- Use Cases
As the world watches the Russian military attacks on Ukraine, it’s difficult to think about normal business operations. However, the impacts of the Russian invasion will be farther reaching than the physical borders of Ukraine and surrounding regions. There’s a high likelihood that Russian President Vladimir Putin and those who support him will see any direct or indirect support of Ukraine as a counteroffensive that requires retaliation.
But Russian troops can’t be everywhere. Except when it comes to cyberspace.
It’s highly probable that the cyberattacks coming out of Russia will start to focus/have greater focus on any NATO nation voicing strong opposition to the Russian attempt to overtake Ukraine. In fact, the U.S. government has already warned of the potential for increased Russian cyber activity, according to the Washington Post. Anne Neuberger, the White House’s Deputy National Security Advisor for cybersecurity and emerging technology, proactively ran a tabletop exercise to ensure federal agencies were prepared for such an event.
Private businesses, too, should similarly be more alert, especially those in critical infrastructure including the financial sector, manufacturing, utilities, and healthcare.
Experts warn of ransomware, which is the easiest type of cyber campaign to launch, but other types of cyberattacks are, of course, possible.
Now is a good time for businesses to review processes and technologies that help prevent, detect, and mitigate the effects of cyber compromise. But a comprehensive overhaul of the cybersecurity program may neither be feasible nor necessary. In the short tem, though, there are a few steps businesses can take immediately.
Your people are often your first line of defense when it comes to identifying suspicious activity. When it comes to the non-technical users, ask them to be on the lookout for unexpected emails, emails with attachments or links, and emails containing seemingly “urgent” requests. These could be the gateway for phishing and/or ransomware. Provide additional guidance to users on how to spot and report suspicious activity, and consider quarantining email from unknown sources which include links and attachments. Bring users into the fold, and let them know how valuable their assistance can be.
IT, operations, and security teams must pay special attention to logs and other system monitoring tools for unusual behavior, including increased login attempts, increased outbound traffic, and excessive use of applications and other executables. Having a baseline is key. If you don’t already know your normal, get a historical perspective, a current perspective, and be on the lookout — keeping in mind that “normal” in the world of remote and hybrid work is not the same as it was two years ago. Tech teams will see tons of remote requests — this isn’t indicative of an attack. But knowing which requests are coming from legitimate and harmless insiders and which are externally motivated by threat actors is crucial to identifying a cyberattack.
What’s more, security teams should be cognizant of the fact that threat actors love to hide in plain sight, which is often referred to as “living off the land.” They may take control of dual use technologies and processes like PowerShell, PS Exec, or Mimikatz to carry out “fileless” or “living off the land” attacks. Or they may try to blend into normal traffic and commonly used communications to exact damage. To counter living off the land attacks you will need to know how your systems, processes, and applications are normally used and look for deviations, regardless of how stealthy they may be.
In concert with the above recommendation to build/understand baselines, knowing what you have will only take you so far. The ability to enforce action is key to winning any cyber war. Continuous monitoring is essential — for internal systems and controls and endpoints. From your firewall to application access, increase security and have processes in place to triage a critical alert. Your SIEM is going to be one of your best friends in this endeavor, but any orchestration tool that can aggregate and correlate data across systems — because there’s a lot of it — and provide prioritization will prove very helpful here.
Now is a good time, too, to fine-tune web and content filtering controls, review cloud configurations, and monitor app-to-app/host-to-host communication permissions.
If your organization hasn’t already moved toward multifactor authentication (MFA), single sign-on, or passwordless authentication, now is a great time to revisit these capabilities. Ensure that advanced access requirements are in place, especially for privileged users.
In addition to access and authentication for privileged users, consider implementing Zero Trust policies for access including least privilege, just-in-time access, MFA-by-default, and application-level microsegmentation.
With remote and hybrid work the norm in today’s working environment, businesses must consider the security state (hygiene) of users’ personal devices. Endpoint protection is critically important. However, agent-based tools only see where they’re deployed, and a users’ jailbroken mobile phone could thwart any attempts by the security team to apply adequate protection. Thus, security teams must layer defenses, starting by deploying endpoint protection (where/when possible), implementing advanced and privileged access management, encrypting devices and critical data, and backing up systems to protect against total system failure should your business be hit with ransomware or other form of cyber attack.
This list is far from exhaustive, and plenty of credible cybersecurity experts are freely sharing advice on social media for the greater good. Needless to say, if you can identify and patch critical vulnerabilities, do so! Lock down or remove remote access, where possible. And if you haven’t already, set the foundation of your cybersecurity program by knowing what assets you have and their associated security state, then take action against high or critical vulnerabilities.