The current situation in Ukraine, amid Russia’s active cyber operations, creates a potential risk for companies and networks far outside the area of the “special military operation.” Computer network attacks (viruses and malware) carried out by human adversaries do not respect national boundaries. We have only to look back to 2017 and the spread of the NotPetya malware: it targeted Ukrainian networks through a compromised accounting-software update, propagated across the globe, crippled companies like Maersk, and even reached back into Russia. There is also risk in any response action taken by the Russians, their allies, partners and proxies against nations, organizations and companies that support the sanctions enacted by the EU, NATO and others.
There are a number of things that companies can do. Those at higher risk include any company supporting the Defense Industrial Base, banks or institutions participating in the sanctioning of Russia and Russian nationals, critical infrastructure operators and port facilities. Every company and organization is vulnerable, but those that the Russians or their proxies consider complicit in operations against them are the most likely targets.
Russian operators intend to degrade our ability to project combat power outside the United States, create a loss of confidence in financial and governmental institutions, and destroy data and networks belonging to organizations participating in sanctions against them. The local doctor’s office probably doesn’t have to worry about this specific threat, but the Department of Defense, the European Union, the Port of Savannah, British Petroleum, Raytheon and similar entities do.
Cyber security (network security and information security) is not an IT department or CIO issue. It is a CEO issue and should be treated as seriously as operations and logistics.
Some things that organizations can do:
Update and patch. Prioritize the vulnerabilities that are being actively exploited, as identified in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. A true zero day has no patch yet; for those, apply the vendor’s mitigations until one ships. Defense Industrial Base companies can expect an increase in intrusion activity aimed at disrupting their operations and their support to Ukraine and our military. Any company that can be associated with the sanctions, such as the banks, BP and others, needs to ensure its systems are updated and that the patches recommended by CISA are in place. CISA Current Activity: https://www.cisa.gov/uscert/ncas/current-activity. CISA Alerts: https://www.cisa.gov/uscert/ncas/alerts. CISA resources for organizations: https://www.cisa.gov/uscert/resources
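The KEV catalog is also published as a JSON feed, which makes it straightforward to turn "patch what CISA says is exploited" into a ranked work list. The script below is an added example, not code from the original post or from CrowdStrike: it parses a KEV-format snippet, matches it against a software inventory, and orders the outstanding items by whether CISA’s due date has already passed. The KEV sample is constructed in the feed’s shape (the CVE IDs are real catalog entries, but the dates shown are illustrative, not the catalog’s own values), the inventory is constructed, and the vendor/product matching is an exact case-insensitive comparison, which is an assumption you would loosen for a real asset database.

```python
"""Turn the CISA KEV catalog into a patch queue for a software inventory.

The live feed is JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
with one record per CVE ("cveID", "vendorProject", "product",
"vulnerabilityName", "dateAdded", "dueDate", "requiredAction", ...).
To run offline, this example embeds a constructed snippet in the same shape.
"""
import json
from datetime import date

# Constructed KEV-format sample. The CVE IDs are real catalog entries; the
# dateAdded/dueDate values are illustrative and not the catalog's own.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2022-07-20",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "Fortinet FortiOS SSL VPN Path Traversal Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed inventory export: one row per host/software pair, plus the CVEs
# the patch-management system reports as already remediated on that host.
INVENTORY = [
    {"host": "web-01", "vendor": "Apache", "product": "Log4j2", "remediated": {"CVE-2021-44228"}},
    {"host": "app-02", "vendor": "Apache", "product": "Log4j2", "remediated": set()},
    {"host": "print-srv", "vendor": "Microsoft", "product": "Windows", "remediated": set()},
    {"host": "vpn-edge", "vendor": "Fortinet", "product": "FortiOS", "remediated": set()},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "remediated": set()},
]


def load_kev(raw_json):
    """Parse a KEV feed and normalize the fields this report needs."""
    data = json.loads(raw_json)
    entries = []
    for v in data["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"].lower(),
            "product": v["product"].lower(),
            "name": v["vulnerabilityName"],
            "due": date.fromisoformat(v["dueDate"]),
            "action": v["requiredAction"],
        })
    return entries


def find_exposures(inventory, kev, today):
    """Return outstanding KEV items per host, overdue ones first.

    A finding is any KEV entry whose vendor/product matches an inventory row
    (exact, case-insensitive: an assumption for this example) and whose CVE is
    not already recorded as remediated on that host.
    """
    findings = []
    for item in inventory:
        vendor, product = item["vendor"].lower(), item["product"].lower()
        for entry in kev:
            if entry["vendor"] != vendor or entry["product"] != product:
                continue
            if entry["cve"] in item["remediated"]:
                continue
            findings.append({
                "host": item["host"],
                "cve": entry["cve"],
                "name": entry["name"],
                "due": entry["due"],
                "overdue": today > entry["due"],
                "action": entry["action"],
            })
    # Overdue items first, then earliest due date, so the list is the patch order.
    findings.sort(key=lambda f: (not f["overdue"], f["due"]))
    return findings


def report(today_iso):
    """Build and print the patch queue for a given reporting date (ISO string)."""
    findings = find_exposures(INVENTORY, load_kev(SAMPLE_KEV_JSON), date.fromisoformat(today_iso))
    for f in findings:
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"].isoformat()
        print(f"{flag:>16}  {f['host']:<10} {f['cve']:<16} {f['name']}")
    return findings


if __name__ == "__main__":
    report(date.today().isoformat())
```

To run this against the real catalog, fetch the feed URL above (for example with urllib.request) and pass the response body to load_kev in place of SAMPLE_KEV_JSON; the report then reflects whatever CISA has added since you last looked, which is the point of checking the KEV feed on a schedule rather than once.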
Back up critical data and information. Conduct immediate backups, keep one copy online for fast restores and another offline and off site where malware that reaches the network cannot touch it, and test that the backups actually restore. We at CrowdStrike have seen greater use of wiper malware, which overwrites or corrupts company data so that it is unusable and unrecoverable. Unlike ransomware, there is no decryption key to buy, so an intact offline backup is the only way to get the data back.
Obtain an Incident Response (IR) retainer and exercise your IR plan through rehearsals. If something happens, the first time you execute recovery and incident response should NOT be during a real incident. Rehearse what will happen, engage a company that runs tabletop exercises, and retain a company that conducts IR every day.
Expire all admin credentials, including service accounts, and have them renewed. Assume you are breached. This is controversial and fairly nuclear, but it is the only way to ensure that your admin credentials have not already been compromised, as they were in the SolarWinds intrusion. It will take work and require every admin to set up new credentials, but it could be a life saver. Service accounts are critical to network function and are not associated with a human, which makes them especially exposed: they typically cannot use multi-factor authentication, their passwords are rarely rotated, and they are often more privileged than they need to be.
Use multi-factor authentication. Enable MFA on all accounts, especially anything that allows remote access, such as company Virtual Private Networks (VPNs). Remote access to organizational resources expanded during the pandemic, which created a large attack surface and lucrative targets. Colonial Pipeline was breached through a legacy VPN account that did not require MFA, using a password that had turned up in a leaked credential dump on the dark web.
Know your adversary. While this will mostly apply to larger companies and governments, you want to understand your adversary and what is important to them: what they are looking to do and how they do it. Threat information and cyber intelligence sharing is critical, and removing barriers to threat information sharing is part of the recent Cyber Executive Order (EO 14028). If your cyber security provider does not offer strategic threat intelligence, find one that does. As Sun Tzu said many years ago, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
If you want to learn more or discuss your cyber security concerns, companies like CrowdStrike are here for you, fanatical about our customers and with one mission in mind: to stop breaches.