The conflict in Ukraine brings the possibility of increased cyberattacks targeting the public infrastructure of NATO nations and their allies, and could easily extend to corporations and other entities within those countries as well.
The US CISA (Cybersecurity and Infrastructure Security Agency) has provided technical guidance and reporting methods at https://www.cisa.gov/shields-up, which is an excellent resource for all organizations. While most businesses realize that cyberattacks are a fact of life, and that they are always being targeted by cybercriminals and even nation state actors, this development may lead to changes in the threat landscape which will raise the stakes considerably. It’s never a bad time to review attack surfaces and threat models, but this emerging threat makes it critical to do so now.
Our teams pulled together the recommendations below with the goal of suggesting practical, relatively easy-to-perform actions that companies of different security postures could take immediately, based on the overall maturity of their existing security program. We did this because we recognize that not all companies have the same security capabilities. Some companies may be standing up a basic level of security protections, or have institutional resistance and architectural issues that make it hard to implement basic security practices.
Others may have a modest but effective security program in place, but struggle with staffing and resources or lack the budget for sophisticated tooling.
Still others may have robust, mature security programs which have been battle-tested and work well, but are looking for advice on how to address the specific threats that this situation may bring to them.
Given this, we provide several suggestions for each of the above rough classifications. By doing so, we hope to avoid saying “just patch” or “just have sophisticated network threat detection systems in play”, when we know that these tactics, while effective, are not always easy to accomplish, or may simply be out of reach for a given environment.
If You Have a Limited Security Program or Controls In Place
- Backups
Offline, tested backups of the critical data you would need to recover your business in the event of a disaster are a baseline essential to have.
If your business is compromised and targeted with wiper malware or ransomware, having access to these backups may be the difference between being able to eventually recover or not being able to recover the business at all.
Prioritize those critical files that are unique to your business and necessary to rebuild regular business operations. Start there. If you have that in place already, continue with the next most critical tier of data: data that would be difficult, but not impossible, to replace, and whose availability would let you recover with greater speed.
- Threat surface
Start by identifying the edges of your environments and ensure that devices at the edge (routers, switches, firewalls) are at the most recent patch levels available from their vendors, if possible.
If there are architectural issues that prevent this, work with your vendors to identify mitigations and preventative measures that can help protect these assets.
After that, do the same for the publicly accessible portions of your network infrastructure, such as mail servers, app servers, and web servers.
Finally, look to your technology stacks – are your applications running on supported and regularly updated languages and frameworks? Are any plugins or extensions you use up to date? This can, depending on the scope of your application portfolio, be quite a heavy lift, but even if you cannot upgrade, identifying which components are out of date will give you a map of places attackers will attempt to gain access.
- Change control and Integrity Monitoring
A logical next step is to monitor for unauthorized changes to your main systems, which can be accomplished with many free tools often included with operating systems.
This can be as basic as taking a snapshot of the files and their checksums on the filesystem of a front-end server, running the same command again a day later, and comparing the two results with simple tools to spot inconsistencies. Be sure to specifically monitor temporary directories and other world-writable areas.
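As an added example (not code from the original post), a minimal version of that snapshot-and-compare check using only coreutils, plus a listing of the world-writable directories the text says to watch most closely. The paths in the usage comments are assumptions, and the script assumes file paths without whitespace.

```shell
#!/usr/bin/env bash
# Added example: baseline-and-compare file integrity check with coreutils only.

# snapshot DIR OUTFILE: record "sha256  path" for every regular file under DIR,
# sorted by path so two snapshots are directly comparable.
snapshot() {
  find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# compare OLD NEW: print files that were added, removed or modified between
# two snapshots (keyed on path, field 2; hash is field 1).
compare() {
  awk '
    FILENAME == ARGV[1] { old[$2] = $1; next }
    { new[$2] = $1 }
    END {
      for (p in new) if (!(p in old)) print "ADDED    " p
      for (p in old) if (!(p in new)) print "REMOVED  " p
      for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
    }' "$1" "$2" | sort
}

# world_writable DIR: directories anyone can write to (mode has o+w),
# the places an attacker with a foothold is most likely to drop files.
world_writable() {
  find "$1" -type d -perm -0002
}

# Usage (paths are assumptions):
#   snapshot /var/www /root/www-day1.txt
#   ... a day later ...
#   snapshot /var/www /root/www-day2.txt
#   compare /root/www-day1.txt /root/www-day2.txt
#   world_writable /var/www
```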
- Monitoring
Metrics you may already have, such as disk space, CPU usage, network utilization and similar statistics, can be leveraged as a simple means of spotting anomalous activity.
If you have more sophisticated monitoring used by application teams or system engineering teams, now is a great time to get access and brainstorm with those teams about how existing monitoring could be extended to detect hostile activity.
- Brainstorming and scenario planning
Table-top exercises, threat modeling and response scenario planning are a great way to identify your weak points and find out where your response may fail. Work out rough plans for the following major incident types: ransomware, DDoS, malware/wiper, web app compromise, and reported data leaks.
Don’t get lost in the specifics; the goal here is to get teams working well together and combining the knowledge they have, with a focus on how you can recover from each scenario.
- Leverage managed services where appropriate
Should you have access to additional budget to prepare for possible attacks in the short term, consider identifying providers who offer “managed, as a service” products to filter web traffic and block DDoS. These can be brought online rapidly and can be used to great effect.
If You Have a Moderate Level of Maturity In Your Security Program
- External scanning of internet facing assets
To further reduce your threat surface, conduct or purchase external scanning of outward-facing assets to detect unexpected open ports and better understand your environment as an attacker would see it. This can be done via one of many scanning services, or manually using standard tools such as nmap run from a VPS located in a cloud provider.
- Keep up to date on signatures and policies
Ensure that whatever detection and prevention tools you have at your network edges are using up to date signatures and policies, and ensure that these policies are in “enforcing” mode when possible.
Many companies are currently providing block lists of known threats for free – using these and keeping them updated will provide a layer of protection informed by expert analysis of the situation.
- Harden access at the server/service level
At the server or service level, continue to harden access where you can. A plethora of technologies exist that can help mitigate a compromise by preventing data execution or by blocking access to resources that a compromised application should never normally request.
- Harden access at the account access level
Harden access methods by implementing some form of MFA and strong password/passphrase requirements for critical systems at a minimum. Remove administrative rights from regular user accounts and require administrators to use unprivileged accounts in day-to-day work. Separate administrative accounts should be used to perform actions where their higher privileges are necessary, and their access and actions should be logged and audited.
When it comes to compromised credentials, having multiple layers of control, detection, and prevention is critical. User credentials _will_ be compromised, even in the best run organizations. Phishing is a highly effective attack method, and almost always works.
- Review permissions, ACLs, and access policies
Almost every environment has services or accounts which have more permissions than they strictly need to do their jobs, and reviewing and tightening these following a policy of “least privilege” is one of the best ways to limit the damage a successful attack can do.
- Extended monitoring
Monitor inbound and outbound network traffic and restrict both inbound and outbound traffic to only authorized ports where possible. Consider the use of proxies to restrict outbound access and detect phone-home behavior from malware. Apply whatever filter lists your vendors can provide to detect C&C (Command & Control) communications and other suspicious activity.
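As an added example, not part of the original post, one way to look for phone-home behavior in outbound proxy logs: flag client/destination pairs that are contacted at suspiciously regular intervals (a low coefficient of variation of the inter-request gap). The log format (epoch seconds, client IP, destination host) and the sample lines are constructed for this example; per-pair entries are assumed to be in time order.

```shell
#!/usr/bin/env bash
# Added example: beacon-style phone-home detection over a constructed proxy log.
# Format per line: epoch_seconds client_ip dest_host
SAMPLE_LOG=$(cat <<'EOF'
1700000000 10.0.0.5 updates.example.net
1700000060 10.0.0.5 updates.example.net
1700000120 10.0.0.5 updates.example.net
1700000180 10.0.0.5 updates.example.net
1700000240 10.0.0.5 updates.example.net
1700000300 10.0.0.5 updates.example.net
1700000007 10.0.0.9 news.example.org
1700000190 10.0.0.9 news.example.org
1700000215 10.0.0.9 news.example.org
1700000800 10.0.0.9 news.example.org
1700001300 10.0.0.9 news.example.org
1700001310 10.0.0.9 news.example.org
EOF
)

# detect_beacons MIN_HITS MAX_CV < log
# Prints "client dest hits mean_interval cv" for every client/destination pair
# with at least MIN_HITS requests whose interval coefficient of variation
# (stddev / mean) is at or below MAX_CV. Human browsing is bursty and
# irregular; scheduled check-ins from an implant tend to be near-periodic.
detect_beacons() {
  awk -v min_hits="$1" -v max_cv="$2" '
    { key = $2 " " $3; n[key]++; ts[key, n[key]] = $1 }
    END {
      for (key in n) {
        if (n[key] < min_hits) continue
        sum = 0; sumsq = 0; m = n[key] - 1
        for (i = 1; i <= m; i++) {          # gaps between consecutive requests
          d = ts[key, i + 1] - ts[key, i]
          sum += d; sumsq += d * d
        }
        mean = sum / m
        var = sumsq / m - mean * mean
        if (var < 0) var = 0                 # guard against rounding
        cv = (mean > 0) ? sqrt(var) / mean : 0
        if (cv <= max_cv) printf "%s %d %.1f %.3f\n", key, n[key], mean, cv
      }
    }'
}

# Stand-alone run: flag pairs seen 5+ times with CV <= 0.2.
printf '%s\n' "$SAMPLE_LOG" | detect_beacons 5 0.2
```

Tune MIN_HITS and MAX_CV to your environment; legitimate update checkers and monitoring agents also beacon, so treat hits as leads to investigate, not verdicts.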
- Endpoint protection
Compromise of employee devices such as laptops and smartphones can frequently allow attackers to pivot deeper into the environment. As such, we recommend ensuring that endpoint protection and antivirus signatures are up to date and configured with strong policies.
If You Have a Robust and Sophisticated Security Program
If you are lucky enough to have a robust program that is already doing all the above, you’re in much better shape than many. The main elements here are to keep doing what you’re doing, and continue to improve your processes using up to date intelligence.
- Ensure logs and alerts are handled rapidly and your SOC is sufficiently staffed
There is not much point in having excellent logging and monitoring if no one is looking at the logs in a timely manner. Contact your SIEM vendors to find out if they have specific signatures or searches that are applicable in the current situation.
- Threat hunt
The unfortunate fact of the matter is that sophisticated attackers may have already compromised your network. Hunting them, using up to date indicators of compromise, and continuously monitoring for anomalous activity, may allow you to identify hostile actors in your environment. Redouble your efforts in this space.
- Red/Blue/Purple Team
If you are lucky enough to already have Red teaming capabilities, they should be tracking threat intel sources (both purchased feeds and analysis, as well as the many open source feeds) to allow them to mimic attacker behavior and test your defenses.
- Use traps and deception
If you have the capability to do so, setting traps for hostile actors or using deception techniques can be an excellent way to detect and block attackers. Examples include setting up honeypot servers which appear to be part of your infrastructure but are in fact highly instrumented traps for hostile activity, or placing tempting but faked data on accessible servers and monitoring who accesses it. This is a very free-form and dynamic tactic, but it can be very fruitful if done with some care.
A Few Final Notes
Despite the obvious concern over state-sponsored activity, it’s important to understand that many cybercriminals are using this situation as an opportunity to extend and intensify their own attacks. In addition, many cybercriminal gangs have declared allegiance to one side of this conflict or the other, and cutting-edge malware and delivery mechanisms quite often come out of the cybercriminal underground.
There is no single solution for any of this. Multiple layers of controls, excellent situational awareness and monitoring, and most importantly, a perspective of “assume breach” and extensive disaster recovery and incident response planning are the pillars of defense.