It is too soon to tell for certain what the long-term effects of the Russian invasion of Ukraine will be, but the current trajectory is towards increased sanctions and a de facto decoupling of the Russian economy from the West.
Businesses are now quickly divesting themselves of any assets they have in Russia and Belarus. There is also a high risk that assets in Ukraine may be lost or seized by Russia, depending on how the war ends. This also has implications for cybersecurity. Organizations must act now before it’s too late.
The threat of a full-scale cyber war between Russia and Western nations is still a possibility as the Russian economy crumbles under the sanctions. So far, the Russian cyber warfare unit has concentrated its efforts on destructive attacks inside Ukraine, but this can change. There is also a continued risk that nuisance attacks from hacktivists can develop into more destructive attacks, which in turn can trigger responses from state-sponsored actors and escalate the conflict in cyberspace.
To help all organizations meet these challenges and protect their IT environment from cyber attacks, Truesec has produced a list of the top 10 recommendations all organizations should follow to quickly harden their cyber resilience. When applicable, we also include links to other publications in our Knowledge Hub that will provide further insight into each subject.
Our mission at Truesec is to prevent and mitigate data breaches. This advice is free and represents our contribution to making the world safer for all of us.
If Your Organization Is Exposed to Russia, Belarus, or Ukraine
1. Immediately Backup Data Exposed to the War and Russia
Immediately back up all data located in Russia, Belarus, and Ukraine, so it is available on a physical site outside of these countries. All data located in any of these countries can become unavailable at a moment’s notice. Consider using cloud storage as an emergency backup solution.
2. Separate Your IT Environment From Parts in the Affected Countries
Separate networks in Russia, Belarus, or Russian-controlled parts of Ukraine from the rest of your network as soon as possible. Consider blocking, or otherwise restricting and monitoring, all personnel accounts in Russia, Belarus, or Russian-controlled Ukraine.
Consider resetting all passwords, and revoking active sessions and tokens, after successfully separating your network from assets in Russia and Russian-controlled Ukraine. Note that this does not imply that you should automatically distrust Russian staff, but people may be coerced.
3. Inventory Your IT Environment’s Exposure
Organizations that have assets, including servers and personnel, in Russia, Belarus, or Ukraine need to make an inventory of what exposure they may have if the information ends up in the wrong hands. Identify data that was available to staff in Russia, especially since the war began. Assess the potential damage of a data leak.
Inventory all software licenses and determine whether you have any software from Russian companies. It will probably be difficult to renew such licenses, as payment will be impossible. Having Russian software in your IT environment or supply chain may also become a security risk, since you depend on that vendor's update channel.
Consider the need for extra vetting of personnel with ties to the conflict zone if you think your organization has data that could help either party in the conflict. For more information, see our article about threats from a malicious insider.
For All Organizations
4. Ensure You Have a Proper Detect and Disarm Managed Service
The most effective way to quickly minimize impact from cyberattacks is to ensure that you have a strong capability to detect and disarm malicious activities and malicious code in your IT environment. 24/7/365 monitoring and response readiness is key to minimizing impact from a cyber attack. No matter how hardened your network and perimeter defenses may appear, no IT environment is impenetrable, and the optimal posture is to assume breach. With proper monitoring, you can mitigate and eradicate threat actors before they cause harm. Of all pragmatic security measures, this is generally the most efficient and the fastest to implement.
Proper monitoring requires a mixture of host-based, network-based, and cloud-based sensors, depending on the network’s structure. The chosen solution must allow custom detection rules to minimize false positives. It is also crucial that 24/7 monitoring is done by trained personnel. The time between an initial breach and full internal compromise can be as short as one hour; therefore, quick response time is crucial. For more information, read more about cyber threat detection.
5. Backup All Critical Resources
Back up critical resources, such as business-critical systems, databases, configurations, firmware, software, service contracts, and product keys. This is critical to be able to resume operations quickly after a cyber attack. Verify that the backup is stored offline or offsite in a tamper-proof (immutable) environment, and regularly test that you can actually restore from it; threat actors will always attempt to destroy backups too.
6. Understand Your Network’s Attack Surface
Inventory all internet-facing applications, with particular attention to critical industrial control system (ICS) devices. Immediately disconnect any internet-facing device that doesn’t need to be exposed. Consider using an attack surface scan service to get a threat actor’s perspective on your environment.
To understand ICS exposure, resources such as Shodan are useful tools. Check the IP ranges that belong to your organization and make sure nothing related to your ICS systems is exposed.
The Austrian Energy CERT has made a good list of Shodan queries that you can use to evaluate your organization’s exposure.
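As an added example (not code from the original article or from the Austrian Energy CERT list it refers to), the script below shows the two halves of that check: building Shodan `net:`/`port:` queries for your own netblock, and filtering a Shodan-style host export for anything in that netblock answering on a well-known ICS port. The ICS port list is an assumption (common protocol defaults, not the CERT list), the netblock uses documentation addresses, and the export records are constructed for the example.

```python
import ipaddress
import json

# Assumption: default ports of common ICS/OT protocols. A starting list only;
# extend it with the queries from the Austrian Energy CERT list.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}


def build_shodan_queries(cidr):
    """Return Shodan search strings that look for ICS ports inside a netblock."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [f"net:{net} port:{port}" for port in sorted(ICS_PORTS)]


def parse_export(text):
    """Parse a newline-delimited JSON export of host records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_ics_exposure(records, cidr):
    """Flag records inside cidr whose open port is a known ICS protocol port."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if ip in net and rec["port"] in ICS_PORTS:
            hits.append({
                "ip": str(ip),
                "port": rec["port"],
                "protocol": ICS_PORTS[rec["port"]],
                "product": rec.get("product", "unknown"),
            })
    return hits


# Constructed sample export (fake hosts in documentation address ranges),
# in the shape of Shodan host records: ip_str, port, product.
SAMPLE_EXPORT = """
{"ip_str": "203.0.113.10", "port": 502, "product": "Modbus/TCP PLC"}
{"ip_str": "203.0.113.11", "port": 443, "product": "nginx"}
{"ip_str": "203.0.113.12", "port": 102, "product": "S7 PLC"}
{"ip_str": "198.51.100.5", "port": 502, "product": "Modbus/TCP PLC"}
"""

if __name__ == "__main__":
    org_netblock = "203.0.113.0/24"  # assumption: your organization's range
    for query in build_shodan_queries(org_netblock):
        print("shodan query:", query)
    for hit in find_ics_exposure(parse_export(SAMPLE_EXPORT), org_netblock):
        print("EXPOSED:", hit)
```

The query strings can be pasted into the Shodan web search or passed to the `shodan` CLI; the 198.51.100.5 record is deliberately outside the netblock to show that only your own ranges are reported.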
7. Ensure You Have Proper Patch Management
State-sponsored threat actors use known vulnerabilities more often than zero-days to breach networks. Unpatched vulnerabilities in publicly exposed systems are the most common attack vector for cyber attacks. Once a vulnerability in a popular software has been disclosed, it may be only a matter of hours until worldwide scanning is initiated to search for vulnerable systems.
You should benchmark your vulnerability and patch management program against the two-day rule. The rule simply states that once a patch is available for an internet-facing application or system, it should be applied within two days.
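To make the benchmark concrete, here is an added example (not the article's own tooling) that evaluates a list of findings against the two-day rule and reports which ones are late, including findings that are still open. The 30-day internal deadline, the host names, and the dates are assumptions constructed for the example; the article itself only gives the two-day figure for internet-facing systems.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TWO_DAY_RULE = timedelta(days=2)      # internet-facing systems (from the article)
INTERNAL_DEADLINE = timedelta(days=30)  # assumption: deadline for internal systems


@dataclass
class Finding:
    host: str
    advisory: str            # constructed label, not a real advisory identifier
    internet_facing: bool
    patch_released: date
    patched_on: Optional[date] = None  # None means still unpatched


def deadline_for(finding):
    """Date by which the patch must be applied under the relevant rule."""
    window = TWO_DAY_RULE if finding.internet_facing else INTERNAL_DEADLINE
    return finding.patch_released + window


def evaluate(findings, today):
    """Return (host, advisory, days_late, still_open) for every breached deadline.

    An unpatched finding is measured up to `today`, so an open finding that is
    past its deadline is reported as a breach even though nobody has patched it.
    """
    breaches = []
    for f in findings:
        closed = f.patched_on if f.patched_on is not None else today
        late = (closed - deadline_for(f)).days
        if late > 0:
            breaches.append((f.host, f.advisory, late, f.patched_on is None))
    return breaches


# Constructed sample inventory (fake hosts and dates).
SAMPLE_FINDINGS = [
    Finding("www-edge-1", "VULN-A", True, date(2022, 3, 1), date(2022, 3, 2)),   # on time
    Finding("vpn-gw-1", "VULN-A", True, date(2022, 3, 1), date(2022, 3, 5)),     # 2 days late
    Finding("fileserver-7", "VULN-B", False, date(2022, 3, 1), None),            # internal, still in window
    Finding("mail-edge-2", "VULN-C", True, date(2022, 3, 10), None),             # open and 8 days late
]

if __name__ == "__main__":
    for host, adv, days, open_ in evaluate(SAMPLE_FINDINGS, date(2022, 3, 20)):
        state = "STILL OPEN" if open_ else "patched late"
        print(f"{host}: {adv} {days} day(s) past deadline ({state})")
```

Run it against your real patch tracker export with `today` set to the report date; the "still open" flag is the list to escalate first.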
8. Always Enforce Multi-Factor Authentication (MFA)
Solutions should be implemented to ensure that all internet-facing authentication services require MFA, prioritizing systems that authenticate using internal credentials. If legacy systems do not support MFA, the service should be moved behind a VPN service with MFA or migrated to a more modern product that supports MFA.
It is also important to understand that there should be no exemptions to this rule. A single unprotected login can be enough for cyber adversaries to exploit and gain entry. There are many tools that cybercriminals can use to find such weak spots.
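One way to find such exemptions in your own environment is to audit sign-in logs for successful authentications that completed without MFA. The script below is an added example, not code from the article: it reads records modelled on the fields of Azure AD sign-in logs (the field names and the `clientAppUsed` values for legacy protocols are assumptions about that export format) and reports, per application, every user who got in single-factor or over a legacy protocol that cannot carry MFA. The log lines and accounts are constructed for the example.

```python
import json
from collections import defaultdict

# Assumption: legacy client protocols that authenticate with a password only
# and therefore bypass an MFA requirement, as named in sign-in log exports.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed sign-in records (fake users on example.com), modelled on the
# shape of Azure AD sign-in log entries: one JSON object per line.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationRequirement": "multiFactorAuthentication", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-backup@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationRequirement": "singleFactorAuthentication", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Legacy HR portal", "authenticationRequirement": "singleFactorAuthentication", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Legacy HR portal", "authenticationRequirement": "singleFactorAuthentication", "clientAppUsed": "Browser", "status": {"errorCode": 50126}}
{"userPrincipalName": "dave@example.com", "appDisplayName": "Corporate VPN", "authenticationRequirement": "multiFactorAuthentication", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
"""


def load_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_mfa_gaps(records):
    """Return {app: [users]} for successful sign-ins that completed without MFA.

    Failed sign-ins (non-zero errorCode) are ignored: a rejected password is not
    an exemption. A success is a gap if the log says single-factor, or if the
    client protocol is one that cannot carry an MFA challenge at all.
    """
    gaps = defaultdict(set)
    for rec in records:
        if rec["status"]["errorCode"] != 0:
            continue
        single_factor = rec["authenticationRequirement"] == "singleFactorAuthentication"
        legacy = rec.get("clientAppUsed") in LEGACY_CLIENTS
        if single_factor or legacy:
            gaps[rec["appDisplayName"]].add(rec["userPrincipalName"])
    return {app: sorted(users) for app, users in gaps.items()}


if __name__ == "__main__":
    for app, users in find_mfa_gaps(load_signins(SAMPLE_SIGNINS)).items():
        print(f"{app}: no MFA for {', '.join(users)}")
```

Service accounts on legacy mail protocols, as in the `svc-backup` record, are the exemptions most often overlooked; the fix is to move them to a protocol or product that supports MFA, or behind a VPN that requires it, as described above.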
9. Prepare for DDoS Attacks
Ensure that critical functions that depend on high connectivity have sufficient bandwidth and protection to withstand a sustained distributed denial-of-service (DDoS) attack. This is especially important for financial institutions, as such organizations have now been targeted multiple times in Ukraine. For more information on how to harden your systems against DDoS attacks, read about Increased Risk of DDoS attacks.
10. Prepare for Incidents
It is essential that you have a plan for your organization's incident response and ensure that everyone involved has understood the processes and communication protocols and knows their role. When a cyber attack strikes, it is too late to start planning your response.
Many companies rely on their internal networks and websites for communication with their staff and the outside world. A serious cyber attack or even relatively low-effort DDoS attack can cripple an unprepared organization’s ability to communicate.
Ensure you have prepared alternative methods of communication with your staff and the outside world in case your network goes down. Use Twitter or other social media to communicate with the outside world and your personnel. Use encrypted communication apps like Signal for sensitive internal communication. Set up chat rooms and connections in advance. Avoid Telegram for sensitive communication: its regular chats are not end-to-end encrypted by default.
Finally, we recommend Truesec’s free guide on incident readiness.