Many leaders in enterprise information security and IT operations organizations are taking stock of the potential for risk due to cyber operations between Russia and Western countries that show support for Ukraine. News reports that President Biden may be considering options for proactive cyber operations against Russian critical infrastructure have heightened the level of risk for US critical infrastructure and businesses that depend on continuity of IT systems.
While the best time to prepare for a disaster is a year ago, the second-best time is today. Some preparedness steps will necessarily take weeks or months to roll out, but there are always some useful actions that can be done quickly, given resources and focus on those tasks. Here are our top recommendations for immediate actions:
Check your critical system backups and test to make sure that your backup data can be restored to new IT systems if needed. Make sure that shared data storage, local workstation documents, and current router and firewall configurations are backed up, as well as configurations for cloud assets. If possible, take a copy of a recent backup and store it on removable media at an offsite location.
Why this is timely: The most recent threat intelligence indicates that Russia has targeted business IT systems throughout Ukraine with data wiper malware, which destroys data and does not keep encrypted copies for ransom extortion. Historically, threats against Ukrainian IT systems have later affected global systems. Preparing for data restoration is a wise mitigation against this threat.
Distributed Denial of Service (DDoS) Protection
Review the critical systems connected to the Internet that would cause your business operations to be degraded if they were unavailable. Examples to consider include VPN servers that remote employees connect to for work and websites that drive e-commerce and B2B data transfers. If you don’t already have a commercial DDoS protection service in place to protect those assets, start the process of getting vendor quotes. Usually, protections can be put in place in a matter of hours or days, but it is much easier to do before an attack than in the middle of one.
Why this is timely: Besides data wiping, Russian cyber operations against Ukraine have also included DDoS attacks against government and private business websites. Anything that faces the Internet such as VPNs can be made unavailable by DDoS attacks. Russia has spent a long time amassing remote control of network devices such as SOHO routers, firewalls and other network appliances throughout the US and the world. These devices can easily be used for DDoS attacks coming from IP addresses in the US. Commercial solutions to protect from DDoS are widely available and usually straightforward to implement.
Review and Practice Incident Response Plans
Not all threats can be known ahead of time. Just because data wiping and DDoS are the most recently seen threats does not mean that anyone can predict with certainty what will happen next. The best-prepared teams have thought through many possibilities. They have a plan to respond quickly to contain and mitigate damage before it spreads exponentially in scope and cost. Make sure everyone on your team knows their roles, has recently reviewed the IR plans, and that all the IR software licenses and tools are up to date and ready for use without delay. If your IR plan involves a third-party security provider, check with your provider to understand how long a delay you should expect if a significant number of businesses are affected by widespread attacks. Be sure to have an alternate plan if your IR provider is not immediately available, even if that plan is as simple as disconnecting segments of your network. Brief your leadership on what to expect if you have to implement the worst-case scenario response plan.
Why this is timely: Even the best thought-through plans can get stale over time, and if team members cannot remember the plan, it provides limited value in an emergency. Refreshing and updating the plan and alternate plans helps staff maintain calm and efficiency to respond quickly. A swift response can avert more damage than a slow and uncoordinated response.
Prioritize Public-Facing Servers
If Russia or any country wishes to create the biggest impact and widespread damage targeting the most companies at once, the most likely scenario is that they will deploy an exploit against an unpatched vulnerability on common business systems. It is reasonable to believe that most cyber-enabled governments of the world have access to undisclosed 0-day vulnerabilities, and that they have already done the work of scanning the Internet and mapping out servers that they could hit at will, but have reserved them for the most strategic moment to deploy. Of course, make sure that your public-facing servers are patched, but expect the possibility of compromise and make sure that a compromise of one server can’t spill over into a compromise of the entire internal enterprise network. Segment the public-facing servers in a DMZ so they can’t initiate connections inside, and carefully monitor those servers for anomalous processes and anomalous outbound network connections. Even analyzing a few days’ worth of process logs and network logs should reveal the normal pattern of activity for those servers. Set up automated alerting to let your security team know if the processes that service network requests from the Internet suddenly start new child processes or initiate outbound connections to anything other than the servers they normally connect to.
Why this is timely: This is the single most likely vector for attacks that seek to cause widespread damage. Anticipating this vector and being prepared to minimize damage is the best chance for a successful and quick recovery.
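The baseline-and-alert approach described above, as an added sketch that is not Binary Defense's own tooling: it learns the normal child processes and outbound destinations of Internet-facing service processes from a few days of events, then flags anything new. The event fields, host and process names, and addresses are constructed assumptions; real telemetry would first be parsed into this shape.

```python
from collections import defaultdict

# Constructed sample events (not real logs). Each record is assumed to be
# already parsed from process-creation and network-connection telemetry.
BASELINE_EVENTS = [
    {"host": "web01", "type": "proc", "parent": "nginx", "child": "nginx"},
    {"host": "web01", "type": "proc", "parent": "php-fpm", "child": "php-fpm"},
    {"host": "web01", "type": "conn", "process": "php-fpm", "dest": "10.0.5.20:5432"},
    {"host": "web01", "type": "conn", "process": "nginx", "dest": "10.0.5.10:8080"},
]
NEW_EVENTS = [
    {"host": "web01", "type": "proc", "parent": "nginx", "child": "nginx"},
    {"host": "web01", "type": "proc", "parent": "php-fpm", "child": "sh"},
    {"host": "web01", "type": "conn", "process": "php-fpm", "dest": "10.0.5.20:5432"},
    {"host": "web01", "type": "conn", "process": "php-fpm", "dest": "203.0.113.7:443"},
]

# Processes that service requests from the Internet (assumed names).
INTERNET_FACING = {"nginx", "php-fpm"}

def event_key(ev):
    """Return (host, actor process, observed behaviour) for an event."""
    if ev["type"] == "proc":
        return ev["host"], ev["parent"], ("child", ev["child"])
    return ev["host"], ev["process"], ("dest", ev["dest"])

def build_baseline(events):
    """Learn the normal children and destinations per (host, process)."""
    baseline = defaultdict(set)
    for ev in events:
        host, actor, behaviour = event_key(ev)
        baseline[(host, actor)].add(behaviour)
    return baseline

def find_anomalies(baseline, events, watched=INTERNET_FACING):
    """Return alerts for watched processes doing something not in the baseline."""
    alerts = []
    for ev in events:
        host, actor, (kind, value) = event_key(ev)
        if actor in watched and (kind, value) not in baseline.get((host, actor), set()):
            what = "new child process" if kind == "child" else "new outbound destination"
            alerts.append(f"{host}: {actor} {what}: {value}")
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print("ALERT", alert)
```

The baseline is keyed per host and per process, so a destination that is normal for one server still raises an alert when a different server starts using it.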
The Binary Defense threat intelligence teams continue to actively monitor the ever-changing security landscape and will communicate additional advice as any critical information is discovered.
For Binary Defense MDR and SIEM customers, the SOC is operating at a higher level of vigilance while looking for any abnormal scenarios related to these evolving situations.