to and manages services for its 600k citizens in the sectors of: Public Administration (Operate), Energy (Manage), Transport (Manage), Healthcare (Manage), Drinking Water (Manage), Wastewater (Manage), Emergency Services (Manage), Digital Infrastructure (Subscribe), and ICT Service Management (Subscribe). The City has a regional airport, an industrial harbour and three major industrial production sites (chemicals, automotive, and battery).” -> then a professional actor appears with a “thunder run” strategy to make citizen life very uncomfortable!
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/