A Russian cyber attack could threaten interconnected digital supply chains, making it critical to have a plan for how to respond. While there are many unknowns around exactly how a Russian cyber attack might target or disrupt businesses, there is a past and very recent precedent that shows us everyone needs to prepare now.
Whole businesses have been disrupted in both IT and OT, whether by ransomware, phishing (including whale phishing of executives), or subtler attacks in which configuration changes are made deep inside infrastructure so that a critical business function degrades, stalls or fails outright. These attacks effectively shut the business process down or disrupt the supply chain, hitting multiple businesses within it.
While the Russian government may not directly target US infrastructure, there can be collateral damage from the outbreak of a cyber war. We saw this in 2017 with Russia's NotPetya attack, malware that posed as ransomware but was built to destroy data rather than to collect a ransom.
Although the attack was aimed at Ukraine, it spread quickly. Companies such as FedEx, Merck, Nuance and Maersk each lost hundreds of millions of dollars, and total damages are estimated at around $10 billion, not counting the supply chain impact of delayed or ruined inventory.
The Department of Homeland Security has already issued several warnings to US companies. We take these seriously: DHS and CISA know far more about what is happening, or is about to happen, than the rest of us. It is a fine line between alarmism and preparedness, but it is better to be prepared and not need it than to need it and not be prepared.
Destructive malware has already been detected against organizations in Ukraine: WhisperGate, which overwrites the master boot record and corrupts files to render devices inoperable, and HermeticWiper, which corrupts disk structures so that systems fail to boot. With this in mind, focus on your current defenses and on keeping them resilient as world events cascade into threats you cannot yet predict.
What Threats Should I be Aware of?
The rise of ransomware is something we discussed last year, and we reviewed the prevention measures you should be taking in a separate post. Because today's supply chains are so tightly interconnected, it is not hard for ransomware to cascade through them.
These exposures compound if you, or anyone in your supply chain, works with Ukrainian businesses. Here especially, as the NotPetya attack showed, you can be hit even if you are not a direct target.
Being vigilant, enforcing best practices and ensuring that your company is following them are your best steps to take at the moment.
What Can I do to be Ready?
Your plan for responding to a cyber attack should cover four areas: Reduction, Detection, Response and Resilience. Look internally at your cyber preparedness now, in case collateral damage from a Russian cyber attack finds its way to your company's doorstep.
To look at that further, we review some of CISA's Shields Up guidance below, with additional comments.
How to Reduce the Threat of a Cyber Attack
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
- Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
Reducing attack surface and entry points is critical, and prevention is your best defense. Validate that every remote access path and every privileged or administrative account is protected by multi-factor authentication; weak authentication is one of the easiest ways for a breach to occur. Review your least-privilege access control policies and confirm they are actually enforced: nothing should be trusted simply because of where it sits on the network.
Further, do not leave devices unpatched; known vulnerabilities will be exploited against you. Know every device on your network and its configuration, and keep each one at the latest available patch level, prioritizing the vulnerabilities on CISA's Known Exploited Vulnerabilities (KEV) list. Understanding every asset's configuration settings and values is also key to restoration and should be part of any restoration plan.
Automated documentation of the infrastructure, checked every day, is key to spotting changes, and every change should be traceable back to an approved change-control record and to the corresponding access-control tickets and logs. Know who did what, and when. Record the outcome of each change so that it can be validated again tomorrow, and the day after, for every asset.
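The patch-prioritization step above is easy to describe and easy to get wrong in practice, because a scanner reports hundreds of findings and the KEV list is what separates "patch this week" from "patch this cycle". The following is an added example written for this post, not code from CISA or from the original article: it takes a constructed excerpt in the shape of CISA's KEV JSON feed (the CVE IDs are real KEV entries, but the dates and product strings are illustrative stand-ins, and the scanner output and hostnames are made up) and orders findings so that exploited-and-overdue issues on internet-facing hosts come first.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's Known Exploited Vulnerabilities (KEV) JSON feed.
# The CVE IDs are real KEV entries; the dates and product strings are illustrative stand-ins,
# not copied from the live catalog. In production, download the current feed from cisa.gov.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
         "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
         "dateAdded": "2021-11-03", "dueDate": "2022-07-20"},
    ],
})

# Constructed vulnerability-scanner output: one record per host/CVE finding. Hostnames are made up.
SCAN_FINDINGS = [
    {"host": "fileserver01", "cve": "CVE-2017-0144", "internet_facing": False},
    {"host": "build02", "cve": "CVE-2021-3737", "internet_facing": False},
    {"host": "vpn-gw01", "cve": "CVE-2021-44228", "internet_facing": True},
    {"host": "print01", "cve": "CVE-2021-34527", "internet_facing": False},
]


def load_kev(feed_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Order findings for patching.

    Tier 0: on the KEV list and past CISA's due date.
    Tier 1: on the KEV list, due date still ahead.
    Tier 2: not known to be exploited; handle on the normal patch cadence.
    Within a tier, internet-facing hosts come first, then the earliest due date.
    """
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            tier, due = 2, None
        else:
            due = date.fromisoformat(entry["dueDate"])
            tier = 0 if due < today else 1
        ranked.append({**f, "kev": entry is not None, "due": due, "tier": tier})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_facing"],
                               r["due"] or date.max, r["host"]))
    return ranked


def patch_order(findings=SCAN_FINDINGS, feed_json=KEV_FEED, today=date(2022, 3, 1)):
    """Hostnames in the order they should be patched, for the constructed data above."""
    return [r["host"] for r in prioritize(findings, load_kev(feed_json), today)]


if __name__ == "__main__":
    for r in prioritize(SCAN_FINDINGS, load_kev(KEV_FEED), date(2022, 3, 1)):
        flag = "OVERDUE" if r["tier"] == 0 else ("KEV" if r["kev"] else "normal")
        print(f'{flag:8} {r["host"]:14} {r["cve"]:16} due={r["due"]}')
```

The KEV due dates are binding only for US federal civilian agencies under BOD 22-01, but they are a sensible yardstick for anyone: a finding that CISA has already seen exploited in the wild and whose due date has passed should not be sitting in the same queue as a routine CVE.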
How to Detect a Cyber Attack
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
Now is the time to make sure your logging and monitoring systems are in place and that you are ready to detect and assess unusual behavior that could indicate a threat or an intrusion. Coverage should be thorough: monitor both your devices and your people, so you have a full picture of who is doing what and where, and synchronize every log source to a common clock (NTP, with timestamps that carry their time zone) so you can reconstruct the exact sequence of events across systems.
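The "common clock" point is the one most often missed: if one device logs in UTC and another in local time, a naive sort puts events in the wrong order and the investigator draws the wrong conclusion. The following added example (ours, not code from the original post or from CISA) parses constructed authentication log lines from two sources with different time zones, normalizes them to UTC, and runs two of the simplest detections worth having before an incident: a burst of failures followed by a success, and a successful remote login with no MFA. The log format, hostnames, usernames and addresses are all made up for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines, not from the original post. The VPN gateway stamps events in UTC;
# the directory server (dc01) stamps them in US Eastern local time (-05:00). Hostnames,
# users and addresses are made up (RFC 5737 documentation ranges for the public IPs).
LOG_LINES = """\
2022-03-01T08:02:11+00:00 vpn-gw01 auth user=jsmith src=203.0.113.7 result=FAIL mfa=none
2022-03-01T08:02:14+00:00 vpn-gw01 auth user=jsmith src=203.0.113.7 result=FAIL mfa=none
2022-03-01T08:02:17+00:00 vpn-gw01 auth user=jsmith src=203.0.113.7 result=FAIL mfa=none
2022-03-01T08:02:20+00:00 vpn-gw01 auth user=jsmith src=203.0.113.7 result=FAIL mfa=none
2022-03-01T08:02:23+00:00 vpn-gw01 auth user=jsmith src=203.0.113.7 result=FAIL mfa=none
2022-03-01T08:02:26+00:00 vpn-gw01 auth user=jsmith src=203.0.113.7 result=OK mfa=none
2022-03-01T03:03:40-05:00 dc01 auth user=jsmith src=10.0.5.21 result=OK mfa=push
2022-03-01T09:15:02+00:00 vpn-gw01 auth user=mlee src=198.51.100.4 result=OK mfa=totp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<kv>.*)$")


def parse_events(text):
    """Parse lines into dicts with a UTC-normalised timestamp, sorted into true order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        # fromisoformat keeps the offset; astimezone(UTC) puts every source on one clock
        ts = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
        events.append({"ts": ts, "host": m.group("host"), "kind": m.group("kind"), **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Two simple detections over the ordered event stream.

    brute_force_success: a successful auth preceded by >= fail_threshold failures
                         for the same host/user/source inside `window`.
    remote_login_no_mfa: a successful login on a remote-access device without MFA.
    Returns a list of (rule, host, user, src, utc_timestamp) tuples.
    """
    alerts = []
    recent_fails = {}  # (host, user, src) -> timestamps of recent failures
    for e in events:
        key = (e["host"], e.get("user"), e.get("src"))
        fails = [t for t in recent_fails.get(key, []) if e["ts"] - t <= window]
        if e.get("result") == "FAIL":
            fails.append(e["ts"])
            recent_fails[key] = fails
            continue
        if e.get("result") != "OK":
            continue
        if len(fails) >= fail_threshold:
            alerts.append(("brute_force_success",) + key + (e["ts"],))
        if e["host"].startswith("vpn-") and e.get("mfa", "none") == "none":
            alerts.append(("remote_login_no_mfa",) + key + (e["ts"],))
        recent_fails.pop(key, None)
    return alerts


def timeline(events):
    """Human-readable ordered timeline, all times in UTC."""
    return [f'{e["ts"].isoformat()} {e["host"]} {e.get("user")} {e.get("result")}'
            for e in events]


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    print("\n".join(timeline(evs)))
    for a in detect(evs):
        print("ALERT", a)
```

Sorting the raw strings would put the dc01 line (03:03 local) before the VPN events (08:02 UTC), suggesting the domain logon came first; after normalization it is clear the VPN session was established, without MFA and after five failures, a minute before the internal logon. That ordering is the difference between "a user mistyped a password" and "an attacker got in and moved inward".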
How to Respond to a Cyber Attack
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
At the point of response you do not want any confusion; you must be ready to act decisively. Your team needs to be identified, aware of their roles and well practiced. Time is critical here, and even small mistakes or confusion can cost you greatly. Any response must be controlled, planned and audited, with a clear and complete log of all human activity: dates, times, actions and the results of those actions.
That log guides more than the person remediating the attack. It shows every party involved, internal staff, contracted third parties and government agencies alike, what was done, how, by whom and in what order. Controlling access to affected assets is equally critical, both to preserve forensic evidence about the adversary and to keep your own response on track.
How to Increase Resilience Against a Cyber Attack
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
As the threat of ransomware has grown, and since destructive malware posing as ransomware has already been used in a Russian cyber attack, your resilience measures must be able to restore your critical data, and your backups must be isolated from network connections through which they could be corrupted or encrypted along with everything else.
These backups should contain not only critical application files and a system-level ability to wipe and rebuild assets from bare metal to current production operation, but also a secondary store and audit trail of asset-level settings, values and configurations. That store is key to validating that a restored system is back at its approved production-level state.
Before an asset is restored, take a complete forensic image of it, not a typical daily backup. After restoration, validate the asset against its expected configuration and its security and operational settings and values. This is also where you may identify the weakness that let the attacker in, which feeds remediation planning after restoration and close monitoring afterward.
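The daily configuration check described in the Reduction section and the post-restore validation described here are the same comparison run at two different moments: current state against the approved baseline, with yesterday's approved change tickets folded into today's baseline. The following added example (written for this post; not code from the original article or from any product) keeps a constructed baseline of asset settings alongside a digest you can store offline with the backups, flags drift that no change ticket explains, and shows the common failure mode in which a backup taken before an approved change restores the asset to a stale state. Asset names, setting names, values and the ticket ID are all made up.

```python
import hashlib
import json

# Constructed approved baseline: the secondary store of asset-level settings and values kept
# alongside the backups. Asset names, setting names and values are illustrative.
BASELINE = {
    "fileserver01": {
        "smb1_enabled": False,
        "rdp_nla_required": True,
        "local_admins": ["Administrator", "svc_backup"],
        "firewall_inbound_default": "block",
    },
    "vpn-gw01": {
        "mfa_required": True,
        "admin_sources": ["10.0.5.0/24"],
    },
}

# Constructed change-control records: a deviation is legitimate only if a ticket covers it.
APPROVED_CHANGES = [
    {"asset": "fileserver01", "setting": "local_admins",
     "value": ["Administrator", "svc_backup", "svc_patch"], "ticket": "CHG-1042"},
]

# Constructed daily snapshot gathered from the live assets.
OBSERVED_TODAY = {
    "fileserver01": {
        "smb1_enabled": True,                                            # no ticket for this
        "rdp_nla_required": True,
        "local_admins": ["Administrator", "svc_backup", "svc_patch"],    # covered by CHG-1042
        "firewall_inbound_default": "block",
    },
    "vpn-gw01": {"mfa_required": True, "admin_sources": ["10.0.5.0/24"]},
}

# Constructed state of fileserver01 after a bare-metal restore from a backup taken
# before CHG-1042 was applied.
RESTORED_FILESERVER01 = {
    "smb1_enabled": False,
    "rdp_nla_required": True,
    "local_admins": ["Administrator", "svc_backup"],
    "firewall_inbound_default": "block",
}


def apply_approved(baseline, changes):
    """Yesterday's approved changes become today's baseline; the ticket is kept as provenance."""
    updated = json.loads(json.dumps(baseline))  # deep copy, leave the input untouched
    provenance = {}
    for c in changes:
        updated[c["asset"]][c["setting"]] = c["value"]
        provenance[(c["asset"], c["setting"])] = c["ticket"]
    return updated, provenance


def baseline_digest(baseline):
    """Canonical SHA-256 of the baseline, to store (and sign) offline with the backups."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def compare(baseline, observed):
    """List every difference between the approved baseline and what was observed."""
    deviations = []
    for asset, expected in baseline.items():
        actual = observed.get(asset)
        if actual is None:
            deviations.append({"asset": asset, "setting": "*", "expected": "present", "actual": "missing"})
            continue
        for setting, exp_val in expected.items():
            act_val = actual.get(setting)
            if act_val != exp_val:
                deviations.append({"asset": asset, "setting": setting, "expected": exp_val, "actual": act_val})
        for setting in sorted(actual.keys() - expected.keys()):  # settings nobody approved at all
            deviations.append({"asset": asset, "setting": setting, "expected": None, "actual": actual[setting]})
    return deviations


def daily_drift(baseline=BASELINE, changes=APPROVED_CHANGES, observed=OBSERVED_TODAY):
    """Daily check: anything not explained by the baseline plus an approved ticket is drift."""
    current, _ = apply_approved(baseline, changes)
    return compare(current, observed)


def restore_is_valid(asset, restored_settings, baseline=BASELINE, changes=APPROVED_CHANGES):
    """Post-restore check: the rebuilt asset must match the current approved state exactly."""
    current, _ = apply_approved(baseline, changes)
    devs = compare({asset: current[asset]}, {asset: restored_settings})
    return len(devs) == 0, devs


if __name__ == "__main__":
    current, tickets = apply_approved(BASELINE, APPROVED_CHANGES)
    print("approved baseline digest:", baseline_digest(current), "tickets:", tickets)
    for d in daily_drift():
        print("DRIFT", d)
    ok, devs = restore_is_valid("fileserver01", RESTORED_FILESERVER01)
    print("restore valid:", ok, devs)
```

Two things to notice. The SMBv1 re-enable shows up as drift because no ticket covers it, which is exactly the kind of quiet change the post warns about. And the restored file server fails validation even though it matches the old baseline, because the approved state moved on after the backup was taken: a restore is only "done" when the asset matches today's approved configuration, not the configuration of whenever the backup happened to run.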
We Can Help You
If you want to make sure you are safe or prepared, we can help. You can talk to us here to learn how you can enforce these cybersecurity measures for your company and be sure that you have the proper measures in place to reduce the possibilities of a breach. More importantly, should you have a breach, you have the necessary information and ability to go from zero to hero, or bare metal to operational, in a validated and efficient timeframe with a high degree of confidence. We look forward to your discussion.