The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a Shields Up advisory in response to the evolving Russia-Ukraine conflict. The agency noted, “The Russian government has used cyber as a key component of their force projection over the last decade,” and warned that Russia might consider actions aimed to disrupt outside of Ukraine.
Should you do anything at this time to protect your firm? There’s no need to scramble and make drastic changes to your network. Rather, use these events as a reason to review your network and plan for future changes. Here’s a list of actions to take:
Review and update incident response plans
Review your incident response plans. Are they up to date? Do they account for the type of disruptive attacks we’re seeing Russia carry out in Ukraine?
Follow published hardening advice for destructive attacks
Review the Hardening to Protect Against Destructive Attacks guidance from Mandiant. As Mandiant and CISA point out, start first by examining all remote access to your network and set up multi-factor authentication (MFA). NO ONE should be logging in remotely without some sort of additional authentication besides a mere password, whether that’s a two-factor application or a token that provides a number that you must enter.
Use external sources of threat information
Whether it’s through a tool colleagues on a forum or chat session, have a means to share information and get advice you trust. Look for industry-specific information. If you currently do not have such a resource, look to government channels such as Infragard in the United States, and your local computer security resource from your country. Other resources that are available to all is the guidance and information from CISA as well as Australian Cyber Security Centre as well as the UK National Cyber Security Centre to name just a few resources.
Assess risk to internet and network connectivity
If you are in an area of risk, internet and network connectivity may be at risk. Already we’ve seen rumors of attacks against banks and businesses in Ukraine. Remember that the Maersk ransomware attack was originally targeted against Ukrainian businesses. The NotPetya ransomware targeted companies in Ukraine, specifically going after government, financial and energy institutions in June 2017.
Review risk of business, infrastructure ties to Russia
If any of your cloud deployments are on servers in Russia, you may want to consider moving that data to a different datacenter. If you use software developers or IT support from Russia or surrounding countries, consider the impact to your network as well. Review and analyze your options accordingly.
Review the basics, catch up on patching
It’s been a troubling few months of patching side effects and some of you may have skipped patching. Review the list of known exploited vulnerabilities as identified by CISA to ensure that you have at least patched for these.
Consider using your firewall to block access to only those locations and sites that truly need access to your network. For cloud services this can be an extreme task, but for on-premises servers that are not providing services to all, review who really needs access and why. Pare down the access on your domain controller to those that truly need access to the site.
Log relevant information
Log all the information that will provide you with actionable information should an attack happen. If you feel at higher risk and you have a Microsoft 365 subscription, you can turn on the higher E5 security subscription for some, not necessarily all users in your organization. If you’d like additional logging, investigation and protection for specific users, you can do so with Microsoft 365 subscriptions.
Test backup and restore processes
When restoring systems, ask yourself if you could restore a large number of services at the same time. Do you have a checklist listing the steps of recovery and have you actually testing the restoration process? Can you estimate how long it will take to restore a single server as well as your entire network?
Assess IT and security staff readiness
Have you had exercises with your IT staff to see if they are ready for such a project? With the pandemic, many IT resources have been stretched thin and budgets may have been slashed. Review the impact of resources and staff on your Incident response plans to determine if priorities need to be shifted. Even if you are a small or medium sized business, review what options and resources you have.
Use this time as a “what if” game to ensure that you are ready for risks to your own organization. Use tabletop games such as Backdoors and Breaches to generate sample risks to your organization to determine how you would react to these issues. The game cards represent realistic threats to your organization such as social engineering, web server compromise and credential stuffing.
Assess network weaknesses
Scan your external network and consider analyzing your weaknesses with a penetration testing team or external consultant. If you work for a U.S. federal, state, local, tribal and territorial government, or public and private sector critical infrastructure organization, you can request CISA cybersecurity assessment services at no cost. Otherwise, you can at least identify risks through public search engines that look for vulnerabilities in your external network. Review what attackers can see about you from tools such as Shodan and Censys.
Bottom line: Review your risks and attack weaknesses. Complex attacks often start with a simple hole that an attacker can use to wiggle in, perform lateral movement and investigation and lay in waiting until they want to attack you.