By Jon King, CNM Cybersecurity & Privacy Director
and Janaki Desai, CNM Cybersecurity & Privacy Manager
Executive Summary
The Russian invasion into Ukraine has exacerbated the existing cybersecurity threat landscape, introducing greater opportunity for threat actors to cause harm to organizations. Although advanced threat actors will be actively working to take advantage of the situation, most organizations will not be directly targeted by nation-state actors and are best served by prioritizing their efforts to bolster and mature their core cyber hygiene and baseline governance practices. Ukraine’s geography and strategic location introduce further challenges to the existing global supply chain issues, emphasizing organization’s imperative to establish and reinforce policies and procedures around effective management and monitoring of third-party service providers and vendors up and down the supply chain. Additionally, conflict of any type in the information age mandates heightened awareness of misinformation and disinformation. Refreshed training on social engineering and misinformation helps reduce the likelihood that threat actors’ efforts will result in disruptions to operations.
Introduction
Russia’s invasion of Ukraine is not characterized as “Conventional warfare vs. Cyber warfare” – In this case, Cyber warfare is a complement to conventional warfare, not an alternative. As with any other form of warfare, collateral damage and opportunistic actors will present risks even to those detached from the conflict. We may not be operating on the same continent, but we are reliant on the same Internet.
Cyber Hygiene
The recent malware attacks on organizations in Ukraine highlight the need to implement baseline cybersecurity controls. To minimize risk of a data breach and exposure of an organization’s system environment, the following security measures should be employed.
- Logging and Monitoring – It is imperative that organizations collect and review audit logs for anomalous activity with focus on privileged and service accounts, network flow data, and network device configuration changes.
- Multifactor Authentication – There are many variations of multifactor authentication. The recommended approach is combining strong passwords with pin codes, security tokens, or biometrics.
- Network Traffic Filtering – A zero trust model, which assumes a breach is imminent, helps to strengthen network security by explicitly verifying all data points, using the principle of least privilege, and implementing network segmentation. A centralized device management strategy using a layered and device level access control approach can protect an organization’s network from threat actors.
- Patching – Staying up to date on the latest patches for systems and developing a patch management policy and procedure to include testing and automation is crucial in addressing known vulnerabilities and ensuring systems operate smoothly.
- Regular Antivirus/Antimalware Scans – Organizations that conduct regular and automated antivirus scans are more successful at identifying and removing malicious threats.
- Strong Spam Filtering – Strengthening spam filters will make the organization less susceptible to phishing attacks as less fraudulent emails reach end users.
- Vulnerability Scanning – A robust Vulnerability Management Program is vital to the evaluation and prioritization of security vulnerabilities and risk. Incorporating an automated vulnerability scanning tool can identify and mitigate risk to the organization and assist with continuous monitoring.
These baseline cyber hygiene and hardening best practices can be further complimented with more mature approaches by utilizing and applying threat intelligence to optimize preventive, corrective, and detective capabilities. Cyber hygiene practices should be used in conjunction with response and recovery plans to advance the program’s maturity.
Resilience Planning
As threat actors have adopted increasingly sophisticated tactics, organizations have developed improved information security and cybersecurity capabilities to protect processes from disruption. The increased threats facing organizations today mandate a unified and consistent approach to resilience planning that encompasses detecting and responding to incidents, maintaining minimum required business operations while systems are impacted, recovering from disasters that impact operations and systems, and – if required – reconstituting critical systems and data after destruction. Destructive malware targeting critical infrastructure in Ukraine illustrates the importance of maintaining a resilience planning program.
In addition to policy requirements to document and adopt a plan for disruptive events, organizations should work with business unit and team leaders to confirm that teams are well versed in the adjustments and changes to procedures required when systems are unavailable or offline. Checklist tests may also be used to confirm whether key aspects of a resilience plan are in place and actionable, such as maintaining an up-to-date physical copy of contact information for stakeholders and key third party service providers.
Organizations with more mature and stable resilience plans should also consider conducting technical exercises to identify likely indicators of compromise related to known threat actor activity and update their incident response playbooks. This type of exercise, often called a purple team or adversary emulation exercise, helps tune incident detection and response capabilities in support of overall resilience.
Baseline: Document a unified resilience plan and confirm that critical plan elements are in place
Mature: Conduct exercises to identify gaps in resilience plans and implement lessons learned
Third-party Service Provider & Supply Chain Risk Management
The real-world impacts of armed conflict impact business operations, disrupting supply chains and distribution channels. The Russian invasion of Ukraine also introduced potential impacts to European oil pipelines, in turn introducing potential disruption to European supply chains and distribution channels. These are in addition to the risk of cybersecurity events affecting third-party service providers and supply chain or distribution partners, highlighting the complex and multi-faceted impacts of Russia’s actions.
Addressing disruptions to complex supply chain systems represents entire fields of study, however beginning the processes early to allow for selection processes, due diligence and due care, and integration into third-party risk management and governance programs reduces the likelihood that organizations will inadvertently be exposed to unnecessary risks when a partner is ultimately affected by the conflict.
Baseline: Document and review third-party and supply chain risk management programs
Mature: Identify and begin reviewing third-parties capable of supporting contingency plans to maintain affected operations
Social Engineering and MDM
“New forms of disinformation have come to the fore over the last decade, enabled by … social media, creator platforms, search engines, and messaging services, [which] now provide state and non-state actors with powerful channels for distributing disinformation (Microsoft Digital Defense Report OCTOBER 2021)”. As tensions and conflict escalate, nation-states leverage propaganda and other forms of misinformation, disinformation, and malinformation (MDM) to establish points of leverage and footholds across the broader geopolitical landscape, as described by CISA. As observed with COVID-19, competing sources of information designed to take advantage of biases and closely held beliefs introduced opportunities for phishing campaigns, watering hole attacks, and other forms of social engineering.
While it is reasonable to expect the most advanced threat actors to revisit these tactics, most organizations will not be directly targeted by nation-state actors and are best served by prioritizing their efforts against the techniques exhibited by ransomware access brokers and affiliates, such as the TTPs described in the Department of Health and Human Services’ (HHS) ATT&CK for Emotet presentation. Looking forward, the response to MDM should mature from a focus on clearly identifying preferred and authoritative sources of information, to removal of intentionally misleading or inaccurate information, and now to defining strong communication channels and exposing our resources and stakeholders to media literacy content and training.
Similar to social engineering, MDM is designed to appeal to cognitive biases and emotions. In the same way that our best defense against phishing campaigns is the ability to recognize their efforts, the best defense against disinformation is the ability to recognize efforts to introduce disinformation. This study by the Harvard Misinformation Review and the accompanying free online game offer a mechanism to help improve our ability to recognize disinformation. Organizations should also provide guidance to users about securing social media accounts and sources of information about the organization itself in order to reduce the likelihood that a manufactured narrative may disrupt or impact operations. CISA has published a guide to using the TRUST model for planning for and responding to MDM influence campaigns. Although the TRUST model is primarily targeted at election officials, the core principles apply to leaders in all industries.
Baseline: Conduct security awareness training and provide contextual updates and refreshers as the security situation changes
Mature: Maintain an ongoing information security and MDM awareness program
Conclusion
The cybersecurity landscape continues to present challenges and opportunities to organizations, navigating that landscape as conflicts and major events exacerbate and add to existing trends has become a core function of effective management. By implementing and validating cyber hygiene practices, reviewing organizational readiness and resilience, actively managing the risks from third-parties and supply chains, and maintaining a culture of security and MDM awareness, leaders can continue to guide their organizations through challenging times.
Resources
CISA Shields Up Shields Up | CISA
CISA Cyber Essentials CISA Cyber Essentials | CISA
CISA Alert AA22-011A Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure | CISA
CISA Alert AA22-057A Destructive Malware Targeting Organizations in Ukraine
CISA Insight Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure (cisa.gov)
CISA Supply Chain Risk Management Essentials CISA SCRM Essentials | CISA
CISA Incident and Vulnerability Response Playbooks New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks | CISA
CISA Guide to the TRUST model Mis-, Dis-, and Malinformation Planning and Incident Response Guide for Election Officials (cisa.gov)
Harvard Misinformation Review Breaking Harmony Square Article Breaking Harmony Square: A game that “inoculates” against political misinformation | HKS Misinformation Review (harvard.edu)
Breaking Harmony Square Game: Harmony Square
With Google Phishing Quiz Jigsaw | Phishing Quiz
