Ukraine-Russia Crisis Heightens Malicious Cyber Activity: 8 Ways to Bolster Your Cyber Defense
2022-03-17 08:00:00 Author: www.trustwave.com

The ongoing war between Ukraine and Russia has placed organizations worldwide on full alert due to the possibility that cyber attacks related to the conflict may impact organizations outside the region. 

During the recently conducted webinar “Russia-Ukraine Crisis – Defending Your Organization from Geopolitical Cybersecurity Threats”, Trustwave's Darren Van Booven, Lead Principal Consultant, and Grayson Lenik, Director of Consulting and Professional Services, Trustwave Government Solutions, looked at the current threat landscape and made recommendations organizations should adopt to protect themselves.

These suggestions are not only pertinent during a time of crisis but are always effective and necessary.

Cyberattacks Related to the War: What Trustwave SpiderLabs is Seeing 

After several weeks of massive warfare between Ukraine and Russia, an equivalent-scale confrontation on the cyber front has not been opened. However, there has been some activity. For example, Russia used wiper malware early in the conflict against Ukraine, and the prolific Conti ransomware team aligned itself with Russia, threatening to attack its enemies, but then thought better of that statement and recanted the more serious threats.

Trustwave saw many attacks against Ukraine, including some using a wiper malware that struck critical infrastructure targets. Researchers quickly spotted this malware, and the cybersecurity community shared its indicators of compromise (IoCs). Sharing this type of data is rare amongst cybersecurity vendors, which shows how seriously the community is taking any activity related to the war.

Researchers also saw Dark Web chatter with actors attempting to gather forces to defend Ukraine. These discussions included launching Distributed Denial of Service (DDoS) attacks against Russian government and military websites. Analysts have also spotted additional

The other concern is that an attacker could release a malware variant like NotPetya equipped with wormable functionality and, even though the attacker aimed the malware at a specific target, it could spread. If the malware developers don't put controls in the software to limit how it spreads, it can end up being dispersed worldwide over the Internet, striking any system that is vulnerable.




Take These Proactive Preventive Steps Today

So, what should organizations do right now to protect themselves in this environment?

The war and its cyber component have not, in general, raised the overall threat level in the world. Organizations today already operate in a state of continual threat, and they should immediately implement the actions noted below if they have not done so already.

  1. Multifactor Authentication (MFA): The number one recommendation we make is for all organizations to enable multifactor authentication. 

We respond to incidents at organizations and clients that were compromised because they did not have multifactor authentication. MFA is what we consider the bare minimum requirement you must have, and if you don't have it enabled for all of your users today, that alone creates an immediate, high-risk situation for your organization.

  2. Cyber Insurance: Having cyber insurance is key. However, the fact that the major war taking place right now has a cyber component could cause a problem even for those with general coverage.

First, make the call today to see if you are covered or exposed. If you have insurance, check to see if the policy contains any exclusions. Today, many organizations have cyber insurance policies that cover the impact on your business if an attacker brings down your system with a cyberattack. However, some policies have an exclusion stating that the insurance policy does not cover acts of war.

Exactly what an "act of war" is can be broadly interpreted, and it’s good to know what other exclusions the policy includes, so reach out today and ask your underwriter.

  3. Threat Intelligence: There are two layers to conducting threat intelligence within your organization.

At the top level, speak to your staff about what is going on in the world. This communication can range from a new malware strain making the rounds that workers should be aware of to a major event like the Russia-Ukraine conflict. This internal awareness will help staffers "tune in" to what they might see on their systems so they can alert the proper team to take action.

On a more technical note, when it comes to vulnerabilities and malware, speed is key. 

With new malware, it doesn't take long for someone to start exploiting the threat in the wild. To be on top of that, you need to obtain the indicators of compromise and any other information you can about what's going on and perhaps who may be the focus of an attack. Once the IoCs are in hand, you can apply the necessary defenses to your organization. There are many places to obtain this information, such as the Cybersecurity and Infrastructure Security Agency, the National Security Agency and commercial threat intel companies. 

  4. Phishing Tests: Run phishing tests using the latest techniques that attackers employ. Here you can use your threat intel skills to develop a plan. For example, if security folks have spotted threat actors using a wiper-type malware in a phishing campaign, you can build a test around how the attacker is presenting the malware in emails.

If you conduct this test properly, you will get an accurate indication of how your staff will react. For example, in one recent case, a client ran such a test on 1,200 workers; 250 did, in fact, click on the link, and 100 of those gave their username and password. So, while these numbers are alarming, it was a good test of what can happen, and now the company knows where to focus its efforts.

  5. Threat Hunting: We recommend looking into your environment using the IoCs you have gathered regarding current threats. Conducting these exercises is a good habit regardless of the geopolitical situation. For example, if you are worried about a specific weakness or have a new IoC in hand, you can conduct a scan to ensure your systems are safe.
  6. Vulnerability Scanning: For the most part, we have noticed many organizations do conduct vulnerability scans. Sometimes this is done to comply with regulations or as part of a vulnerability management program that is in place.

A good scan should review your ingress and egress traffic controls and look at the access control lists on your web application firewalls, next-generation firewalls, and routers. It's never too late to go back through and take a deep-dive look at what you are and are not restricting.

  7. Backup Data: Ransomware can spread and encrypt backups, so it's imperative these are checked for malware.
  8. Pen and Red Team Testing: Conducting these exercises essentially puts your security team and its response plans through all the points previously mentioned.

A good penetration test or Red Team engagement will include threat intelligence, a phishing test, vulnerability scanning, and a review of ingress and egress controls. So, if you're not doing Red Team or penetration testing, we would highly recommend finding a solid provider. However, if you do have a provider, it might be good to schedule your quarterly engagement a little bit early.

Final Recommendations

Finally, even though we are having this discussion about the current situation in Ukraine, the reality is that everyone has been operating in a state of heightened alert for some time. You just never know when these things are going to happen. 

However, based on our own first-hand experience, a good guess is that it will happen on a Friday afternoon or whenever your business is closed. But it can happen at any time. So, make sure that you have configured your whole environment for that possibility. Then, have a plan in place for when an attack happens outside of business hours.

Many organizations just throw technology at the issue but don't have the staff to run the plan, or the team cannot execute the processes. You need the right people with the right skills to do the job correctly.


Source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/ukraine-russia-crisis-heightens-malicious-cyber-activity-8-ways-to-bolster-your-cyber-defense/