Russia’s war in Ukraine: 3 cybersecurity takeaways for enterprises
Offensive cyber actions are an integral part of modern armed conflict. The Russian invasion of Ukraine has been no exception.
Russia had already shown it could damage the fledgling democracy through cyberwarfare. Since at least 2013, suspected Russian attacks against Ukraine have included attacks against critical national infrastructure, for example the destructive NotPetya worm of 2017, which remains Ukraine’s most destructive cyber attack.
Since the invasion, there has been a continuing onslaught of attacks against both the public and private sectors — but organizations have largely been able to repel them. This demonstrates that with planning, preparation and the necessary resources, attacks conducted by even the most sophisticated and persistent attackers can be defeated.
Cisco is proud to support the people of Ukraine, both through humanitarian assistance and in securing systems. Working together with Ukrainian authorities, we have been providing intelligence and resources to help defeat cyber attacks against the country for more than six years. Since the invasion, Talos has formed a Security Operations Center (SOC) to aggressively hunt for threats affecting Ukraine. It is also directly defending more than 30 Ukrainian critical infrastructure and government organizations.
Drawing on these experiences, we offer three tips to help organizations defend themselves:
Customize security and defenses against threats and attacks
A proactive defense customized to your environment makes attacks more difficult to conduct and easier to detect.
Remove network connections, services, applications and systems that are no longer required. Keep only those critical to the business. If your business has many applications providing similar functionality, agree on one and remove the remainder. If certain applications are necessary but rarely used, restrict access to the few who use them.
Similarly, restrict access to sensitive data only to those who really need it. Many functions may be better served by having restricted access to subsets or aggregates of data rather than full access to everything.
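One way to turn the two paragraphs above into a repeatable review is to compare what people are entitled to use against what they actually use, and flag grants (and whole applications) that have sat idle. The script below is an added example, not code from the article or from Cisco Talos; the entitlement list, the access log and the 90-day idle threshold are all constructed for the demo.

```python
"""Entitlement review: flag access grants that nobody has used recently.

Added illustration (not from the article or Cisco Talos). Assumes two
constructed inputs: a list of entitlements (who may use which application
or data set) and an access log of who actually used what, and when.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: entitlements granted in an identity system.
ENTITLEMENTS = [
    ("alice", "payroll-db"),
    ("bob", "payroll-db"),
    ("carol", "payroll-db"),
    ("dave", "legacy-crm"),
    ("erin", "legacy-crm"),
    ("alice", "wiki"),
]

# Constructed sample access log: (user, application, ISO-8601 timestamp).
ACCESS_LOG = [
    ("alice", "payroll-db", "2022-11-01T09:12:00"),
    ("alice", "payroll-db", "2022-11-20T10:03:00"),
    ("bob", "payroll-db", "2022-06-02T14:45:00"),
    ("alice", "wiki", "2022-11-21T08:00:00"),
    ("dave", "legacy-crm", "2022-04-11T11:30:00"),
]


def last_use(access_log):
    """Map (user, app) -> datetime of the most recent recorded use."""
    latest = {}
    for user, app, ts in access_log:
        when = datetime.fromisoformat(ts)
        key = (user, app)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def stale_entitlements(entitlements, access_log, now_iso, max_idle_days=90):
    """Entitlements with no use inside max_idle_days; never used counts as stale.

    Returns (user, app, last-used date or "never") tuples in entitlement order.
    """
    latest = last_use(access_log)
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    stale = []
    for user, app in entitlements:
        when = latest.get((user, app))
        if when is None or when < cutoff:
            stale.append((user, app, when.date().isoformat() if when else "never"))
    return stale


def idle_applications(entitlements, access_log, now_iso, max_idle_days=90):
    """Applications where every grant is stale: candidates for decommissioning."""
    stale_pairs = {(u, a) for u, a, _ in
                   stale_entitlements(entitlements, access_log, now_iso, max_idle_days)}
    grants_by_app = defaultdict(list)
    for user, app in entitlements:
        grants_by_app[app].append((user, app))
    return sorted(app for app, grants in grants_by_app.items()
                  if all(g in stale_pairs for g in grants))


if __name__ == "__main__":
    review_date = "2022-12-01"
    for user, app, seen in stale_entitlements(ENTITLEMENTS, ACCESS_LOG, review_date):
        print(f"revoke? {user:6} {app:12} last used {seen}")
    print("applications with no active users:",
          idle_applications(ENTITLEMENTS, ACCESS_LOG, review_date))
```

Feeding the output into an access-certification step (owner confirms or revokes each flagged grant) is what makes the review stick; an application that every holder has left idle for the review window is the "agree on one and remove the remainder" case made visible in data.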
Defend your crown jewels
Know where your most precious data and systems reside. These are the systems that would cause the most damage to your organization if they were compromised or unavailable. Ensure that access to these systems is limited and that suitable protection is in place to mitigate threats. Importantly, make sure that critical data is not only regularly backed up but that teams are able to restore the data when damage occurs.
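A backup that has never been restored is an assumption, not a control. The script below is an added example (not from the article or Cisco Talos) of a restore drill that can run on a schedule: it archives a directory, extracts the archive into a scratch location and proves every file came back byte for byte, treating a truncated archive or data that has drifted since the backup as a failed drill rather than an exception. The sample data, paths and archive name are constructed for the demo.

```python
"""Backup restore drill: back up a directory, restore it elsewhere, prove the
copies match.

Added illustration (not from the article or Cisco Talos). Paths and file
contents are constructed for the demo.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source_dir, archive_path):
    """Write a gzip tar of source_dir's contents; return the archive's SHA-256."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for child in sorted(Path(source_dir).iterdir()):
            tar.add(child, arcname=child.name)
    return hashlib.sha256(Path(archive_path).read_bytes()).hexdigest()


def verify_restore(archive_path, expected_digests):
    """Restore into a scratch directory and compare against the digests taken
    at backup time. True only if the restored tree is complete and identical;
    a corrupt or truncated archive yields False instead of raising."""
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # Refuse absolute paths and path traversal in archive members.
                    tar.extractall(restore_dir, filter="data")
                except TypeError:  # Python without the extraction-filter argument
                    tar.extractall(restore_dir)
        except (tarfile.TarError, OSError, EOFError, zlib.error):
            return False
        return sha256_tree(restore_dir) == expected_digests


def restore_drill(source_dir, archive_path):
    """Full drill: back up, then immediately prove the backup can be restored."""
    expected = sha256_tree(source_dir)
    create_backup(source_dir, archive_path)
    return verify_restore(archive_path, expected)


def make_sample_data(root):
    """Constructed stand-in for critical data."""
    root = Path(root)
    (root / "db").mkdir(parents=True)
    (root / "db" / "customers.csv").write_text("id,name\n1,Example Ltd\n")
    (root / "config.yaml").write_text("backup_interval: daily\n")


def drill_demo():
    """Run the drill against an intact, a drifted and a truncated backup."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        data = os.path.join(work, "data")
        archive = os.path.join(work, "backup.tgz")
        make_sample_data(data)
        expected = sha256_tree(data)
        create_backup(data, archive)
        results["intact"] = verify_restore(archive, expected)
        # Data changed after the backup: the archive no longer matches live data.
        Path(data, "config.yaml").write_text("backup_interval: hourly\n")
        results["drifted"] = verify_restore(archive, sha256_tree(data))
        # Truncated archive, as after a failed copy to off-site storage.
        blob = Path(archive).read_bytes()
        Path(archive).write_bytes(blob[: len(blob) // 2])
        results["truncated"] = verify_restore(archive, expected)
    return results


if __name__ == "__main__":
    for case, ok in drill_demo().items():
        print(f"{case:10} restore drill {'passed' if ok else 'FAILED'}")
```

The digests are captured from the live data at backup time and stored alongside the archive, so a later drill can tell "the archive is damaged" apart from "the data has legitimately changed since"; both need a human to look, but for different reasons.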
Like any criminal activity, cyber attacks leave evidence at the scene of the crime. Even the most sophisticated of attackers leave traces that can be uncovered, and may choose to use mundane commodity tools to perpetrate their activity.
Don’t deprioritize or downplay the discovery of a relatively common or unsophisticated malicious tool or dual-use software. Attackers frequently establish a toehold within an organization using commodity tools before pivoting to use more sophisticated techniques.
If evidence of a breach is detected, trigger the incident response process to rapidly remediate the incursion. Identify which systems the attacker was able to access, where the attacker was able to persist, and most importantly, how the attacker was able to penetrate defenses. Fix any deficiencies before the attacker learns and improves their actions.
Remember that nobody can keep watch over all systems all the time. Prioritize monitoring your most precious data and systems so that any deviation from normal behavior can be quickly identified and investigated. Regularly conduct drills and rehearse response to potential incidents so that teams are well aware of the required steps and are aware of the various teams they need to coordinate with in the case of a genuine incident.
Traces of incursion will be found within system and network logs. Aggregating these logs so that they can be queried enables teams to actively search for possible signs of compromise. This allows attacks to be identified early before the attacker has had a chance to fulfill their objectives or cause any harm.
Use threat intelligence to improve security
Pay attention to reports of how attackers have conducted attacks. Consider how the malicious techniques and procedures used in previous attacks may be uncovered within your system and network logs. Actively search for this evidence of possible incursion.
Hunt down and investigate anomalous behavior. Seek out systems that are behaving differently from others. In most cases there will be an innocent explanation, but sooner or later you’ll discover something that needs rectifying.
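The three hunting ideas above (query aggregated logs for signs of compromise, look for the techniques described in threat reports, and seek out systems that behave differently from their peers) can be exercised in one pass over an event store. The script below is an added example, not code from the article or from Cisco Talos. The key=value process-creation log format, the ten events from five hosts, the hostnames and the two detection rules standing in for a threat report are all constructed for the demo.

```python
"""Hunt over aggregated endpoint logs: match techniques from a threat report,
then flag hosts running something the rest of the fleet does not.

Added illustration (not from the article or Cisco Talos). The log format,
the "threat report" rules and all hostnames are constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed process-creation events aggregated from five workstations.
LOG_LINES = r"""
2022-11-22T08:01:10 host=ws-01 user=jsmith proc=outlook.exe cmd="outlook.exe"
2022-11-22T08:02:44 host=ws-02 user=mlee proc=outlook.exe cmd="outlook.exe"
2022-11-22T08:03:12 host=ws-03 user=akhan proc=outlook.exe cmd="outlook.exe"
2022-11-22T08:05:30 host=ws-04 user=bwong proc=outlook.exe cmd="outlook.exe"
2022-11-22T08:07:02 host=ws-05 user=cdiaz proc=outlook.exe cmd="outlook.exe"
2022-11-22T09:15:07 host=ws-01 user=jsmith proc=excel.exe cmd="excel.exe budget.xlsx"
2022-11-22T09:16:48 host=ws-03 user=akhan proc=excel.exe cmd="excel.exe q3.xlsx"
2022-11-22T23:41:19 host=ws-03 user=akhan proc=schtasks.exe cmd="schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc minute"
2022-11-22T23:43:27 host=ws-03 user=akhan proc=u.exe cmd="C:\Users\Public\u.exe"
2022-11-23T07:58:40 host=ws-02 user=mlee proc=excel.exe cmd="excel.exe forecast.xlsx"
"""

# Constructed stand-in for techniques lifted from a threat intelligence report:
# (rule name, required process name or None, regex over the command line).
TTP_RULES = [
    ("scheduled task pointing at a user-writable path", "schtasks.exe",
     re.compile(r"/create\b.*\\Users\\Public\\", re.IGNORECASE)),
    ("binary executed from a user-writable path", None,
     re.compile(r"^[A-Za-z]:\\Users\\Public\\", re.IGNORECASE)),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'proc=(?P<proc>\S+) cmd="(?P<cmd>[^"]*)"$'
)


def parse(lines):
    """Parse key=value event lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in lines.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def hunt_ttps(events, rules):
    """Return (host, rule name, timestamp) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, proc, pattern in rules:
            if proc is not None and ev["proc"].lower() != proc:
                continue
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["ts"]))
    return hits


def outlier_processes(events, max_hosts=1):
    """Processes seen on at most max_hosts hosts, with the hosts that ran them.

    A process that every peer runs is probably normal; one that a single
    host runs is where to start asking questions.
    """
    hosts_by_proc = defaultdict(set)
    for ev in events:
        hosts_by_proc[ev["proc"].lower()].add(ev["host"])
    return {proc: sorted(hosts) for proc, hosts in hosts_by_proc.items()
            if len(hosts) <= max_hosts}


if __name__ == "__main__":
    events = parse(LOG_LINES)
    for host, rule, ts in hunt_ttps(events, TTP_RULES):
        print(f"TTP match  {ts} {host}: {rule}")
    for proc, hosts in outlier_processes(events).items():
        print(f"outlier    {proc} seen only on {', '.join(hosts)}")
```

The two views reinforce each other: the rule hits say which reported technique was seen and where, and the outlier list surfaces the same host without any rule at all, which is what catches a technique the report did not describe.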
Think like an attacker
Nobody knows your systems and networks better than the teams that maintain and operate them. Involve operations teams in threat hunting, ask them about potential weaknesses or how users have bypassed restrictions. Use their knowledge to improve defenses and concoct new threat hunting strategies.
Typically, attackers look to do the bare minimum to achieve their goal. If an attacker finds that their attempts to breach your organization fail, or they are quickly detected, they will be tempted to move on to an easier target.
A model for security resilience against threats
Passive defense is not enough to combat the complexity, sophistication and persistence of today’s security threats. Security teams must proactively hunt for hidden threats, even with security systems in place.
Remember, cybersecurity relies on the dedication and skill of security professionals. Invest in the training and well-being of your teams. Defending against attacks is a 24/7 activity, but defenders are human and need adequate down-time to rest and recover if they are to have the mental agility to spot sophisticated incursions.
Ukraine has weathered the storm of Russian cyber aggression because defenders have prepared well, actively hunted attacks, and learned from previous incidents how to improve their security posture and hunting techniques.
These lessons provide a useful model that your company can apply to increase its security resilience:
- Customized Defenses: Harden systems and identify key systems.
- Active Vigilance: Respond to all incidents, however minor.
- Hunt Proactively: Search for evidence of incursion.
Cyber attacks are conducted by criminals with a clear idea of what they want to achieve. Preventing and detecting attacks is not a haphazard activity to be discharged lightly. With the right focus and resources, even the most sophisticated and persistent attacks can be defeated.
Martin Lee is technical lead of security research within Talos, Cisco’s threat intelligence and research organization.