Five tips to combat cyberattacks amidst a land war
Article by Axonius, Katie Teitler.
As the world watches the Russian military attacks on Ukraine, it’s difficult to think about normal business operations. Yet the impact of the Russian invasion will be farther reaching than the physical borders of Ukraine and surrounding regions.
There’s a high likelihood that Russian President Vladimir Putin and those who support him will see any direct or indirect support of Ukraine as a counteroffensive that requires retaliation.
But Russian troops can’t be everywhere. Except when it comes to cyberspace.
It’s highly probable that the cyberattacks coming out of Russia will start to focus or have a greater focus on any NATO nation voicing strong opposition to the Russian attempt to overtake Ukraine.
In fact, the U.S. government has already warned of the potential for increased Russian cyber activity, according to the Washington Post. The White House’s deputy national security advisor for cybersecurity and emerging technology, Anne Neuberger, proactively ran a tabletop exercise to ensure federal agencies were prepared for such an event.
Private businesses, too, should be more alert, especially those in critical infrastructure, including the financial sector, manufacturing, utilities, and healthcare.
Experts warn of ransomware, which is the easiest type of cyber campaign to launch, but other types of cyberattacks are, of course, possible.
So what should businesses do?
Now is a good time for organisations to review processes and technologies that help prevent, detect and mitigate the effects of cyber compromise. But a comprehensive overhaul of the cybersecurity program may neither be feasible nor necessary. In the short term, though, there are a few steps businesses can take immediately.
1. Step up security awareness
An organisation’s people are often the first line of defence to identify suspicious activity. When it comes to non-technical users, ask them to be on the lookout for unexpected emails, emails with attachments or links, and emails containing seemingly ‘urgent’ requests.
These could be the gateway for phishing and/or ransomware. Provide additional guidance to users on how to spot and report suspicious activity, and consider quarantining email from unknown sources which include links and attachments. Bring users into the fold, and let them know how valuable their assistance can be.
2. Know what’s normal
IT, operations, and security teams must pay special attention to logs and other system monitoring tools for unusual behaviour, including increased login attempts, increased outbound traffic, and excessive use of applications and other executables.
Having a baseline is key. Those who don’t already know their normal should get a historical perspective, a current perspective, and be on the lookout — keeping in mind that ‘normal’ in the world of remote and hybrid work is not the same as it was two years ago.
Tech teams will see tons of remote requests. Although this isn’t indicative of an attack, knowing which requests are coming from legitimate and harmless insiders and which are externally motivated by threat actors is crucial to identifying a cyberattack.
What’s more, security teams should be cognizant that threat actors love to hide in plain sight, which is often referred to as ‘living off the land.’ They may take control of dual-use technologies and processes like PowerShell, PS Exec, or Mimikatz to carry out ‘fileless’ or ‘living off the land attacks. ‘
Or they may try to blend into regular traffic and commonly used communications to exact damage. To counter living off the land attacks, a business needs to know how its systems, processes and applications are normally used and look for deviations, regardless of how stealthy they may be.
3. Step up monitoring and logging
Supporting the recommendation to build/understand baselines knowing what a business has will only take IT so far. The ability to enforce action is key to winning any cyberwar.
Continuous monitoring is essential: for internal systems and controls and endpoints. From the firewall to application access, increase security and have processes in place to triage a critical alert.
The SIEM will be one of an organisation’s best friends in this endeavour. Still, any orchestration tool that can aggregate and correlate data across systems and provide prioritisation will prove very helpful here.
Now is also a good time to fine-tune web and content filtering controls, review cloud configurations, and monitor app-to-app/host-to-host communication permissions.
4. Check access and authentication
If an organisation hasn’t already moved towards multifactor authentication (MFA), single sign-on, or password-less authentication, now is a great time to revisit these capabilities. Ensure that advanced access requirements are in place, especially for privileged users.
In addition to access and authentication for privileged users, consider implementing Zero Trust policies for access, including least privilege, just-in-time access, MFA-by-default, and application-level micro-segmentation.
5. Protect personal devices
With remote and hybrid work the norm in today’s working environment, businesses must consider the security state (hygiene) of users’ personal devices. Endpoint protection is critically important. However, agent-based tools only see where they’re deployed, and a users’ jailbroken mobile phone could thwart any attempts by the security team to apply adequate protection.
Thus, security teams must layer defences, starting by deploying endpoint protection (where/when possible), implementing advanced and privileged access management, encrypting devices and critical data, and backing up systems to protect against total system failure should your business be hit with ransomware or another form of cyber attack.
This list is far from exhaustive, and plenty of credible cybersecurity experts freely share social media advice for the greater good. Needless to say, those who can identify and patch critical vulnerabilities should do so!
Lock down or remove remote access, where possible. And for businesses that haven’t already, they must set the foundation of their cybersecurity program by knowing what assets they have, their associated security state, and take action against high or critical vulnerabilities.
Article by Axonius, Katie Teitler.