The world is facing unprecedented geopolitical challenges that are affecting businesses everywhere. Amid the financial strain brought on by the global pandemic, the conflict between Ukraine and Russia continues to escalate -- and so have fears of disruptive consequences if the hostilities extend into the cyber theater.
Since the conflict began, governments have repeatedly warned organizations around the world to be on guard for a rise in nation-state sponsored cyber-attacks. On April 20, CISA, together with cybersecurity agencies of the other Five Eyes countries, released a joint cybersecurity advisory. Citing evolving intelligence, the advisory again warned businesses of the potential cyber fallout of the Russia-Ukraine conflict and updated the previously published TTPs that cyber defense teams should review.
21st Century Code Wars
Cyber-attacks, as part of information operations, are widely considered the Fifth Dimension of Warfare and are now seen as an extension of nation-states' military power, given their ability to disrupt the critical infrastructure and systems a country relies on, such as its telecommunications, energy and transportation services.
The use of cyber operations to gain geopolitical advantage is not new; the early attacks against Estonia and Georgia are the best-known examples. Perhaps the most recent example is the conflict between Israel and Iran, which dates back a decade. One of the most serious incidents was an attempted attack on an Israeli water facility in which attackers tried to raise chlorine levels in the region's reservoirs. Hundreds of civilians would have been affected had the attack succeeded.
Today, as the conflict in Ukraine continues, Russian state-sponsored cyber actors have already carried out large-scale attacks on Ukrainian critical infrastructure. Take, for example, the attack on Ukrtelecom, the country's largest national telecommunications provider. Although the attack was detected quickly, it caused severe internet outages across the country, with connectivity dropping to 13%.
Navigating a Tumultuous Threat Landscape
Unfortunately, it may only be a matter of time until nations and businesses outside the conflict's borders find themselves in the line of fire. Against this backdrop, security leaders everywhere must act with urgency. The CISA advisory includes specific details about the relevant threat actors, their associations, attributed TTPs and comprehensive preventive measures businesses can take in response to this crisis. However, each business is at a different point on its security maturity journey, and for many it starts with asking these five simple but critical questions:
- Is your perimeter continually assessed and protected? Be aware of, and solve for, the challenges presented by the ephemeral and auto-scaling nature of your IaaS perimeter footprint. In today's hybrid work environment, your perimeter also extends to wherever your employees' endpoints operate from. Adapt to these new paradigms quickly. Truly understanding your perimeter is easier said than done, and starting on the journey toward a real-time asset inventory will help. Your posture should include continuous assessment of the perimeter for remotely exploitable vulnerabilities. To help prioritize, use the Known Exploited Vulnerabilities catalog from CISA and the specific CVEs these threat actors are known to exploit. Ideally, you already have a robust vulnerability management program in place to track and remediate the issues you find.
- Do you have sufficient logging and detection in place? If you haven't already, enable security-relevant logging from ALL of your critical surface areas. You can't investigate what is not logged, and verbose logging will be worth more than gold in the middle of a critical incident. Review your detection posture. Your ability to proactively detect the TTPs used by the relevant state-sponsored actors can be the difference between a benign and a severe incident.
- What is your incident response maturity? Responding to high-impact incidents requires close collaboration between external stakeholders and multiple internal stakeholders from IT, Legal, PR, Customer Support, your leadership team and even your Board of Directors. Proactively build those relationships and test your response muscle with relevant table-top scenarios. Build playbooks ahead of time and think through the important cross-functional decision variables of an incident.
- What is your current MFA posture? Identity, as they say, is the new perimeter. Know what your critical applications are and assess their MFA coverage. It is trivial to add MFA to your sensitive access points. It is also trivial to exploit weak factors like SMS, and even easier to social engineer users into sharing 2FA codes. State-sponsored actors frequently use credential-based attacks as a primary entry point. Choose strong second factors that are resistant to phishing and similar techniques.
- What is the state of your organization's security culture? Not all employees have the same security behaviors. Some are more vigilant than others at identifying and reporting common social engineering attacks like phishing and vishing; the 2020 cyberattack on Twitter was a prime example of this. Employees are probably already required to complete several compliance-driven cyber-awareness trainings throughout the year, but in most cases these are unlikely to be effective. In the current threat landscape, implement intelligence-driven, targeted training to improve organizational awareness of the specific TTPs called out in the CISA advisory. Your employees can be your most effective security control.
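The first question above recommends prioritizing perimeter findings against CISA's Known Exploited Vulnerabilities (KEV) catalog rather than by CVSS score alone. The script below is an added example, not code from the article or from CISA: it ranks constructed vulnerability-scan findings by whether the CVE is in the KEV catalog, whether the asset is internet-facing, and whether CISA's remediation due date has passed. The KEV sample mirrors the catalog's JSON layout (the `vulnerabilities` list with `cveID`, `dateAdded` and `dueDate` keys), but every entry, CVE id and asset name is constructed, and the `exposure` attribute is a hypothetical field that a real asset inventory would supply.

```python
"""Rank scan findings by CISA KEV membership and perimeter exposure.

Added example (not from the original article). All CVE ids, assets and
dates below are constructed placeholders.
"""
import json
from datetime import date

# Constructed stand-in for the KEV catalog feed; the key names follow the
# public catalog's JSON shape (assumption), the entries do not exist.
KEV_SAMPLE_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVPN",
         "product": "Gateway", "dateAdded": "2022-03-01",
         "dueDate": "2022-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleMail",
         "product": "Server", "dateAdded": "2022-04-10",
         "dueDate": "2022-05-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output joined with a hypothetical 'exposure' field
# from the asset inventory ("internet" = reachable from outside).
SCAN_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-1900-0001", "cvss": 7.5, "exposure": "internet"},
    {"asset": "mail-01",   "cve": "CVE-1900-0002", "cvss": 9.8, "exposure": "internal"},
    {"asset": "build-03",  "cve": "CVE-1900-0003", "cvss": 9.8, "exposure": "internet"},
    {"asset": "hr-app-02", "cve": "CVE-1900-0004", "cvss": 5.3, "exposure": "internal"},
]


def load_kev(kev_json):
    """Index KEV entries by CVE id for O(1) lookup."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def remediation_tier(finding, kev):
    """Tier 1: known exploited AND internet-facing (fix first).
    Tier 2: known exploited, internal only.
    Tier 3: internet-facing with critical CVSS but not (yet) in KEV.
    Tier 4: everything else, handled by the normal VM cadence."""
    in_kev = finding["cve"] in kev
    internet = finding["exposure"] == "internet"
    if in_kev and internet:
        return 1
    if in_kev:
        return 2
    if internet and finding["cvss"] >= 9.0:
        return 3
    return 4


def prioritize(findings, kev_json, today):
    """Return findings sorted by tier, then overdue KEV deadline, then CVSS.

    'today' is an ISO date string so the ranking is reproducible."""
    kev = load_kev(kev_json)
    as_of = date.fromisoformat(today)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = entry["dueDate"] if entry else None
        ranked.append({
            **f,
            "tier": remediation_tier(f, kev),
            "in_kev": entry is not None,
            "kev_due_date": due,
            "overdue": bool(due) and date.fromisoformat(due) < as_of,
        })
    # Lower tier first; within a tier, overdue items first, then higher CVSS.
    ranked.sort(key=lambda r: (r["tier"], not r["overdue"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, KEV_SAMPLE_JSON, "2022-04-25"):
        flag = "OVERDUE" if row["overdue"] else ""
        print(f'T{row["tier"]} {row["asset"]:<10} {row["cve"]} '
              f'cvss={row["cvss"]} kev={row["in_kev"]} {flag}')
```

Run as-is, the report puts the internet-facing VPN gateway with a CVSS 7.5 KEV entry (and an expired CISA due date) ahead of the CVSS 9.8 finding that nobody is known to be exploiting, which is the point of using the catalog: exploitation evidence, not severity score, drives the order. In practice the KEV JSON would be fetched from CISA on a schedule and the exposure field would come from the real-time asset inventory the article recommends building.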
Even though entities with a large EU presence and certain industry verticals like Finance, Oil & Gas, Energy and Transportation need to be extra vigilant, a cyber-attack is unlikely to respect sectoral or other boundaries. If the interdependent nature of supply chain and third-party risk has taught us anything, it is that regardless of your industry vertical, you can be a target if your customers operate in these areas. Every security leader needs to make smart preparedness their core focus today and improve their ability to withstand and recover from an attack with minimal business disruption.