Take These Steps To Prepare For And Handle The Cybersecurity Effects Of The War In Ukraine
CISOs and their teams in Europe and worldwide are either already experiencing cybersecurity impacts from the war in Ukraine and the sanctions imposed on Russian and Belarusian actors — or they soon will. If you haven’t already, here are the cybersecurity-related steps to take right now, plus some pitfalls to avoid. (Note: You can find the risk-management-related actions to take in this companion blog post.)
- At the risk of stating the obvious, follow current advice from your national cybersecurity authority. The US Cybersecurity and Infrastructure Security Agency (CISA) has already warned of increased attacks on critical infrastructure and defense industrial bases through their Shields Up initiative. This is the best place to receive up-to-date information from CISA on the current state of the conflict. In the UK, the National Cyber Security Centre (NCSC) has published specific steps to undertake in the current heightened threat landscape. Other agencies such as the European Union Agency for Cybersecurity (ENISA), the Federal Office for Information Security (BSI) in Germany, and the National Cybersecurity Agency (ANSSI) in France have warned of the situation, and an EU cyber unit has been deployed to assist Ukraine. The Australian Cyber Security Centre also provided guidance via an urgent alert when the Australian government placed sanctions on Russia on February 23. In the absence of specific information from your national cybersecurity authority, use the guidance we’ve linked here.
- Reach out to government contacts. Make sure you have a stable contact within the government in each country where you have a large operation that you can reach out to in the event of an incident or for updates on the current situation. In the United States, InfraGard coordinates information sharing with critical infrastructure providers. In the UK, review information provided by the UK National Cyber Security Centre’s (NCSC) Critical National Infrastructure hub and its equivalents in Europe. For EU-based organizations, speak to your local CSIRT (computer security incident response team) and CERT (computer emergency response team) contacts. (Find a full listing here.)
- Initiate a “request for intelligence” from your threat intelligence vendor. Ideally, this is an existing part of your contract — but it’ll be worth it even if you must pay an additional fee. Explain the target audience for the report so that your vendor will produce information at the right altitude (for your board of directors, for your security team, etc.). The request for intelligence should go beyond the normal overviews your vendor provides, and it should include specifics related to your vertical industry and operating locations. Further, it should give you information on threat actors of concern and on the tactics, techniques, and procedures (TTPs) that those threat actors use.
- Brief your senior stakeholders ahead of the news cycle on the threat environment and risk. Cybersecurity incidents that achieve media prominence have a habit of alarming senior executives and board members, resulting in a cascade of panicked questions to you and your team. Don’t be caught unawares, as such requests can consume precious time that you will need to deal with a potential incident. Prepare a brief in advance, and make it as factual as possible about the overall external threat and situation, the potential impact on your organization, and the overall risk to the business. Take the opportunity to remind your executives what tactical activities you are undertaking to deal with the immediate issues, as well as how your strategy will serve to prepare for such events, now and in the future.
- Collaborate with your security vendors. Your organization’s security vendors need to take a proactive role in your preparations for cyber conflict and defense in depth. Rely on your vendor account representatives; they’re incentivized to ensure that you receive the proper level of care contractually or specific to that technology. For product vendors, confirm turnaround time and automation options for ruleset and patch updates; for managed services, clarify their processes and communication channels. You should already be receiving communications from your vendors regarding the conflict in Ukraine. If you have yet to receive updates, reach out directly to the vendor, your rep, the support team, etc. Pay particular attention to vendors that were less responsive during Log4Shell, because two subpar performances during a crisis make an unpleasant pattern.
- Do not attempt to predict what nation-states will do. The world’s intelligence agencies have done a remarkable job of coming together and sharing intelligence to limit misinformation and disinformation. They have the information you — and we — do not have, and they still miss things. Focus on preparation and on improving your firm’s resilience rather than trying to predict what will happen next.
- You can’t prepare for cyberattacks when they’re already happening, so don’t try. Dentists will tell you that “you can’t cram for a dental exam,” and this is similar; it’s too late to initiate widespread technology changes. That’s why cybersecurity is a program and why readiness and preparedness are so important. If there are adjustments you can make after a recent tabletop session to processes or communication, make them — and update your documentation accordingly.
Here’s What To Do Next
After you’ve completed the above steps, here’s your next checklist to follow:
- Be ready for more misinformation and disinformation. Misinformation and disinformation featured heavily in the lead-up to this conflict. Allegations of staged cabinet meetings well after decisions were made are one example. On February 3, the US predicted that Russia would use graphic fake videos as pretext for invasion. Open source intelligence researchers analyzed a video that surfaced two weeks later proving the US correct. These videos serve two purposes: to bolster internal sentiment for invasion and distort narratives abroad. In France, India, the UK, and the US, respondents to our March 2021 Global Trust Imperative Survey trusted their employers more than their national and local government leaders. This means that the information your security team provides carries considerable weight. So, keep your incident response plans and their communication elements handy.
- Consider secure communications tools for security, privacy, and reliability. Firms concerned about the security and privacy of business communications — such as eavesdropping, communications metadata exposure, data loss, or noncompliance — over traditional channels can take steps to protect corporate communications. Employees in and around Ukraine may also face disruptions to communications infrastructure. Encrypted messaging and calling solutions like Element, KoolSpan, and Wickr work in low-bandwidth environments. And these tools aren’t one-off investments; you can use them to protect your everyday communications and as out-of-band communications channels during incident responses and to provide traveling executives with enhanced security.
- Build your incident responder ranks. If you’ve been looking to create a path for advancement for your high-performing security operations center (SOC) analysts or security engineers, now is the time. Many incident response service providers offer training for internal teams on response actions, forensic investigations, and evidence collection. A targeted attack usually results in a complex, protracted response. Work with your provider to develop a training plan that creates a bench of capable understudies on the promotion path so that you can allow your key responders to rest and avoid burnout.
- Pay attention to device and software hygiene. This may seem like a no-brainer, especially given typical C2C (comply to connect) policies, but this is a critical time to get your devices, endpoints, and applications fully patched and up to date. Prioritize critical vulnerabilities and any vulnerabilities with a known exploit, but don’t neglect highs and mediums; an unrelated attacker who has been hoarding a backlog of exploits might well decide to use them while the world is preoccupied with the war in Ukraine. In addition, consider a tabletop exercise around responding to and patching a new zero day.
Forrester just published a full report on this same topic: “Russia’s Invasion Has Permanently Altered The Cyberthreat Landscape”.
Note: Senior Analyst Heath Mullins also contributed to this blog post.