As warnings of an imminent Russian attack on Ukraine make headlines, the situation also poses a major cyber risk to the U.S. and other Western nations, with the possibility of nation-state-sponsored attacks on critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have published a joint Cybersecurity Advisory (CSA) on understanding and mitigating Russian state-sponsored cyber threats to U.S. critical infrastructure:
https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
In fact, the only thing that remains consistent is the uncertainty about what will happen and how it may affect the rest of the world; collateral damage in cyber warfare is unpredictable. It is critical to stay vigilant and to test your cyber resilience in the face of these threats.
- Risks/threats to critical infrastructure:
  - Ransomware
  - Sabotage
  - Data theft
  - Data manipulation, with serious consequences
- Areas requiring attention:
  - IT/OT security landscape
  - Security monitoring systems
  - Data security
  - Cloud security
  - Supply chain security

Figure: Potential risks/threats to organizations and security areas requiring attention
Organizations should also consider the following immediate and near-term action items:
- Be prepared. Business continuity and cyber resilience are critical. Create, maintain, and exercise a cyber incident response plan, a resilience plan, and a continuity of operations plan so that critical functions and operations can keep running if technology systems are disrupted or need to be taken offline.
- Enhance cyber posture. Follow best practices for identity and access management (including MFA), protective controls and architecture, and vulnerability and configuration management.
- Increase organizational vigilance. Strengthen threat intelligence capabilities and stay current on reporting about this threat.
The CSA's guidance for staying vigilant breaks down by timeframe:
Immediately (next 24-48 hours):
- Ensure perimeter devices are patched and up to date
- Ensure the configuration of the perimeter devices is correct for your environment
- Ensure logging is enabled on all network devices, and consider increasing logging as far as the hardware allows while still serving the business
- Monitor the network logs closely during this time of heightened tensions
- Ensure your critical servers are patched and are logging relevant events, especially Domain Controllers, Exchange servers, and SharePoint servers: all of these handle identity and credentials in ways that make them effective targets for large-scale credential harvesting
- Monitor the logs of those critical servers closely during this time of heightened tensions
- Ensure all endpoints are patched and up to date
- Remind employees of the phishing awareness training you have provided and advise them to be on the lookout for suspicious communications
Near-term (as soon as practical, as these are continuous life-cycle items):
- Enforce multifactor authentication (MFA) for all employees
- Enforce passwords of 16 characters or longer in Windows environments where possible
- Where long passwords are not possible, enforce the highest level of complexity possible
- Require administrators to have separate accounts for administrative duties; their primary accounts should be unprivileged
- Strictly monitor the activities of all administrator and service accounts
- Implement Network Access Control (NAC) to segment the network and control which machines can communicate, and how
- Leverage the NAC to build and maintain an inventory of all cyber assets on the network
- Monitor all outbound connections, and ensure no weak or management protocols (e.g., RDP, SMB) are exposed directly to the internet
- Implement a Security Information and Event Management (SIEM) platform where all device logs are centralized
- Implement Endpoint Detection and Response (EDR) tooling on all hosts
- Implement honey traps/pots/tokens/accounts/shares, etc. in the environment; any interaction with them alerts defenders that unusual enumeration is happening inside the network
- Implement infrastructure as code (IaC): declarative, virtualized infrastructure wherever possible
- Implement robust backups, preferably solutions with ransomware protection options
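Two of the items above, "monitor the logs of Domain Controllers closely" for credential harvesting and "implement honey accounts" so enumeration is noticed, only pay off if something actually evaluates the centralized logs. The following is an added example, not code from the CISA advisory or from the original post, of the kind of rule logic a SIEM would run over Domain Controller Security events: a password-spray detector (one source failing logons against many accounts in a short window, which per-account lockout thresholds do not catch) and a honey-account detector. The event records, the decoy account names and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented values). The keys mirror Windows Security log
# fields: EventID, TargetUserName, IpAddress, Computer. 4625 = failed logon,
# 4624 = successful logon, 4768 = Kerberos TGT requested.
SAMPLE_EVENTS = [
    {"time": "2022-02-20T02:00:01", "id": 4625, "user": "alice", "src": "203.0.113.7", "host": "DC01"},
    {"time": "2022-02-20T02:00:04", "id": 4625, "user": "bob", "src": "203.0.113.7", "host": "DC01"},
    {"time": "2022-02-20T02:00:07", "id": 4625, "user": "carol", "src": "203.0.113.7", "host": "DC01"},
    {"time": "2022-02-20T02:00:10", "id": 4625, "user": "dave", "src": "203.0.113.7", "host": "DC02"},
    {"time": "2022-02-20T02:00:13", "id": 4625, "user": "erin", "src": "203.0.113.7", "host": "DC01"},
    {"time": "2022-02-20T02:00:16", "id": 4625, "user": "frank", "src": "203.0.113.7", "host": "DC01"},
    # One user mistyping a password twice, then succeeding: not a spray.
    {"time": "2022-02-20T08:15:00", "id": 4625, "user": "alice", "src": "10.0.0.5", "host": "DC01"},
    {"time": "2022-02-20T08:15:09", "id": 4625, "user": "alice", "src": "10.0.0.5", "host": "DC01"},
    {"time": "2022-02-20T08:15:20", "id": 4624, "user": "alice", "src": "10.0.0.5", "host": "DC01"},
    # A Kerberos ticket requested for a decoy account that nobody should ever use.
    {"time": "2022-02-20T11:42:30", "id": 4768, "user": "svc_backup_old", "src": "10.0.0.22", "host": "DC01"},
]

# Assumed decoy account names. In a real deployment these are accounts you created to
# look attractive (stale service accounts, "admin"-like names) and never use legitimately.
HONEY_ACCOUNTS = {"svc_backup_old", "sqladmin_legacy"}
AUTH_EVENT_IDS = {4624, 4625, 4768, 4769, 4771}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted distinct users} for every source that produced failed
    logons (4625) against at least `min_accounts` distinct accounts within `window`.
    A single user failing repeatedly from one source is ignored: that is lockout territory,
    not harvesting."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append((_ts(e), e["user"].lower()))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        j = 0
        for i in range(len(attempts)):
            # Slide the right edge so that attempts[i:j] all fall inside the window.
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            users = {u for _, u in attempts[i:j]}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break  # one alert per source is enough
    return alerts


def detect_honey_account_use(events, honey=HONEY_ACCOUNTS):
    """Any authentication event, successful or not, naming a decoy account is an alert:
    the only way to learn the name is to enumerate the directory."""
    return [e for e in events if e["id"] in AUTH_EVENT_IDS and e["user"].lower() in honey]


def run_detections(events):
    return {
        "password_spray": detect_password_spray(events),
        "honey_account_use": detect_honey_account_use(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(rule, hits)
```

On the sample data the spray rule fires for 203.0.113.7 (six accounts in fifteen seconds) and stays quiet for 10.0.0.5, while the honey-account rule fires on the single 4768 for svc_backup_old. The window and account thresholds are the knobs to tune against your own baseline; a spray that stays under the per-account lockout threshold is exactly why counting distinct accounts per source, rather than failures per account, is the right axis.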