Cybersecurity During International Conflict

Your business’s cybersecurity during international conflict is a major priority for the United States government, which is urging businesses to be on high alert for cyberattacks while Russia and Ukraine are at war. Secretary of Homeland Security Alejandro N. Mayorkas recently released this statement:

“As the Russian government explores options for potential cyberattacks against the United States, the Department of Homeland Security continues to work closely with our partners across every level of government, in the private sector, and with local communities to protect our country’s networks and critical infrastructure from malicious cyber activity. Organizations of every size and across every sector should continue enhancing their cybersecurity defenses.”

U.S. responds to cybersecurity during international conflict with legislation

On March 15, 2022, President Biden signed into law legislation (the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CIRCIA) requiring critical infrastructure owners and operators to report when their organization has suffered a covered cyber incident or has made a ransomware payment. Reports go to DHS’ Cybersecurity and Infrastructure Security Agency (CISA) (online, or by phone at (888) 282-0870) or to an FBI field office, within 72 hours of a covered incident and within 24 hours of a ransomware payment. The law also gives CISA the power to subpoena entities that fail to report a covered incident or ransomware payment. One caveat for planning: the law directs CISA to define “covered entity” and “covered cyber incident” and the reporting mechanics in a rulemaking, and the mandatory deadlines apply once that rule is in force; until then, reporting to CISA remains voluntary but strongly encouraged.

The federal government says it is taking this action in order to quickly coordinate a response and hold bad actors accountable. It has also released a Fact Sheet: Act Now to Protect Against Potential Cyberattacks.

Businesses can visit for best practices on how to protect their networks regarding cybersecurity during international conflict.

Highlights from our International Crisis & Cyber Crime – Keeping Your Business Safe webinar

On March 17, NetGain Technologies held the webinar “International Crisis & Cyber Crime – Keeping Your Business Safe.” NetGain’s cybersecurity expert Scott Logan and Arctic Wolf’s Sales Engineer Jon Halar discussed everything you need to know about cybersecurity during international conflict.

Here are some highlights from the webinar:

How did we get to the current Russia-Ukraine conflict and how can the U.S. be pulled in from a cybersecurity angle?

SCOTT LOGAN: Long before the Russia-Ukraine conflict, Russia had been making cyberattacks on the U.S. The FBI and CISA announced (in January 2022) that there were 52 separate entities that were attacked with a Russia-based attack called Ragnar Locker (ransomware). It affected critical manufacturing, energy, financial services, government and information technology sectors. This was going on long before the Russia-Ukraine conflict.

After that cyberattack came out in January, the U.S. released a cybersecurity advisory that tried to raise awareness. It wasn’t the Shield’s Up campaign. It was a generalized, “hey, let’s be on guard.”

Pre-war, Russia started to test some of their attack surfaces at Ukraine. Back in 2015, they briefly shut down a large portion of (Ukraine’s) power grid just to show they can. Pre-war they started to do some more focused attacks. These attacks were introduced by using a (malware) “HermeticWiper” in an effort to try and be destructive against assets they were able to get access to. These HermeticWipers were basically DDoS (distributed denial-of-service) style of attacks, trying to cripple businesses.

What is a distributed denial-of-service (DDoS) cyberattack?

JON HALAR: A DDoS cyberattack is utilizing multiple computers and multiple origination points in order to overload or take something offline so it can’t respond to all of the requests at once. Cyberattacks pre-war were around data infiltration or ransomware where they were trying to get some type of monetary value out of corporations. In wartime, the purpose of the attacks is destruction, to shut down critical infrastructure and/or to shut down government’s ability to communicate effectively with the online network.

What is WhisperGate?

SCOTT: “WhisperGate” attacks started as the war began. WhisperGate attacks were not only a bootloader that corrupted the local disk, but it also had that Discord-based downloader that was bringing in the fake ransomware messaging … and so these businesses were getting this fake ransomware notice to try to con them into paying something to get their data back, when in actuality their data was gone, it was destroyed. So, these fake ransomware messages were just another attempt to cause more financial impact to the Ukraine provinces.

Once you put malware out there into the wild it has no geographical boundaries. This is what can happen when malware is introduced into what they think is a controlled environment, and it is not. It can actually bleed out. FedEx was the first element of attack in the U.S. that bled across. They had offices in the European market. And those bled into FedEx in Texas and then it bled out from there. Vendor relationships are how this can bleed over into the U.S.

JON: From a malware point of view … instead of targeting one business and one vertical, they can now target the supply chain of that vertical and impact the entire thing. So, we’re seeing more supply chain attacks from a malware perspective, where they’re coming in and almost shutting down industries in different countries where they’re attacking this at a vertical segment instead of an individual one-on-one basis. This is one of the most disruptive types of malware out there because it can affect one to many.

What is Shields Up?

JON: Shields Up is a collaboration of CISA and the FBI recognizing these threats abroad and saying there are no boundaries where these can go. We need to be preventive. That means that we’re patching things that we’re seeing on our networks and being proactive in combating these things. What Shields Up does is it gives you a centralized location to go … so you can understand what those zero grade threats are as we pull those in and quantify them so you can protect your organization. This is a rapidly changing environment. We’re seeing new attacks on a weekly basis. Shields Up is a great resource … it gives you a single source of truth that you can check in and see if you’re doing the right things.

Best Practices for Cybersecurity During International Conflict

1. 3-2-1 Backups

SCOTT: Backup, backup, backup is probably one of the most important things you can do. You can try to be as preventive and protective as possible, but you have to be recoverable. You have to assume that you’re going to get attacked. If you have a method of being able to recover, then the cyberattack is not nearly as impactful to the organization. You have to have some level of backup.

What is 3-2-1 backup protection? Creating one primary backup and having two copies of your data. What’s the two? Save your backups to two different types of media so they’re stored separately. Keep one backup offsite or in the cloud.

JON: These are backups that can’t be altered in any way (immutable backups). In the event that ransomware comes in and locks down the entire organization, those immutable backups are offsite. You can pull them back in and restore instead of having nothing and having to start from the very beginning again.
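An added example, not from the webinar and not NetGain’s or Arctic Wolf’s code, that turns the two points above into checks you can run: whether a set of backup copies actually satisfies 3-2-1 (three copies, two media types, one offsite) with an immutable offsite copy, and whether the copies still match a SHA-256 manifest written at backup time, which is how you notice that ransomware has quietly rewritten them. The inventory fields, the `MANIFEST.sha256` name and the files tampered with in `demo()` are assumptions constructed for illustration.

```python
"""3-2-1 backup inventory check plus manifest-based tamper detection.
Added example; field names, manifest name and sample data are assumptions."""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    label: str
    media: str       # e.g. "disk", "tape", "object-storage" (assumed vocabulary)
    offsite: bool
    immutable: bool  # WORM tape or object-lock bucket: cannot be altered or deleted


def check_321(copies):
    """Return a list of rule violations; an empty list means the set is compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"{len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append("all copies on one media type, need at least 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    if not any(c.offsite and c.immutable for c in copies):
        problems.append("no immutable offsite copy")
    return problems


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Hash every file under backup_dir into MANIFEST.sha256 ('<hex>  <relpath>' per line)."""
    backup_dir = Path(backup_dir)
    lines = []
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != "MANIFEST.sha256":
            lines.append(f"{sha256_file(p)}  {p.relative_to(backup_dir).as_posix()}")
    (backup_dir / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_manifest(backup_dir):
    """Re-hash each manifest entry; returns {relpath: 'ok' | 'modified' | 'missing'}."""
    backup_dir = Path(backup_dir)
    status = {}
    for line in (backup_dir / "MANIFEST.sha256").read_text().splitlines():
        if not line:
            continue
        digest, rel = line.split("  ", 1)
        p = backup_dir / rel
        if not p.is_file():
            status[rel] = "missing"
        else:
            status[rel] = "ok" if sha256_file(p) == digest else "modified"
    return status


def demo():
    """Constructed scenario: a backup set is hashed, then one file is overwritten
    (simulated ransomware) and another deleted; verification flags both."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'x');\n")
        (root / "config.yaml").write_bytes(b"retention: 30d\n")
        (root / "notes.txt").write_bytes(b"quarterly export\n")
        write_manifest(root)
        (root / "db" / "customers.sql").write_bytes(b"\x00" * 16)  # tampered in place
        (root / "notes.txt").unlink()                               # deleted
        return verify_manifest(root)


if __name__ == "__main__":
    inventory = [
        BackupCopy("primary", "disk", offsite=False, immutable=False),
        BackupCopy("nightly", "disk", offsite=False, immutable=False),
        BackupCopy("cloud", "object-storage", offsite=True, immutable=False),
    ]
    print(check_321(inventory) or "3-2-1 compliant")
    print(demo())
```

The manifest only helps if a copy of it lives somewhere the attacker cannot rewrite (the immutable offsite copy, or a separate signed record); a manifest stored next to mutable backups will simply be regenerated along with the encrypted files.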

2. Breach Awareness

JON: It’s paramount to really understand when a breach occurs at the organization so you can react quickly to it. The more that we’re aware of these attacks the better that we can respond to it.

SCOTT: Breach awareness is kind of difficult. IT guys have to go to bed, right, they have to sleep. How are you supposed to keep eyes on your infrastructure on a 24/365 basis?

Programs are designed to deliver that… to keep eyes on your infrastructure. I’m talking about network traffic throughout. Efforts that exist at the firewall level that are trying to breach into your network and can be identified and maybe action can be determined against that particular threat. That’s the type of breach awareness that most businesses simply do not have incorporated. They have down time in their IT watching and that’s when the attackers hit. Hackers don’t have a clock. They don’t work 8-5. They work any time during the night and day, and they will initiate an attack anytime.

If you’re not putting eyes to that infrastructure, then it is a possible threatening event within your infrastructure. You have to be protective of it. And that includes endpoints and servers as well. Having advanced threat recognition (at endpoints and servers) is extremely important in being able to determine if something bad is happening. If you can be alerted when something bad is happening, now you can be proactive in the prevention of that attack.
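As an added illustration of the firewall-level awareness described above (example code, not the webinar’s and not any vendor’s product): a small detector that parses constructed firewall allow/deny lines, flags a single source that repeatedly hits one service or sweeps many ports within a five-minute window, and records whether the activity fell outside 08:00 to 17:00, the hours when nobody may be watching. The log format, thresholds, business hours and addresses (RFC 5737 documentation ranges) are assumptions, and the sample lines in `sample_logs()` are constructed, not real logs.

```python
"""Sliding-window detection over constructed firewall log lines.
Added example; log format, thresholds and sample data are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Return a dict for a well-formed line, None for anything else (skipped, not fatal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["dport"] = int(d["dport"])
    return d


def after_hours(ts, start=8, end=17):
    """True outside the assumed 08:00-17:00 staffed window."""
    return not (start <= ts.hour < end)


def detect(lines, window=timedelta(minutes=5), deny_threshold=5, port_threshold=10):
    """Per source IP, slide a window over its events and raise at most one alert per rule:
    - 'bruteforce': >= deny_threshold DENYs to the same dst:port inside the window
    - 'portscan'  : >= port_threshold distinct destination ports inside the window"""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fired = set()
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            denies = defaultdict(int)
            for e in win:
                if e["action"] == "DENY":
                    denies[(e["dst"], e["dport"])] += 1
            hits = []
            if any(n >= deny_threshold for n in denies.values()):
                hits.append("bruteforce")
            if len({e["dport"] for e in win}) >= port_threshold:
                hits.append("portscan")
            for rule in hits:
                if rule not in fired:
                    fired.add(rule)
                    alerts.append({
                        "rule": rule,
                        "src": src,
                        "first_seen": start["ts"].isoformat(),
                        "after_hours": after_hours(start["ts"]),
                    })
    return alerts


def sample_logs():
    """Constructed lines using RFC 5737 documentation addresses; not real traffic."""
    lines = []
    t0 = datetime(2022, 3, 17, 2, 14, 5)
    for i in range(6):   # one source hammering RDP: six denies in 100 seconds
        ts = (t0 + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(f"{ts} fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp")
    t1 = datetime(2022, 3, 17, 2, 20, 0)
    for i in range(12):  # another source sweeping twelve ports in a minute
        ts = (t1 + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f"{ts} fw01 DENY src=203.0.113.9 dst=198.51.100.10 dport={20 + i} proto=tcp")
    t2 = datetime(2022, 3, 17, 10, 0, 0)
    for i in range(3):   # ordinary daytime HTTPS traffic, should not alert
        ts = (t2 + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f"{ts} fw01 ALLOW src=198.51.100.50 dst=198.51.100.20 dport=443 proto=tcp")
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for a in detect(sample_logs()):
        print(a)
```

Both alerts in the sample fire at about 02:15, which is the point of the `after_hours` flag: a rule that only someone on shift will read is not coverage. Whatever raises the alert must page a person, or a managed service, at that hour.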

3. Multi-Factor Authentication (MFA)

JON: Next point is multi-factor authentication (MFA) … a password is something you have, MFA is something you know and together you can protect yourself. That way, if your username and password have been scrubbed and it’s out there, having a physical device that you also have to press OK on or type in a key gives that two-factor authentication to lock down things before (hackers) can get into the organization. Simply putting MFA on all of the different devices is key to locking down your security posture overall.

SCOTT: If you reached out to the FBI and said: “what is the one thing I can do to immediately improve the protection for my business?” They’re going to tell you MFA. Because that is the best way to protect a point of authentication into your network. You are no longer dependent on just a single password to get into that device. Having that second leg of authentication requirement can avoid somebody from giving their information up via a phishing attack. With that second leg (of authentication), it’s another layer that the attacker would have to know to be able to get into that network. MFA is certainly important for cybersecurity during international conflict.
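To make the “second leg” concrete, here is an added example (not the webinar’s, and not NetGain’s or Arctic Wolf’s code) of a time-based one-time password check as specified in RFC 6238, wrapped in a login routine that needs both the password and a fresh code, tolerates one 30-second step of clock drift, and refuses a code that has already been consumed. The user record layout, the `login()` routine and the sample password are assumptions; the TOTP secret is the published RFC 6238 test-vector secret, so the expected codes are known.

```python
"""RFC 6238 TOTP verification with replay protection, plus a two-factor login.
Added example; user record layout and sample credentials are assumptions."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now, last_counter=-1, step=30, digits=6, skew=1):
    """Return the time-step counter that matched, or None.
    Accepts the current step and +/-skew neighbours to absorb clock drift, but
    never a counter <= last_counter, so a code that was already used once
    (e.g. captured by a phishing page) cannot be replayed."""
    base = int(now) // step
    for counter in range(base - skew, base + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def make_user(password: str, totp_secret: bytes) -> dict:
    """Assumed user record: salted PBKDF2 password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest counter already accepted
    }


def login(user: dict, password: str, code: str, now: float):
    """Two-factor check: returns (success, reason). Both legs must pass."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False, "bad password"
    counter = verify_totp(user["totp_secret"], code, now, user["last_counter"])
    if counter is None:
        return False, "bad or reused MFA code"
    user["last_counter"] = counter
    return True, "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    user = make_user("hunter2", secret)
    code = totp(secret, 59)                   # "287082" per RFC 6238
    print(login(user, "hunter2", code, 59))   # (True, 'ok')
    print(login(user, "hunter2", code, 59))   # replay: (False, 'bad or reused MFA code')
    print(login(user, "hunter2", code, 59 + 3600))  # expired window
```

Two practical notes. The constant-time compare and the `last_counter` check are cheap and worth keeping, but a TOTP code relayed by a phishing proxy in real time is still valid for the attacker, because it is used before the victim's own attempt; only phishing-resistant factors such as FIDO2 security keys close that gap. And the window tolerance (`skew`) should stay small: every extra step accepted is another valid code an attacker could guess or replay.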

4. Password Management

JON: That rolls right into password management… Utilizing the same password for one website and the same one for your laptop is easy … but it’s easy for the bad guys as well. What we recommend is a password manager, so you have one password that protects the rest of them, and then utilizing unique passwords across the entire landscape (personal and business).

5. Active Updates and Patching

SCOTT: Then there’s active updates and patching. You have to make sure that you’re downloading and uploading the latest security updates and the latest firmware to be preventive. If you’re not deploying those patches (and firmware) you are going to be subject to the attack.

6. Shadow IT

SCOTT: Shadow IT is something that’s probably utilized across a lot of businesses in the effort of somebody controlling or configuring your firewall or primary core application. The more the IT team doesn’t have understanding and/or control over these areas, they become areas of possible compromise. The IT team needs to know who has access to configure what within your enterprise. Eliminating, or at least minimizing, shadow IT controls is super important.

7. Cyberattack Preparedness

SCOTT: There’s also cyberattack preparedness. You need to assume that you’re going to be attacked. You need to exercise your disaster recovery capabilities. You need to exercise your incident response planning. Being prepared, being able to detect threats through advanced threat programs, being able to verify your recovery through your backups, being able to evaluate your incident response planning are all super important at being able to be preventive in case of an attack.

8. End User Education / Social Awareness Training

JON: User education is really the most important one. Ask any IT folks: “what’s the weakest point of your network?” They’ll most likely say the end users. And they’re right. We’ve seen click happy end users. They’ll download things. They’ll click email links. We need to make sure we’re educating the end users on these attack vectors as well.

SCOTT: There are programs out there that can elevate the understanding or the awareness that your users have about cyber threat, what it looks like, how it feels, and what they’re supposed to do. Those exercises are how you improve the awareness for your end users. Arctic Wolf has a managed awareness program that distributes phishing tests constantly throughout your enterprise. These programs are sometimes looked at as punishments. But they’re really not. The idea is to educate and understand. The only way that you can improve the prevention of those types of cyberattacks is to increase your awareness.

Watch the complete version of the webinar, including audience Q&A here.
