This post is also available in: 日本語 (Japanese)
The White House and U.S. Cybersecurity and Infrastructure Security Agency (CISA) have recently warned that Russia could launch disruptive cyberattacks against organizations in the U.S., NATO member countries and allies that support Ukraine.
Unit 42 has documented related cyberattacks in Ukraine over the past month. Given that U.S. officials note that evolving intelligence points to potentially destructive cyberattacks, we feel it is essential to encourage all organizations, as soon as possible, to review your cybersecurity policies and incident response plans, as well as to enhance your security posture.
Below are recommendations that organizations can quickly employ to put protections in place now, as well as some long-term ongoing cyber hygiene best practices.
You should consider how best to balance the needs of your organization with the potential cyber risk. It’s important to avoid interruptions to your business while also implementing security tools and practices to improve your organization’s vigilance and resilience. This can help head off the possibility of retaliatory cyberattacks, as well as help prevent any other attack activity that may be taking place.
It's very common that newsworthy events are leveraged by threat actors as topics and lures in phishing and spear-phishing attacks. Leading up to the military action commencing in Ukraine, Unit 42 saw spear-phishing attacks against Ukraine organizations to deliver malware.
- Follow best practices for URL Filtering. Some examples:
- If subscribing to Threat Prevention, make sure to create a profile and enable the signatures.
- Strengthen phishing defenses.
- Enable URL filtering on firewalls.
- Disable Microsoft Office macros.
- Train employees to spot suspicious emails, texts and fake aid websites.
- Follow best practices for password security, such as CASMM with a goal to reach level 6-8, and implement multi-factor authentication (MFA).
- Set up Credential Phishing Prevention on your firewall to prevent credentials being used where they shouldn't.
- Don’t open, click or run suspicious emails, files, links or programs when you do not recognize the sender or the domain – especially when you were not anticipating receiving the message. Before entering credentials, it’s a good idea to pause and check that you’re on the page you intended to visit. Pay close attention to random MFA popups, and when you do not recognize a login attempt, do not click “allow MFA.”
- Keep all software up to date. Apply patches on any internet-facing services ASAP. Attackers are opportunistic and will leverage whatever they can to gain access to your systems. It is also important to update carefully and across the development lifecycle, i.e., test first in an isolated development environment. Doing so ensures that the updates are free from sabotage or unintended behaviors. (In one recent example, updates for the node-ipc package included modules that had unintended behaviors intended to protest the Ukraine and Russia conflict.) Whenever installing updates, do so from official websites only. Perform a software audit and remove software that you no longer use or can’t trust as this reduces the risk of supply-chain attacks.
- If you’re using Cortex XDR, update to the latest agent version and content. Also, see our recent post on Cortex XDR protections against Russia-Ukraine cyber activity.
- Limit and restrict user privileges on your network. Limit access using least-privilege principles to reduce any potential impact. Ensure critical systems on the network are isolated. For cloud environments, evaluate entitlements for all human and non-human identities.
- Review group policy settings for your domain. Ensure there are no suspicious or stale policies.
- Invest time and resources in backups now. Wipers and ransomware are on the rise and can encrypt your data even in the cloud. The only thing worse than no backup is a backup that doesn’t work. Make time to test restoring your backups. Consider encrypting backups, even those in the cloud.
- Review incident response and business continuity plans. Do your scenarios include those that are destructive in nature? Is your chain of command current?
- Have retainers in place. Have retainers for incident response, outside counsel and crisis communications teams negotiated in advance, so you are not caught off guard if an incident occurs. Have them already? Check in with your retainer vendors and advise them of heightened alert status.
Here are a few suggestions to strengthen your cybersecurity posture and harden your defenses:
- Migrate to cloud solutions for small businesses: Follow cybersecurity best practices in the cloud and protect websites with anti-DDoS protection.
- Adopt a Zero Trust approach to securing your organization.
- Avoid using the same laptop/smartphone for work and personal needs.
- Schedule routine pen-testing (red teaming) of your networks.
- Test disaster contingency plans including those involving failover sites, restoring backups, handling staff shortages, ensuring knowledge transfer, etc.
- Continue to update all software and maintain logs of software versions, patches, and last updates applied.
- Continue to train staff on basic security practices – test staff with phishing emails.
- Embed security from the start for any new products and projects, including source code security, data encryption, pen testing, etc.
This isn’t a time to panic, but it is a time of heightened alert and awareness of credible threats, which is exactly when we should all be reviewing security policies, exercising contingency plans and being aware of potential threats against our organizations and industries. The best we can do is to position ourselves for what might come, and this is achieved by practicing.
Updated March 29, 2022, at 1 p.m. PT.