U.S. organizations, including technology service providers that represent attractive targets to a threat actor, are being urged to implement cybersecurity protections against cyberattacks as the Ukraine crisis unfolds.
These warnings come from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as well as private sector cybersecurity software providers like Mandiant that have raised awareness of the possibility of large-scale cyberattacks from Moscow as the Ukraine situation unfolds.
CompTIA, an IT industry association that counts many managed service providers among its members, has also issued a warning to technology service providers, calling on them to take immediate steps to review and upgrade their cybersecurity defenses.
"While we do not have any information to indicate any specific threat, we believe that we all need to be in a significantly heightened state of alert," says MJ Shoer, chief community officer for CompTIA and executive director of the CompTIA ISAO. "We urge technology companies to elevate the monitoring of their networks, as well as those of their customers and partners, for any sign of suspicious activity."
The organization calls on service providers to prepare for attacks on corporate networks, customer networks, the networks of suppliers and partners, critical infrastructure, and platforms used by individual citizens.
According to news reports, Russia has amassed over 100,000 troops near the Ukrainian border and could be preparing to invade its neighbor. While military action has yet to unfold, Ukraine has already suffered cyberattacks in recent weeks, including a malware campaign masquerading as ransomware and DDoS attacks that temporarily knocked some government and banking websites offline.
As high-level discussions between Russia and the west continue, cybersecurity experts say organizations should expect to see more cyberattacks.
In a blog post, Sandra Joyce, executive vice president and head of global intelligence at Mandiant, says Russia's history of aggressive cyberattacks warrants concern. She cites Russia's cyberattacks against Ukrainian critical infrastructure and other attacks against Europe and the U.S.
If the West responds to an armed conflict with Ukraine, the risk of Russia conducting cyberattacks will increase, Joyce writes. These potential attacks may take the form of supply chain compromises designed to gain access to multiple networks simultaneously, similar to the SolarWinds Orion compromise.
"Many of the same steps defenders might take to harden their networks against ransomware crime will serve to prepare them for a determined state actor, if they take them now," Joyce writes.
Despite those potential threats, Joyce cautions against panic, saying that the real target of cyberattacks is our perceptions.
"The purpose of these cyberattacks is not simply to wipe hard drives or turn out the lights, but to frighten those who cannot help but notice," Joyce writes. "The audience of these attacks is broad, but it is also empowered to determine how effective they are. While these incidents can be quite serious for many, we must remain mindful of their limitations. We only do the adversary a service by overestimating their reach."
Meanwhile, cybersecurity giant CrowdStrike says in a blog that while cyberattacks against Russia's adversaries during this crisis can't be discounted, they are unlikely due to the potential for global escalation.
"However, the incidental targeting of international businesses operating within Ukraine may be used by Russian-nexus adversaries to dissuade business operations and investment and destabilize the local economy," the company said.
In addition to Mandiant, CrowdStrike and several other high-profile cybersecurity providers advising customers to harden networks, CISA issued an advisory this week urging U.S. organizations to take steps now to harden their networks. The advisory includes several recommendations for preparing for a cyberattack and responding to one, as well as other CISA resources, including its catalog of known exploited vulnerabilities.
Here are CISA's recommendations, in their entirety:
Reduce the likelihood of a damaging cyber intrusion
- Validate that all remote access to the organization's network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization's IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.
- Sign up for CISA's free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
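The recommendation to disable all ports and protocols that are not essential for business purposes can be checked mechanically rather than by eye. The following Python script is an added example, not part of CISA's advisory or of this article: it parses the output format of the Linux `ss -tulpn` command and reports every listener that is not on an allowlist. The sample `ss` output, the allowlist and the process names are constructed for the example; a real run would feed in the live command output and the organization's own list of essential services.

```python
"""Audit listening services against an allowlist of business-essential ports.

Added example, not part of the CISA advisory or the article. It parses the
output format of `ss -tulpn` (Linux) and reports listeners that are not on the
organization's allowlist. The sample output and the allowlist are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tulpn` output for a hypothetical host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("chronyd",pid=611,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=834,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=1002,fd=13))
tcp   LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2231,fd=4))
tcp   LISTEN 0      128    [::]:3389           [::]:*            users:(("xrdp",pid=2290,fd=11))
"""

# Constructed allowlist: (protocol, port) pairs the business actually needs.
ALLOWLIST: set[tuple[str, int]] = {("tcp", 22), ("tcp", 443), ("udp", 123)}

# One `ss` line: protocol, state, queues, local addr:port, peer, optional process.
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+'
    r'(?:\s+users:\(\("([^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Turn raw `ss -tulpn` text into Listener records; header lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, proc = m.groups()
        listeners.append(Listener(proto, addr, int(port), proc or "unknown"))
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback-bound services are not reachable from the network."""
    return addr.startswith("127.") or addr == "[::1]"


def find_unexpected(listeners, allowlist, include_loopback=False):
    """Return listeners not on the allowlist; network-exposed ones only by default."""
    return [
        ls for ls in listeners
        if (ls.proto, ls.port) not in allowlist
        and (include_loopback or not is_loopback(ls.addr))
    ]


def report(listeners, allowlist) -> list[str]:
    """Human-readable findings, one line per unexpected listener."""
    return [
        f"{ls.proto}/{ls.port} ({ls.process}) bound to {ls.addr} is not on the allowlist"
        for ls in find_unexpected(listeners, allowlist)
    ]


if __name__ == "__main__":
    for finding in report(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(finding)
```

Loopback-only listeners are excluded from the default report because they are not exposed to the network, but passing `include_loopback=True` lists them too, which is the stricter reading of the advisory's wording. The allowlist is keyed on protocol and port rather than process name, so a renamed binary listening on an unexpected port is still flagged.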
Take steps to quickly detect a potential intrusion
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization's entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
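The detection items above (enable logging, identify and quickly assess unusual network behaviour, review access controls for traffic from specific organizations) only pay off if someone actually runs checks over the logs. The following Python script is an added example, not part of CISA's advisory or of this article: it parses sshd authentication lines in syslog format and implements two simple detections, a burst of failed logins from one source within a short window, and a successful login to a privileged account from a source outside a known baseline. The log excerpt, the account names, the addresses and the baseline are all constructed for the example.

```python
"""Two simple detections over SSH authentication logs.

Added example, not part of the CISA advisory or the article. It implements the
advisory's point that logging must be enabled and unusual behaviour assessed:
(1) a burst of failed logins from one source within a short window, and
(2) a successful privileged login from a source outside the known admin set.
All log lines, accounts and addresses below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sshd log excerpt (syslog format, no year field).
SAMPLE_LOG = """\
Feb 22 03:14:01 bastion sshd[4412]: Failed password for root from 198.51.100.23 port 51002 ssh2
Feb 22 03:14:05 bastion sshd[4413]: Failed password for root from 198.51.100.23 port 51003 ssh2
Feb 22 03:14:12 bastion sshd[4414]: Failed password for invalid user admin from 198.51.100.23 port 51004 ssh2
Feb 22 03:14:20 bastion sshd[4415]: Failed password for root from 198.51.100.23 port 51005 ssh2
Feb 22 03:14:33 bastion sshd[4416]: Failed password for root from 198.51.100.23 port 51006 ssh2
Feb 22 03:15:02 bastion sshd[4417]: Accepted password for root from 198.51.100.23 port 51010 ssh2
Feb 22 07:40:11 bastion sshd[4902]: Failed password for deploy from 203.0.113.9 port 40001 ssh2
Feb 22 08:55:47 bastion sshd[5011]: Failed password for deploy from 203.0.113.9 port 40002 ssh2
Feb 22 09:02:11 bastion sshd[5120]: Accepted publickey for deploy from 10.0.5.17 port 40112 ssh2
Feb 22 09:30:00 bastion sshd[5188]: Accepted publickey for root from 10.0.5.18 port 40200 ssh2
"""

# Constructed baseline: addresses from which admin logins are expected.
KNOWN_ADMIN_SOURCES = {"10.0.5.17", "10.0.5.18"}
PRIVILEGED_ACCOUNTS = {"root", "admin"}

# Matches the authentication-outcome lines sshd writes; other lines are ignored.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed password|Accepted \w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    success: bool
    user: str
    src: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse syslog-format sshd lines into AuthEvent records."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp, outcome, user, src = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")  # year defaults to 1900
        events.append(AuthEvent(ts, outcome.startswith("Accepted"), user, src))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """(src, count, window_start) for each source with >= threshold failures in a window."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.src].append(e.ts)
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Sliding window: drop timestamps older than window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, end - start + 1, times[start]))
                break  # one alert per source is enough
    return alerts


def detect_unexpected_admin_login(events, privileged=PRIVILEGED_ACCOUNTS,
                                  known=KNOWN_ADMIN_SOURCES):
    """Successful logins to privileged accounts from sources outside the baseline."""
    return [e for e in events
            if e.success and e.user in privileged and e.src not in known]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, n, when in detect_bruteforce(evs):
        print(f"burst: {n} failures from {src} starting {when:%b %d %H:%M:%S}")
    for e in detect_unexpected_admin_login(evs):
        print(f"unexpected admin login: {e.user} from {e.src} at {e.ts:%b %d %H:%M:%S}")
```

The threshold and window are parameters because the right values depend on the host: a public bastion sees more noise than an internal jump host. The second detection is the one worth tuning most carefully, since a successful privileged login from an unknown source after a burst of failures is exactly the sequence an analyst wants surfaced first.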
Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organizationโs resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization's network is unavailable or untrusted.
A version of this article originally appeared on our sister publication MyTechDecision's website.