How to Prepare as Russia-Ukraine Situation Escalates

With governments across the globe acknowledging that Russia’s long-feared invasion of Ukraine has begun, warnings of cyberattacks on U.S. businesses are also being issued.

NBC News reported the Department of Homeland Security (DHS) warned “every organization in the United States is at risk from cyber threats,” adding to the chorus of warnings previously issued by the Cybersecurity and Infrastructure Security Agency (CISA).

Last week, CISA issued a “Shields Up” risk declaration alert that highlighted several cybersecurity vulnerabilities that nation-state and cybercriminal actors may attempt to take advantage of.


John Dickson, vice president at Coalfire, a provider of cybersecurity advisory services, said Russia’s escalation has made the prospect of some sort of cyberwar more tangible.

“This is most certainly the case for organizations that run components of our critical infrastructure or banks,” he said. “I think cyberattacks are a logical response from the Russians given the economic sanctions the U.S. and allies just announced. Cyberattacks are simply too attractive to pass up given our inability to attribute them to a source.”

Dickson explained he took an informal poll to gauge the thoughts of 20 CISOs; the responses indicated organizations are responding in a variety of ways, including increased monitoring of key systems and standing up incident response teams just in case.

“In general, there’s a feeling that this is about to get real for security teams,” he said. “We just rolled off a three-day weekend and are fully rested, which is good. I think the next few days—or weeks—are going to be choppy.”

Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions, added that the past 14 months have been exhausting for cybersecurity professionals, from SolarWinds, Hafnium, the summer of ransomware and Log4j to the current Russia-Ukraine tensions.

“Security leaders need defenders who are rested and prepared to deal with security incidents,” he said. “This mentality should start at the top; security leaders need to model the desired behavior. Leaders should take time off themselves and encourage the team to take time off to recover—set up mental health days where staff can take time without using their PTO.” 

Holland explained that the likelihood of being targeted by Russian threats isn’t distributed equally; not all organizations are on the targeted attack hit list.

Like Dickson, he said specific industries are more likely to be targeted than others. For example, Russia could target the financial services and energy sectors in response to western sanctions. 

“Everyone could become a victim of a NotPetya style wormable attack, but that is less likely than a targeted attack,” he said. 

John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company, said the escalation in the digital realm would likely follow the escalation on the ground in Ukraine.

“The primary targets will remain inside Ukrainian territory,” he said. “This can include multinational firms with a presence there, as it did during NotPetya. For now, it is not likely that targets outside that territory will be attacked unless the conflict expands beyond the so-called independent territories currently under threat of Russian incursion.”

Back to Basics

Dickson said in addition to increased monitoring and standing up incident response teams, there are other basic steps organizations can—and should—be taking at this point. This includes applying two-factor authentication (2FA) to everything, forcing administrator password changes for non-2FA systems and turning off everything else.

“Review the need for remote admin access and closely monitor what must remain up and running; review existing DDoS protection in place and consider buying more capacity,” he said. “Who knows how ugly it might get?”

Dickson also recommended accelerating your organization’s pen testing tempo and pulling forward as many tests as humanly possible.

“Dust off your disaster recovery and business continuity plans and familiarize yourself with relevant plan components, and brainstorm potential disruption scenarios,” he said. “I also recommend conducting a quick tabletop exercise tailored to a regional conflict scenario. Pull in key corporate leaders to identify gaps and identify additional risk.”

Bambenek added that smaller organizations should be doing the same things they should be doing in other circumstances: making sure they are up-to-date on their patches, deploying multifactor authentication (MFA) everywhere they can and outsourcing the security issues they can’t handle to trusted MSSPs.

“At this point, for organizations that don’t have a presence in Ukraine or nearby and that are not associated with the U.S. government or defense community, just keep tabs on the current news,” he said. “If the conflict spreads, additional steps may be needed.”


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
