February 26, 2022
Are You Prepared for Russian Cyber Attacks?

Prepare for Russian Attacks but Increased Attacks are Here to Stay
The Cybersecurity and Infrastructure Security Agency (CISA) issued the following assessment of the Russian cyber attack threat. But make no mistake about it: these threats already exist and will continue to exist after any Russian geopolitical tension subsides.
The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries. Recent Advisories published by CISA and other unclassified sources reveal that Russian state-sponsored threat actors are targeting the following industries and organizations in the United States and other Western nations: COVID-19 research, governments, election organizations, healthcare and pharmaceutical, defense, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing. The same reporting associated Russian actors with a range of high-profile malicious cyber activity, including the 2020 compromise of the SolarWinds software supply chain, the 2020 targeting of U.S. companies developing COVID-19 vaccines, the 2018 targeting of U.S. industrial control system infrastructure, the 2017 NotPetya ransomware attack on organizations worldwide, and the 2016 leaks of documents stolen from the U.S. Democratic National Committee.
According to the U.S. Office of the Director of National Intelligence 2021 Annual Threat Assessment, “Russian cyber attacks continue to target critical infrastructure, … as compromising such infrastructure improves—and in some cases can demonstrate—its ability to damage infrastructure during a crisis.” The Assessment states that “Russia almost certainly considers cyber-attacks an acceptable option to deter adversaries, control escalation, and prosecute conflicts.”
Small Businesses at Risk Too
While many of these attacks target important or critical infrastructure, Russian state-sponsored groups like Sandworm are also attacking small and medium business infrastructure with malware such as Cyclops Blink. Because malware delivery can be automated, every company is a potential target.
Many of today’s most damaging attacks are automated: ransomware, supply chain attacks, and CEO fraud. The federal government considers the threat real enough that it is passing legislation and working with the SBA to identify the top security needs of small businesses and to start funding some of the solutions. As CISA puts it in its warning, “Every organization—large and small—must be prepared to respond to disruptive cyber activity.”
CISA Guidance
CISA is providing this guidance as it relates to Russian cyber-attacks. The guidance covers reducing the likelihood of damage, taking steps to detect an attack, making sure your organization is prepared to respond, and maximizing resilience. At the beginning of the Russian invasion of Ukraine, Russian cyber-attacks focused on the government of Ukraine, as well as critical infrastructure and businesses in that nation. However, as international support for Ukraine grows, so does the likelihood that Russian cyber-attacks will spread to government and business networks in the U.S. and other NATO countries.
Common Russian Cyber-Attack Tactics from State-Sponsored APT Actors
CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. Advanced Persistent Threats (APTs) have been around since the 2010s but remain the most effective method of maintaining a persistent foothold in an organization. APT attacks typically proceed through these steps:
- Reconnaissance
- Initial Access
  - Exploiting a vulnerability to gain access (malware, zero-days, supply chain attacks, etc.)
- Execution
  - Running attacker code on the victim’s computers, often remotely
- Persistence
  - Methods to remain active in the victim’s systems, e.g. stolen credentials and system hijacking
- Credential Access
  - Use of multiple methods to steal credentials for easy persistent access
  - Brute force methods, dark web access to password stores, system vulnerability exploits, unsecured credentials, etc.
- Command and Control
  - Control of target systems that facilitates download of new malware, use of target systems as botnets, etc., with traffic often tunnelled through VPNs to hide it
How Companies Need to Respond to Russian Cyber-Attacks
These are the top methods CISA recommends against Russian threats, but they are also the top methods recommended by regulations and best practices to prevent, detect, and respond to any cyber-attack.
- Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a security plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
  - Use 3rd party risk assessments to determine your most important security gaps
    - Use assessment results to develop and maintain an up-to-date security plan
    - Identify and document critical assets
    - Define, implement, and test these plans:
      - Incident response plan
      - Resilience plan
      - Business continuity plan
    - Implement a complete, resilient security infrastructure
- Enhance your organization’s cyber posture. Follow best security practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
  - Harden your security systems
    - Implement strong identity and access management
      - Multi-factor authentication
      - Strong passwords
      - Use of adaptive authentication, when possible, on developed software systems
      - Use of least privilege authorization
    - Identify, detect, and investigate abnormal activity
      - Actively managed overall security monitoring, new threat detection, and response/remediation systems
      - Monitor all security and IT systems
        - 24×7 security monitoring is recommended
        - 3rd party security operations centers (SOCs) using SIEMs are an easy way to provide this capability
      - Threat hunting
      - Other network monitoring
      - Endpoint Detection & Response (EDR) solutions
      - Strong email security (overlapping solutions are a good idea; email is a top threat vector)
      - Computer Assisted User Training (CAT) to minimize user error
      - Network segmentation
    - Vulnerability and configuration management
      - Timely application and system patching
      - Configuration controls
- Increase organizational vigilance. Stay current on industry cyber threat reporting and be prepared to respond.
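Two of the items above, the Credential Access step of the APT lifecycle (brute-force logins) and the recommendation to monitor all security and IT systems, meet in the most basic detection a SIEM or SOC runs: counting failed logins per source and flagging a success that follows a burst of failures. The following Python script is an added example written for this post, not code from CISA or from eSecurity; the sshd-style log lines, the IP addresses and the usernames are constructed, and the five-failures-in-five-minutes threshold is an assumption you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Linux auth.log / sshd style (not real data).
SAMPLE_LOG = """\
Feb 26 09:00:01 host1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Feb 26 09:00:03 host1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Feb 26 09:00:04 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 26 09:00:06 host1 sshd[1204]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Feb 26 09:00:07 host1 sshd[1205]: Failed password for backup from 203.0.113.7 port 51026 ssh2
Feb 26 09:00:09 host1 sshd[1206]: Accepted password for backup from 203.0.113.7 port 51027 ssh2
Feb 26 09:15:00 host1 sshd[1300]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Feb 26 09:15:05 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40011 ssh2
"""

# Matches both "Failed password for <user>" and "Accepted publickey for <user>";
# sshd prefixes unknown accounts with "invalid user", which is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line, year=2022):
    """Return a dict for one sshd auth line, or None if the line is not an auth event.
    Syslog lines carry no year, so one is assumed (hypothetical default)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan auth lines in order and return alerts for two patterns per source IP:
    - brute_force: at least `threshold` failures inside a sliding `window`
    - success_after_failures: a successful login from a source already flagged
      as brute-forcing (the sign that a guessed credential actually worked)
    A single typo followed by a good login (alice below) is deliberately ignored."""
    alerts = []
    failures = defaultdict(list)     # src -> timestamps of recent failures
    users_tried = defaultdict(set)   # src -> usernames attempted
    flagged = set()                  # sources already reported as brute-forcing
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        # Expire failures that fell out of the sliding window.
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if ev["result"] == "Failed":
            failures[src].append(ts)
            users_tried[src].add(ev["user"])
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(failures[src]),
                               "users": sorted(users_tried[src])})
        elif src in flagged:
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": ev["user"],
                           "prior_failures": len(failures[src])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as-is, the script reports one brute_force alert for 203.0.113.7 (five failures across the admin, root and backup accounts) and then a success_after_failures alert when the backup account accepts a password from the same source; alice's single mistyped password followed by a key-based login produces nothing. The second alert is the one an analyst should treat as an incident, because it is the moment Credential Access turns into Persistence; in a real SOC the same logic would run inside the SIEM over every authentication source (VPN, cloud console, email), not only sshd.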
Top Cyber Readiness Takeaways
1) Russian cyber-attacks against U.S. companies may intensify, but high levels of cyber-attacks are here to stay, and companies need to be prepared now and in the future
2) Attacks will continue to be waged against companies of ALL sizes. Automation makes attacks against every company cost effective, so companies need to step up their cyber security infrastructure
Recommendations
1) The recommendations from CISA to combat Russian threats are no different from what all major security frameworks, such as NIST and ISO 27000, already recommend.
2) Cyber readiness starts with 3rd party risk assessments to determine your company’s high priority security investments
3) Use of 3rd party managed security enables all size companies to have expert 24×7 management of their security.
4) 24×7 SOCs using sophisticated SIEMs provide top-level 24×7 monitoring, detection, and proactive response to security attacks. Third party managed SOCs are a good solution for companies that do not have a large 24×7 security staff.
Don’t hesitate to Contact eSecurity to discuss how your company can increase its cyber security posture.