TL;DR
Earlier in February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning advising American companies to be extra cautious about potential hacking attempts from Russia as tensions with the country rise, particularly during the Russia-Ukraine crisis. As the situation since the invasion of Ukraine by Russia on Thursday, February 24th continues to evolve, Assura is urging all organizations not aligned with the Russian actions to continue to take measures to strengthen protection, detection, response, and reconstitution of their technology infrastructures.
At this time, CISA and Assura continue to monitor cyber threats associated with the Russian invasion of Ukraine. “While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine,” said the CISA alert.
Overview
As the second warning to come from CISA this year, both focusing on the cybersecurity threat from Russia, reminds us, the difficulty in working to detect and prevent attack coming from Russian-affiliated actors is the wide scope of the activities. While GRU affiliated state supported actors are unlikely to reach out to smaller organizations and companies, Russian-supported or supporting attacks can come from an array of sources ranging from criminal enterprises, such as the REvil and Trickbot, to patriotic hackers acting alone. Targets of opportunity, building botnet infrastructure, and ransomware as a service are all in the wheelhouse as Russian and United States tensions rise
Based on this situation, CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. Recommended actions include:
Reduce the likelihood of a damaging cyber intrusion
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
- Sign up for cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. Some are available for free but may not be available with enough immediacy to be useful during the current crisis so it may be best to engage the private sector. Cyber hygiene is also most effective when it done on a recurring basis.
Take steps to quickly detect a potential intrusion
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging to better investigate issues or events.
- Confirm that the organization’s entire network is protected by advanced (i.e., Next Generation) antivirus/antimalware software and that signatures and detection engines in these tools are kept current.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal, and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization’s resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
Assura’s Take
Reducing the likelihood of a damaging intrusion, taking steps to detect a potential intrusion, ensuring the organization is prepared to respond if an intrusion occurs, and helping to maximize the organizations resilience to a destructive cyber incident can be a daunting lift for overburdened IT personnel. To that end, there some basic steps organizations should be taking at this point. In addition to increased monitoring and standing up incident response teams, experts recommend making sure they are up to date on their patches, deploying multifactor authentication (MFA) everywhere they can and bringing in trusted cybersecurity experts to augment skill sets that they don’t have on staff.
State-backed Russian threat actors are some of the most skilled in the world at exploitation of the lack of security awareness and vulnerable systems within organizations across all sectors. The hazard they pose cannot be understated. Organizations that fail to prepare for an onslaught of cyber attacks do so at their own peril.
If you’re an Assura client and have questions about what is available to you to assist during this time, please reach out to your Virtual ISO or Concierge. Otherwise, please feel free reach us via our contact page at: https://www.assurainc.com/contact/.