On 18th March 2022, the National Cyber Security Centre published an advisory to all UK businesses regarding a perceived elevated threat as a consequence of Russia’s invasion of Ukraine.
Russia has previously been accused of (and has vehemently denied) involvement in state-sponsored attacks on Ukrainian infrastructure (DarkEnergy 2015/2016) and the devastating NotPetya incident of 2017.
With the crisis continuing in the region, hacktivists and script kiddies alike appear to be taking up keyboards in support of both sides; the combination of state and “less professional” actors points to elevated risks for all businesses – including those who would not see themselves as direct “targets”.
The NotPetya incident of 2017 serves as a powerful warning of what may happen when a cyber-attack runs out of control or is deployed recklessly – a $10 billion hit to the global economy.
With armies of self-trained (and unmanaged) “cyber-warriors” scanning for targets within whatever geography or economy they perceive to be an “adversary”, any risk (known or unknown) to your organisation arising from malicious activity is now more likely to be realised.
The NCSC has produced a list of actions to take during this period of heightened cyber threat; it’s well worth reading through and considering whether your security posture could be improved.
The actions focus on the following areas:
- Access Control
- Incident Response
- Perimeter and Endpoint Controls
- Threat Intelligence
Arguably the greatest threat posed to businesses in a full-blown cyber conflict is that of data destroyers, or wipers, possibly masquerading as ransomware. Denial of Service and Data Exposure extend the list.
There are a number of “quick win” activities which can improve the security posture of organisations regardless of size and budget.
- Remind colleagues to complete any mandatory cyber awareness training
- Measure and reinforce cyber awareness training compliance
If you’ve previously imagined cyber awareness training to be too expensive, or your organisation too small, think again: free cyber awareness materials, and often training, can be accessed directly on the NCSC website and through the national Cyber PROTECT network.
- Issue updated phishing guidance advising colleagues how to detect, react and report suspected malicious communications and attachments
Larger organisations should ensure that a suitable, timely and effective response process sits behind phishing reporting – the same malicious emails may not be received by just one individual, therefore responding to reports and eradicating the threat early reduces potential impact.
- Ensure that security activity during the heightened period is spotlighted to, and endorsed by senior stakeholders
Keeping senior management engaged with the elevated threat, and obtaining their sponsorship for any initiatives or communications raised is absolutely critical. Spotlighting activities or concerns relating to the conflict in a regular high level briefing is advisable.
- Ensure you are receiving basic, credible threat intelligence
These could be paid-for services; however, there are numerous well-regarded blogs that can provide free insights. In addition, you can register your organisation for the NCSC Early Warning service if you have a static IP address or a domain name. You may also wish to consider joining the free Cyber Security Information Sharing Partnership (CiSP), which provides a forum for representatives from various sectors to share advice, IoCs and intelligence in the spirit of mutual protection.
Some activities will depend on the resources you have available, and may take longer to address; it’s important to reprioritise and carry out those activities that may have been “put off”. Some ideas (and indeed the usual suspects!):
- Remove blockers for stalled security initiatives
- Vulnerability scanning (external and internal)
- System hardening (particularly End of Life equipment)
- Consider tightening patch schedules
- Ensure Anti-Virus is installed and kept up to date
- Account review – prioritising privileged accounts with external access
- Account review – all third party access
- Access Management – consider the length of any dormancy thresholds; can they be reduced?
- Access Management – new credentials; can the validity period be reduced when credentials are delivered to new users?
- Supplier review – consider how exposed your suppliers may be to the conflict and the level of access they have to your estate
- Coverage Audit – Detection: ensure you have full visibility of your estate
- Coverage Audit – Backups: ensure your backups are adequate to recover your estate
- Backup Resilience – explore methods of securing your backups from destruction or corruption
- Themed Response exercising – consider free NCSC Exercise in a Box for tabletop and live exercises
- Recovery exercising – go beyond validating backups, perform restore exercises
- Firewall Review – weeding old rules and validating existing ones
One final idea which requires an explanation:
- Establish basic geo-fencing
If you have the capability, it’s probably worth investigating where your incoming business traffic originates. It is likely that you never receive legitimate traffic from a large number of countries. Ideally, a whitelisted geofence (i.e. one that only accepts traffic from explicitly named countries) should be the aim, but where this is too time consuming or complex, simply considering whether to accept traffic from conflict-related countries is a good start.
Of course, IP addresses can be spoofed, and attackers can use a VPN, but that assumes that your organisation is being directly targeted. Removing your company from the basket of “low hanging fruit” is the goal – those who can be exposed by the large numbers of hacktivists running automated scans who are so brazen they don’t bother to disguise their location.
You can also use the VPN to your advantage; if you are able to ensure that your international traffic utilises a VPN with an exit node in your country, you can quickly achieve the whitelist model.
Another block list should be TOR exit nodes. TOR is the browser of choice for denizens of the so-called “dark net”, and its services can also be used for anonymising traffic. For most businesses, any traffic passing through TOR is likely to be malicious. The exception might be if your organisation provides services to users in a censored or more oppressive environment – for example, the BBC has a “dark website” that would allow TOR users in Russia to connect and receive news that has not been censored or manipulated by the state.
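The geofencing and TOR exit-node ideas above can be prototyped before touching a firewall by replaying existing connection logs through the intended policy and counting what would have been denied. The following is an added example, not code from the original post: the country-to-CIDR mapping, the TOR exit addresses and the log lines are all constructed (RFC 5737 documentation ranges, with `XX` standing in for a hypothetical conflict-related country code). A real deployment would take the country data from a GeoIP feed and the exit addresses from the Tor Project’s published exit list. It shows both models the post describes: the whitelist (allowlist) geofence, which denies anything not from a named country, and the simpler blocklist, which only denies named countries; TOR exits are denied under either.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data (assumption): country -> CIDR blocks, as a GeoIP feed
# would provide. "XX" is a hypothetical conflict-related country code.
COUNTRY_BLOCKS = {
    "GB": ["203.0.113.0/24"],
    "IE": ["198.51.100.0/25"],
    "XX": ["198.51.100.128/25"],
}

# Constructed sample: in practice taken from the Tor Project's exit address list.
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}

# Policy: countries we do business with (whitelist model) and countries we
# explicitly refuse (blocklist model).
ALLOWED_COUNTRIES = {"GB", "IE"}
BLOCKED_COUNTRIES = {"XX"}

# Pre-parse networks once so lookups are cheap.
_NETWORKS = [(cc, ipaddress.ip_network(n)) for cc, nets in COUNTRY_BLOCKS.items() for n in nets]


@dataclass
class Decision:
    ip: str
    country: Optional[str]
    action: str   # "allow" or "deny"
    reason: str


def country_for(ip: str) -> Optional[str]:
    """Return the country code whose CIDR contains ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for cc, net in _NETWORKS:
        if addr in net:
            return cc
    return None


def evaluate(ip: str, mode: str = "allowlist") -> Decision:
    """Apply the geofence policy to one source address.

    mode="allowlist": only ALLOWED_COUNTRIES pass (the whitelist geofence).
    mode="blocklist": everything passes except BLOCKED_COUNTRIES.
    TOR exit nodes are denied in both modes.
    """
    addr = ipaddress.ip_address(ip)
    if addr in TOR_EXIT_NODES:
        return Decision(ip, None, "deny", "tor-exit")
    cc = country_for(ip)
    if mode == "allowlist":
        if cc in ALLOWED_COUNTRIES:
            return Decision(ip, cc, "allow", "country-allowlisted")
        return Decision(ip, cc, "deny", "country-not-allowlisted")
    if mode == "blocklist":
        if cc in BLOCKED_COUNTRIES:
            return Decision(ip, cc, "deny", "country-blocklisted")
        return Decision(ip, cc, "allow", "not-blocklisted")
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample firewall/proxy log lines (key=value style, assumed format).
SAMPLE_LOG = """\
2022-03-20T09:14:01Z src=203.0.113.5 dst=10.0.0.8 dport=443
2022-03-20T09:14:07Z src=198.51.100.200 dst=10.0.0.8 dport=443
2022-03-20T09:14:09Z src=192.0.2.10 dst=10.0.0.8 dport=22
2022-03-20T09:14:12Z src=192.0.2.200 dst=10.0.0.8 dport=443
"""

_SRC_RE = re.compile(r"\bsrc=(\S+)")


def evaluate_log(text: str, mode: str = "allowlist") -> List[Decision]:
    """Replay every log line's source address through the policy."""
    decisions = []
    for line in text.splitlines():
        m = _SRC_RE.search(line)
        if m:
            decisions.append(evaluate(m.group(1), mode))
    return decisions


def deny_summary(decisions: List[Decision]) -> dict:
    """Count denied connections by reason: a quick impact check before enforcing."""
    return dict(Counter(d.reason for d in decisions if d.action == "deny"))


if __name__ == "__main__":
    for mode in ("allowlist", "blocklist"):
        print(f"--- {mode} ---")
        for d in evaluate_log(SAMPLE_LOG, mode):
            print(f"{d.ip:16} {str(d.country):5} {d.action:5} {d.reason}")
        print("denied:", deny_summary(evaluate_log(SAMPLE_LOG, mode)))
```

Running the replay in both modes over a few days of real logs is the quickest way to see how much legitimate traffic the whitelist model would cut off (unmapped addresses such as the last sample line are denied under the allowlist but allowed under the blocklist), which is exactly the trade-off the post describes when it suggests starting with a blocklist if the whitelist is too complex.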
Whilst I hope that the conflict in Ukraine ends soon, all the signs suggest that this will be a protracted period, with the risk of escalation and spillover, in cyberspace and geographically, ever present.