As the conflict in Ukraine heightens the risk of cyberattacks globally, what can organizations do to improve their resiliency?
Due to the current attack by Russian forces on Ukraine, do you expect there to be more cyberattacks? This is the most common question I am being asked post Russia unleashing its offensive in Ukraine.
The answer is simply “Yes”.
When conflicts take place, part of the standard playbook is to disrupt communications and information channels, and this conflict is no different. There are many news articles, many of them fact-checked, referencing distributed denial-of-service (DDoS) attacks on important websites in Ukraine.
For businesses and organizations based in countries that are expressing solidarity with, and support for, Ukraine, governments and their cybersecurity agencies – obviously including the United States’ Cybersecurity and Infrastructure Security Agency (CISA) – are actively warning of a possible increase in the number of cyberattacks. Is there potential for an increase? Absolutely, yes. Should we all be more vigilant? Yes.
Beware of disinformation and a spike in phishing
There is, of course, the risk of an increase in disinformation, fake news and phishing emails attempting to direct the recipients to campaigns collecting funds for Ukrainian refugees, claiming to have unique news clips or such like. The ESET research team has already circulated images of some such emails. These demonstrate the willingness and readiness of cybercriminals to spin up campaigns quickly and effectively to profit and monetize their activities. Any major incident provides them this opportunity, as we have seen during the pandemic with fake contact tracing apps, phishing emails, and sites claiming to have protective equipment.
Improve cybersecurity planning and resiliency
The current circumstance in Ukraine has increased the visibility of the need for companies to ensure they are prepared to deal with a cybersecurity incident. I suspect – in fact, feel certain – that many cybersecurity teams have already been working for some time under the extreme pressures of potentially being attacked.
Last year was, without question, the year of escalating ransomware demands, with notable moments throughout the year, including Colonial Pipeline handing over $4.4 million, CNA Financial reportedly paying $40 million, then cyberattackers demanding $70 million from Kaseya and $240 million from MediaMarkt.
I am certain that the escalating ransomware demands, numerous disclosures of severe vulnerabilities, and supply-chain incidents have created an environment of preparedness already. However, it’s always good to check your organization’s processes and operations.
What should be on your cyber-resiliency checklist?
Here are a few important tasks that should be on the priority list:
- Refresh the continuity plan. Understand how the business can operate while under cyberattack and access to systems may be limited.
- Conduct a practice crisis scenario. Make sure everybody knows their roles and the expectations on them.
- Update the crisis emergency contact list – “Who ya gonna call?”
- Consider your third-party supply chain and what part you play in others’ supply chains. The upstream and downstream businesses need to have cybersecurity policies that reflect your own. Check that they are still in compliance, and that you are.
- Empower your cybersecurity team and those in key positions. They may need to make changes and react quickly to an incident as it unfolds.
- Monitor for suspicious and unknown network behavior. Implementing an EDR solution is recommended and will help keep teams focused on the critical incidents.
- If you lack resources to deal with a major incident, outsource this critical responsibility. Consider contracting with a managed service provider.
- Conduct impromptu cybersecurity awareness training for all employees that reminds them not to open attachments or click unknown or untrusted links. This will help keep things front of mind for all employees.
And as a reminder, a few core cybersecurity musts…
- Enforce a policy of strong, secure passwords – or, better yet, strong passphrases.
- Implement two-factor authentication on all external access and for all accounts with admin privileges. This should also be considered for power users who have broad access to company data.
- Update and patch promptly to remove the risk of becoming a victim due to a previously known vulnerability.
- Test backups and disaster recovery systems. Be sure to keep offline backups as well as those in the cloud.
- Audit user access – reduce risk by limiting access to services, software, and data so that only those who need access actually have
- Close ports and stop services that are not used and which provide an open door that can easily be closed.
- Legacy systems that rely on outdated technology should be segmented and held at arm’s length.
- And of course, make sure all endpoints, servers, mobiles and such are protected with an anti-malware product that is updated and fully operational.
And lastly, if you are an ESET customer, then…
- Ensure that important features such as Advanced Memory Scanner, Exploit Blocker, ESET Dynamic Threat Defense, and Ransomware Shield are all enabled.
- Where necessary, configure HIPS and Firewall rules.
- And ensure the most current version of the product is installed and updated.
Stay safe and stay strong. My thoughts and prayers are with the victims of this conflict.
written by Tony Anscombe, ESET