As the Ukraine crisis unfolds, security leaders and practitioners have an important role in preparing organizations for the potential of Russian cyber threats. However, we must recognize the heartbreaking human tragedy under way and put our roles as cybersecurity leaders and practitioners in the proper context. We are defending networks in cyberspace. Meanwhile, there are men, women, and children hiding in Kyiv subways fighting for their actual lives.
I’m aiming to avoid hyperbole and knee-jerk reactions by offering pragmatic recommendations to help the security community better prepare for what could emerge from the events in Ukraine to impact business on a global scale. Here are my recommendations:
- Take care of team members.
Prioritize the mental health and well-being of the company's teams. We're witnessing tragedy on a global scale that will have a lasting impact. Set up rotations so that rested people are always available. If necessary, deprioritize other work so the organization can adequately respond to this conflict. Recovery time remains critical if the organization's cyber response becomes protracted. Treat this crisis as a marathon, not a sprint, and model self-care for other team members.
- Know the company’s threat model and where Russian actors rank.
It’s unlikely that Russia will target all industry sectors and nations: not everyone is on a hit list in Moscow. Most defenders should stay more concerned with commodity ransomware than Russian APTs. But if the company has business interests or business partners in Ukraine, the threat model changes. Watch out for Russian-aligned ransomware actors like Conti targeting Western interests.
Russia will likely target specific industries, so watch Western sanctions closely. The Russians could choose “tit for tat” targeting and go after the equivalent of any Russian company or individual sanctioned. Banks and the energy sector are likely targets in this scenario. We may also see unintended victims of Russian targeting. Think Maersk in 2017 and the NotPetya attack that cost hundreds of millions of dollars. A wormable attack could impact almost everyone: once the genie is out of the bottle, it’s not possible to put it back in.
- Communicate effectively up the chain of command.
Get ahead of the news cycle and shape leadership's view of the Russian invasion and its meaning to the organization. Leverage external reporting from threat intelligence providers and enrich it with internal context. Assess and explain the risks, their likelihood and impact, and the organization’s strategy going forward. With this, establish a standard cadence for briefing updates.
- Conduct tabletop exercises.
If Russian actors are in the organization’s threat model, and the company hasn’t already conducted tabletop exercises on DDoS and destructive wiper malware, schedule them ASAP. These are the most likely scenarios to play out. If the company has completed a recent tabletop exercise, pull out the after-action review and refresh the team. Hopefully, the company has implemented some of the previous lessons learned. Include senior leadership in the tabletop exercise.
CISA provides excellent templates that organizations can build upon: CISA Tabletop Exercise Packages (CTEPs). Customize the ransomware and ICS scenarios to help plan for cyber threats associated with Russian actors.
- Prepare a DDoS mitigation strategy.
Russia has employed DDoS attacks for many years. I'm not going to argue whether DDoS should be called an attack or not; I'm just going to suggest options. If a DDoS attack from a Russian actor is in the company’s threat model, then:
1. Assess the organization’s current mitigation capabilities. Does the company have on-premises gear, upstream ISP protection, or a DDoS mitigation service? Understand the solution and how much bandwidth protection it offers. I've not been able to find numbers on the size of this week's Ukrainian DDoS attacks, but they were reportedly substantial.
2. If the company doesn’t have a solution in place, reach out and start talking to providers. Define the organization’s requirements and evaluate vendors before an attack occurs.
3. Assess the likelihood of an attack and make a risk-based decision on whether to implement a DDoS mitigation solution. Calculate the downtime or lost revenue and compare that against the cost of the mitigation.
- Prepare a destructive wiper malware strategy.
Unlike ransomware, where companies can conceivably recover data, destructive wiper malware goes "scorched earth" and takes out the entire infrastructure. Use intelligence produced by security researchers to guide a wiper malware strategy. Sandworm has become the most relevant actor to the current conflict. The MITRE ATT&CK framework has profiles of prominent actors who have leveraged wipers. Use these profiles to shore up defenses against this type of attack. Familiarize the team with Sandworm and look out for any new intelligence related to its activities.
In January, in response to WhisperGate, which targeted Ukraine, CISA provided guidance: "Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats." It can help organizations protect against, detect, and respond to wiper malware.
- Leverage threat intelligence.
Threat intelligence can play a decisive role in navigating the threat landscape and what the Russian invasion of Ukraine means to the organization and the rest of the world. Before looking for any free or commercial third-party intelligence, start with the company’s data and telemetry. Internal data is unique and relevant to the organization. Develop intelligence requirements to help understand the Russian threat to the organization. Once requirements are defined, develop a collection plan that uses internal and external sources to answer the questions.
Governments are putting out helpful information about the current Russian threats. CISA has made recommendations through the ShieldsUp initiative. Follow CISA on Twitter to stay abreast of the agency’s regular threat updates and advice. The United Kingdom's National Cyber Security Centre (NCSC) also has guidance on how to bolster defense.
Establish and maintain relationships with peers/competitors for industry-specific threat intelligence. There are private trust groups where teams collaborate for the greater good. In the United States, the Information Sharing and Analysis Centers (ISACs) and the Information Sharing and Analysis Organizations (ISAOs) for each specific vertical sector are good places to go. The FS-ISAC and the various energy-related ISACs are good to join and stay active in.
Rick Holland, chief information security officer and vice president of strategy, Digital Shadows