Russia’s war in Ukraine: 3 cybersecurity tips for businesses

Offensive cyber actions are an integral part of modern armed conflict. The Russian invasion of Ukraine is no exception.

Russia had already shown that it can damage fledgling democracy through cyberwarfare. Since at least 2013, suspected Russian attacks on Ukraine have included attacks on critical national infrastructure. For example, the 2017 NotPetya destructive worm, which is still Ukraine’s most destructive cyber attack.

Since the invasion, there has been a continuous onslaught of attacks targeting both the public and private sectors, but organizations have largely succeeded in repelling them. This shows that with planning, preparation and the necessary resources, attacks from even the most sophisticated and persistent attackers can be defeated.

Cisco is proud to support the people of Ukraine, both through humanitarian aid and in securing systems. For more than six years now, in partnership with the Ukrainian authorities, we have been providing intelligence and resources to help fend off cyberattacks on the country. Since the invasion, Talos has formed a Security Operations Center (SOC) to aggressively hunt for threats affecting Ukraine. It also directly defends more than 30 Ukrainian critical infrastructure and government organizations.

Based on our experience, we have three tips to help organizations defend themselves:

Customize security and defense against threats and attacks

A proactive defense adapted to your environment makes attacks harder to execute and easier to detect.

Harden systems

Remove network connections, services, applications and systems that are no longer needed. Keep only those that are critical to the business. If your company has many applications that provide similar functionality, tune one and delete the rest. If certain applications are needed but rarely used, restrict access to the few who use them.

Similarly, limit access to sensitive data only to those who really need it. Many functions are better served by limited access to subsets or aggregates of data rather than full access to everything.

Defend your crown jewels

Know where your most valuable data and system is. These are the systems that would do the most damage to your organizations if they were compromised or unavailable. Ensure that access to these systems is restricted and that appropriate protections are in place to mitigate threats. Importantly, not only are critical data regularly backed up, but teams can also recover the data in the event of damage.

Active Vigilance

Like any criminal activity, cyber attacks leave traces at the scene of the crime. Even the most advanced attackers leave traces that can be discovered, and may choose to use everyday tools to carry out their activities.

Don’t discount or downplay the discovery of a relatively common or simple malicious tool or dual-use software. Attackers often establish a foothold within an organization using basic tools before turning to more advanced techniques.

If evidence of a breach is detected, activate the incident response process to quickly resolve the breach. Identify which systems the attacker had access to, where the attacker could persist, and most importantly, how the attacker could penetrate the defenses. Fix any shortcomings before the attacker learns and improves his actions.

Remember that no one can watch over all systems all the time. Prioritize monitoring your most valuable data and systems so that any deviation from normal behavior can be quickly identified and investigated. Conduct regular drills and practice response to potential incidents so that teams are well aware of the steps required and aware of the different teams to coordinate with in the event of a real incident.

Proactive hunting

Traces of intrusion can be found in the system and network logs. By merging these logs for retrieval, teams can actively look for possible signs of compromise. This allows attacks to be identified early before the attacker has had a chance to reach their targets or cause damage.

Using threat intelligence to improve security

Pay attention to reports of how attackers carried out attacks. Consider how the malicious techniques and procedures used in previous attacks can be discovered in your system and network logs. Actively search for this evidence of possible break-in.

Hunt down and investigate deviant behavior. Look for systems that behave differently from others. In most cases there will be an innocent explanation, but sooner or later you will discover something that needs to be rectified.

Think like an attacker

No one knows your systems and networks better than the teams that maintain and manage them. Involve operations teams in detecting threats, asking them about potential vulnerabilities or how users have circumvented restrictions. Use their knowledge to improve defenses and devise new threat hunting strategies.

Usually attackers try to do the bare minimum to achieve their goal. If an attacker finds their attempts to invade your organization fail, or if they are quickly detected, they will be tempted to choose an easier target.

A Threat Defense Resilience Model

Passive defense is not enough to combat the complexity, sophistication and persistence of today’s security threats. The security team should proactively look for hidden threats, even with security systems.

Remember that cybersecurity relies on the dedication and skills of security professionals. Invest in the training and well-being of your teams. Defending against attack is a 24/7 activity, but defenders are humans and must have enough rest to rest and recover in order to have the mental agility to spot advanced raids.

Ukraine has weathered the storm of Russian cyber-aggression as defenders have prepared well, actively pursued attacks and learned from past incidents how to improve their security posture and hunting techniques.

These lessons provide a helpful model that your business can apply to increase security resilience:

• Custom Defenses: Harden systems and identify key systems.
• Active Vigilance: Respond to all incidents, no matter how small.
• Proactive Hunting: Look for evidence of raid.

Cyber ​​attacks are carried out by criminals with a clear idea of ​​what they want to achieve. Preventing and detecting seizures is not a haphazard activity to be taken lightly. With the right focus and resources, even the most sophisticated and persistent attacks can be defeated.

Martin Lee is technical leader of security research in TalosCisco’s Threat Intelligence and Research Organization.