After spending over a decade in cyber warfare and information warfare, including being personally targeted by nation states, I get asked all the time how companies and individuals can protect themselves from nation-state attacks. Today, my answer has changed.
Usually, I answer that companies and individuals are not a target. In the past, nation state actors have generally kept their attacks to national institutions, militaries, political entities, and larger corporations, leaving individual citizens and the broader industry off the table. However, as we see Russia invade Ukraine and Western governments respond with sanctions, that playbook has been seriously eroded – now, as the saying goes, “you’re not a target until you are.” Cyber attack technologies have evolved significantly in the last two decades to enable massive, broad attacks across swaths of targets simultaneously. With that, the spectrum of potential targets in a nation-state campaign is much wider than it used to be.
We should expect Russia to increase their offensive cyber attacks to retaliate against sanctions, especially given the hardening of other countries’ physical defenses and security postures. Based on the sanctions we’re seeing, if you’re in the financial sector, an energy company, or a Western non-profit, you’re likely much higher on the target list. However, you might be a target and not even realize it. For example, if you have executives involved publicly in non-profits or think tanks taking a public anti-Russian stance, you may be garnering unwanted attention. It’s worth taking a moment with this in mind to diagnose whether you may be a “critical” or likely target for attacks. You can also expect other nations to take advantage of the chaos and increase their cyber espionage and attacks.
I frequently hear defenders and security companies talk about 100% effective defenses or ways to “always” detect adversaries – as my fellow offensive-minded professionals like to joke, that’s “spoken like a true defender.” I’m here to tell you that while preventing a dedicated nation-state attack isn’t possible, you can and should be prepared. Ultimately, you should be raising the bar defensively to make it hard for the adversary to make an impact and cause you damage.
Here is the Crisis Readiness Playbook that every organization should be following.
- Make sure everyone is safe. If you know of anyone traveling in or near Eastern Europe, get them to register with their embassy immediately.
- Send out a reminder to your entire company on how people are the most likely vector of attack. For example, remind them of phishing attacks and tell them to report unusual activity.
- Check executive connections or communications to political hot topics, even as simple as social media posts targeting Russia. You might be a target because of those views and not because of your business.
- Put an insider risk playbook into place. Consider that attackers might be internal, and not just employees but contractors and partners also.
Harden Your Security Posture
- Do you use a managed security provider? If so:
- Find out where you are on their priority list across their client base and/or how they would handle broad simultaneous attacks on a number of their clients.
- Find out what they’re doing to increase their readiness.
- Do you manage your own security? If so, increase your readiness for attacks:
- Turn on multifactor authentication (MFA), especially for your key accounts. If you’re still one of those people using the same passwords everywhere, start changing them now. Get a password manager like Bitwarden or Dashlane.
- Increase your network monitoring. Focus on outbound traffic, where you’re more likely to see malware calling out to a command-and-control (C2) server. Nation-state malware is extremely difficult to detect these days, but in most cases it still has to communicate somehow.
- Increase endpoint monitoring as much as possible. Consider deploying browser plugins like Microsoft Defender Browser Protection or GuardIO Protection for Chrome if you don’t have something in place.
- Prepare and practice network and host isolation. If you’re a critical target, consider practicing pulling the plug on your key network(s) and disconnecting them from the Internet.
- If you have cybersecurity staff with deeper skills, it’s time to go on the hunt. Work your way through your critical servers, data, and key systems within your business, and go deep looking for anything abnormal.
- In both cases:
- Take a look at your incident response plan. Like most organizations, you probably have a check-the-box written plan that’s near-worthless in a real incident. Make sure that the plan is up to date and that you would know exactly what to do if an incident occurred. Start thinking about documenting real workflows for likely attacks – think flowchart if you don’t know how to get started.
- Check your backups. If you’re not 100% (yes, 100%) confident they’re protected, make offline backups of anything critical as much as possible.
- Distributed denial of service (DDoS) attacks will likely continue to be the first wave. Make sure you are prepared, and see what your organization, your cloud and network providers, and similar underlying infrastructure have in place. Get something for yourself into place as needed. Critical targets may want to proactively “turn it up”.
- Move forward increasing your focus on hygiene. For example, it’s time to get after patching those vulnerabilities you’ve been delaying acting on.
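One way to act on the outbound-monitoring item above is to score outbound connection records for beacon-like regularity. This is an added example, not code from the original post or from BreachRx; the log layout, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound connection records (not real traffic):
# timestamp, internal source host, external destination, bytes sent.
SAMPLE_LOG = """\
2022-02-25T09:00:00 10.0.0.12 203.0.113.7 412
2022-02-25T09:05:01 10.0.0.12 203.0.113.7 410
2022-02-25T09:10:00 10.0.0.12 203.0.113.7 415
2022-02-25T09:15:02 10.0.0.12 203.0.113.7 409
2022-02-25T09:20:00 10.0.0.12 203.0.113.7 413
2022-02-25T09:00:13 10.0.0.12 198.51.100.20 9031
2022-02-25T09:07:45 10.0.0.12 198.51.100.20 12044
2022-02-25T09:31:02 10.0.0.12 198.51.100.20 3300
2022-02-25T09:02:00 10.0.0.33 198.51.100.20 8800
2022-02-25T09:40:10 10.0.0.33 198.51.100.20 2210
"""

def parse(log):
    """Group records by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows

def beacon_candidates(log, min_conns=4, max_cv=0.1, max_hosts=1):
    """Flag pairs whose connection timing and size are unusually regular
    and whose destination is reached by few internal hosts (assumed thresholds)."""
    flows = parse(log)
    hosts_per_dst = defaultdict(set)
    for (src, dst) in flows:
        hosts_per_dst[dst].add(src)
    findings = []
    for (src, dst), events in flows.items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        # Coefficient of variation: near zero means machine-like periodicity.
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_cv and size_cv <= max_cv and len(hosts_per_dst[dst]) <= max_hosts:
            findings.append({"src": src, "dst": dst,
                             "period_s": round(mean(gaps)), "interval_cv": round(gap_cv, 3)})
    return findings
```

Real beacons add jitter, so treat a hit as a lead for the hunt team, not a verdict.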
Improve Readiness for Action
- Update or establish an incident response team. If you’re a critical target, test activating it. Make sure it’s cross-functional and integrates privacy, security, IT and communications, among others.
- Run an exercise with your team, right now. Start small if necessary, just to warm up the team.
- Update or establish a backup communications plan. If you’re a critical target, consider going live in the background now.
- Open source intelligence (OSINT) is incredible these days and you can use it to stay on the bleeding edge for what’s going on and coming over the horizon. A word of caution: it’s easy to get obsessed with watching it tactically, so the key is not to go overboard.
- Bob Gourley (@bobgourley) and the OODA (@ooda) team’s Russia/Ukraine list: https://twitter.com/i/lists/1483456727219683332
- #OSINT on Twitter. Keep an eye out for disinformation; it’s already out there broadly. https://twitter.com/hashtag/OSINT
- Follow all the amazing security community professionals and government agencies putting out tips to help:
- Hat tip to Mick Douglas (@bettersafetynet): https://twitter.com/bettersafetynet
- DHS Cybersecurity and Infrastructure Security Agency – CISA #shieldsup: https://www.cisa.gov/shields-up
Ensure Business Continuity
- Break out your Business Continuity & Disaster Recovery plan. What would you target if you were attacking your organization? Imagine that’s down, now what?
- Think about critical connectivity – networks, phones, whatever is relevant and core to your business. If that’s disrupted, what’s your backup?
- Examine your cyber insurance plan. Know your requirements if you have an incident or attack. Call your provider and find out where you are in their priority stack and/or how they would handle broad simultaneous attacks on a number of their clients.
- Update your law enforcement and government agency contact list.
- Connect with your marketing and/or corporate communications team. Find out if there are any impending communications that might increase your likelihood of being a target. Also, find out if they have a communications plan for customers and other key stakeholders in the event of an incident.
Finally, keep in mind a lesson I personally learned in the aftermath of the 9/11 attacks – don’t lose your cool. Get focused and go for the long game. Chances are that, once the lid comes off, our worry about a nation state attack on individuals and businesses will shift from a point in time to a continuous threat. You can expect other nations will also take advantage of the chaos and increase their cyber espionage and attacks. We should all be using this as a wake-up call to shore up our defenses and prepare for another permanent escalation in cyber warfare.
Want to get ahead of any potential incidents? You can access the playbook above in the BreachRx incident management platform while automating your workflows and collaborating live with your team. If you are a 501(c)(3) non-profit, BreachRx is pleased to provide this playbook in our platform at no cost for the 2022 calendar year.