Preparing for Cyber Threats Related to Tensions in Ukraine

As events continue to deteriorate in Ukraine, the full geopolitical impact remains unclear, especially in the cyber realm. CISA (Cybersecurity and Infrastructure Security Agency) reports that while there are no specific or credible threats to the US at this time, Russia may consider taking retaliatory action in response to sanctions that may impact business and critical infrastructure in the US. Therefore, CISA and the global intelligence community recommend organizations adopt a heightened, vigilant posture and immediately take additional steps to harden defenses and improve resiliency. PacketWatch is providing actionable steps organizations can take to safeguard themselves during this time.

Background

The Russian government has a proven history of escalating and taking actions to destabilize its perceived adversaries outside of their initially targeted country. The Russian government has demonstrated ability to conduct hybrid warfare combining kinetic and cyber elements for maximum disruption. The Russian government may conduct these cyber activities by its military units, through its intelligence organizations or more commonly through sponsored advanced persistent threat (APT) actors.

Based on knowledge of historical TTPs utilized by these APT actors, organizations should take the following steps to increase organizational readiness:

• • Network Egress Points
    • Monitor network perimeter egress points; examine outbound traffic for signs of anomalous activity (ports, locations, protocols).
    • Restrict what ports/services can communicate to external resources.
  • Network Ingress
    • Geo-block where possible but understand limitations and downstream impacts.
    • Ensure only assets serving specific business purposes are publicly exposed to the internet.
  • Monitor egress and ingress communication from computer assets in the DMZ.

• Network Segmentation
• Enforce strong segmentation between network zones to contain traffic.
• Restrict endpoint-to-endpoint communication.
• Monitor east – west traffic for anomalous activity.
• Restrict BYOD assets from access to production networks.
• Know your assets and what they access; Identify everything
• Update your inventory survey of hardware and software assets.
• Review your application control list.
• Hunt for unmanaged assets.
• Validate Security Controls
• Focus on updated controls for Endpoint, Server, Cloud security and Access Management.

• Align and enforce password policies using an applicable framework/standard.
• Unprivileged users should not have privileged access, audit access and permissions.
• Implement Multi-Factor Authentication (MFA) across all networks, systems, applications, and resources.

• Scan for open vulnerabilities and patch/mitigate as directed.
• Update Vendor Solutions, Open-Source Software, and Operating Systems.
• Isolate vulnerable legacy systems.

• Increase levels of logging and ensure proper collection retention — especially on endpoints, servers, network devices and Cloud services.
• Review access logs for suspicious activity and impossible logons.
• Monitor for abused or malformed access tokens.
• Adopt best practices securing cloud services.

• Review / rehearse / test
• Continuity of Operations Planning (COOP) plans.
• Business Continuity / Disaster Recovery (BC/DR) plans.
• Incident Response (IR) plans.
• Ensure adequate staffing for longer duration workloads.
• Anticipate service disruptions and supply chain impacts.
• Establish alternate providers for mission critical services / providers.

• Contact experienced security professionals for assistance in testing or implementing the above recommendations.
• If you believe you have been impacted already, contact your local FBI field office.