With events surrounding Russia’s invasion of Ukraine changing by the minute, government and corporate executives around the world have focused on mounting a vigorous defense against nation-state cyberattacks.
Potential attacks could come in retaliation to sanctions on Russia from the U.S., the U.K., the EU, and others. The fear is that adversaries could act on a scale that would make Log4j, SolarWinds, and the Microsoft Exchange Server supply chain vulnerabilities look like child’s play.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance to companies and organizations—both large and small—and cataloged the free tools and services available to shore up defenses in the event that Russian cyberattacks threaten critical infrastructure and financial institutions. “Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety,” CISA warned in a statement.
Still, executives would be wise not to panic. With cybersecurity, Keep Calm and Carry On is always a wise mantra to keep top of mind. The path of cyberwarfare will probably first involve government agencies and NGOs active in Ukrainian and defense issues, and thereafter financial institutions that implement sanctions against Russian interests, says Chris Hallenbeck, CISO for the Americas at Tanium. Cyberwar could broaden to other companies and industries from there, depending on the nature of the Russian response.
To help executives batten down the hatches, Endpoint has assembled the top advice from our experts over the past year of covering the security landscape. The upshot: The time to take action was yesterday. “If you’re waiting for an event like the invasion of Ukraine to decide you’re going to do something about cybersecurity, you’re already behind the eight ball,” says Hallenbeck.
Dust off cyber resilience playbooks
CISA has urged all private enterprises to review its recently published playbooks, which have cataloged the U.S. government’s evolving practices in response to President Biden’s executive order to improve cybersecurity. While the playbooks are aimed at federal civilian agencies in the executive branch, CISA “strongly encourages” the private sector to make use of both their strategies and standards.
“Having a plan of any sort is better than no plan,” says Hallenbeck. “Having a plan that is tailored to your operations and cultural approach is even better.” But just having a plan sitting on a shelf gathering dust does no one any good, he adds. Companies need to run focused tabletop exercises to ensure that people understand the plan and their role in it, and then test different scenarios to make sure it actually works.
Focus on mitigating supply chain risks
Rather than targeting organizations directly, cybercriminals and nation-state hackers use software supply chain attacks like SolarWinds to steal data, and in some cases shut down critical U.S. infrastructure and services.
They inject attack code into software that organizations use to power their organizations, specifically targeting vulnerable software development pipelines and insecure cloud configurations, or exploiting software update processes. Supply chain attacks increased fourfold in 2021 over 2020, according to the European Union Agency for Cybersecurity (ENISA).
“Supply chain related risks, whether they involve a vulnerability or an active attack, are only increasing in frequency and severity,” says Hallenbeck. “And now you have an event like the conflict in Ukraine that increases the likelihood that another round of supply chain hacks could happen.” To be ready, organizations must scan the environment to know which assets they have, where they are located, and what’s installed on those assets, he says. They must find out whether endpoints have been compromised and immediately remediate vulnerabilities.
Step up threat hunting activities
Threat hunting in most cases involves searching for “unknown unknowns”—previously undetected anomalies, unusual activity, or malicious code that might open the door to a cyberattack. Similar to how the body’s immune system works, threat hunters continuously look for cybersecurity threats across an organization’s networks and endpoints, including laptops, PCs, tablets, and virtual machines in the cloud. The approach proactively finds, removes, and remediates threats before hackers can burrow into your network.
“Always assume that an adversary has gotten into your environment,” says Hallenbeck. “And always be on the lookout for signs of compromise through proactive threat hunting.” Threat hunting teams look at the behaviors and methods attackers would use to gain access to your environment and move around, and then look for outliers that indicate a breach. Once or twice a year, it pays for even a midsize organization to bring in an outside firm to go on the hunt.
Upgrade patch management processes
As the attack surface keeps expanding, patch management has become significantly more complex. “The pandemic accelerated the movement away from a parameterized network by a significant order of magnitude,” says Phil Reitinger, president and CEO of the Global Cyber Alliance, a former CISO at Sony, and a top cybersecurity official in the Obama administration.
The situation got even worse with the emergence of the Log4j hack of widely used open-source software, which has kept enterprises and governments furiously patching their systems.
Patching is often seen as one of the simplest and best weapons to combat cybercrime. However, it can be tricky in practice. Hackers take full advantage of slow patch management systems. But instead of deploying the most sophisticated hacking techniques, they often focus on low-cost, low-effort vulnerabilities that have been around for years. That’s why the preferred defense is to automate most aspects of monthly patching while still testing sufficiently before new patches are rolled out.
Bolster cyber hygiene practices
Cyber hygiene is a set of habitual practices for ensuring the safe handling of critical data and for securing networks. It’s like personal hygiene, where you develop a frequent routine of small, distinct activities to prevent or mitigate health problems. Cyber hygiene practices include the inventory of all endpoints connected to a network, vulnerabilities management, and the patching of software and applications (see above).
Cyber hygiene helps prevent criminals from breaching an organization’s network—or at least raises the “opportunity cost,” making it so hard that the hacker gives up and goes looking for another victim.
Ultimately, good hygiene reduces the attack surface. “Organizations spend a lot of time, effort, and money to patch things, and that’s to be applauded,” says Tanium’s Hallenbeck. “But if you’re patching something that no one’s using, why are you making the effort? Anytime you keep something up and running that is either not being used or is underutilized, you present more avenues you have to monitor and maintain.”
Unlike the common adage: The best offense is actually a good defense. With these and other strategies, executives can keep a level head as they prepare for and respond to whatever the next cyber meltdown throws their way.