Cyber Readiness and the Russia-Ukraine War

This blog was originally published on March 10, 2022 by Lookout.

Written by Hank Schless, Senior Manager, Security Solutions, Lookout.

I was encouraged when I saw our partners over at Microsoft step in when Russian cyberattacks commenced alongside their invasion of the Ukraine. While there have yet to be any reported attacks on the United States or its allies, I can’t help but think about our collective readiness, especially as sanctions against Russia intensify.

The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency under the U.S. Department of Homeland Security has been monitoring the conflict closely and putting together some great resources in collaboration with the Federal Bureau of Investigation (FBI).

In this blog I’ll highlight some of CISA’s major recommendations and offer some insight on behalf of Lookout.

We’re all connected

Today we live in a closely interconnected world, where no one country is less connected than another. As a result, the cyber threats initially directed at Ukrainian government bodies and infrastructure could easily be targeted at other nations, whether they be attacks on supply chains or the deployment of ransomware and other advanced malware.

Nearly five years ago, a series of Russian-linked ransomware targeting Ukrainian entities ended up affecting citizens in more than 60 countries and destroying 49,000 computers, impacting organizations of all sizes from shipping companies to hospitals. The weapon used by the Russians was NotPetya, a malware that behaved like ransomware, but the actual motive is to wipe out systems.

Cyber readiness requires a holistic approach

For Russia or any other nation-state threat actors to compromise supply chains or deploy ransomware, they need to gain access to your infrastructure and move laterally.

Mitigating these risks can happen by identifying and stopping these attacks early in the kill chain. This means blocking access from high-risk or compromised endpoints and accounts, stopping lateral movement and continuously monitoring to help you hunt for threats.

Fertile ground for phishing attacks

Much like the COVID-19 pandemic, the war in Ukraine is an event that attackers will leverage for social engineering attacks. Whether it’s click-bait headlines, fake humanitarian efforts or accounts pretending to be the media, attackers will get creative with the hooks they use to trick individuals and enterprise users to download malware or hand over login credentials.

Everyone should be on high alert for phishing campaigns that use the war as a compelling event. Warn employees, educate them about what these attacks could look like and how they can best protect their devices. We also recommend deploying anti-phishing on every device used to connect apps and data.

Segmentation can help against lateral movement

Before wreaking havoc, threat actors need to first move laterally around your infrastructure to find additional vulnerabilities to exploit, or sensitive data to steal or hold hostage. This is the reason you need a Zero Trust architecture that can deploy granular conditional access in place.

To effectively apply a Zero Trust mindset, automate the risk assessment of your users, the endpoints they use and adjust their access to applications and data based on the sensitivity level. Bottom line, don’t give unnecessary access. For example, when you provide a user access with a virtual private network (VPN), they have access to your entire network when they may only need to connect to a single app. In the event that a user account or endpoint is compromised, you can limit lateral movement by segmenting access. This ensures that a threat actor using their account or device cannot move around the rest of the infrastructure and access additional apps and sensitive data.

Continuous monitoring can improve threat hunting

Continuously monitoring all of the activity I’ve discussed so far is critical. The risk level of a user or device can change in an instant, continuous logging and risk assessment will enable you to heighten security readiness without limiting productivity.

While many incidents can be resolved quickly, detecting and blocking advanced persistent threats (APTs) often requires proactive threat hunting. As CISA pointed out in its guidance, this is especially important for organizations that have Ukrainian connections. With continuous logging, you also have the evidence to conduct forensic investigations for when something does occur.

Cyber threats are not limited to conflict zones

With an interconnected world, regional conflicts can easily spread elsewhere, especially in cyberspace. Cyber readiness should not be something that only organizations are doing. Individuals need to be prepared as well, especially as attackers use this opportunity to deliver phishing attacks.