CISA Urges Endpoint Hardening After Iranian Cyberattacks

The new alert follows increased attack activity targeted at U.S. enterprises.

Iran Cyber Mirsad Sarajlic

In the wake of last week's Iranian-based cyberattack against U.S.-based medical manufacturer Stryker, the Cybersecurity & Infrastructure Security Agency is urging organizations to harden endpoint management system configurations using the recommendations and resources provided in a new alert. 

CISA also announced that it is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation, to identify additional threats. In the alert, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software, such as:

  • Use principles of least privilege when designing administrative roles.
  • Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
  • Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
  • Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
  • Configure access policies to require Multi Admin Approval in Microsoft Intune.
  • Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.  

Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:

More in Cybersecurity