It is no news anymore that Russia has started the largest war in Europe since the Second World War. In an unstable system like the current global order, it is a true singularity: an unexpected event that could lead to arbitrarily large effects. Nobody really wanted to believe it was happening, but here we are, not knowing what the next few days and weeks will make of the world order as we know it.

Most people are already aware that in 2022 wars are no longer fought only in the physical realm. The modern world is dominated by technology, modern technologies are often interconnected through data networks, and more often than not that network is the Internet.

This means that cyber soldiers can sit in the comfort of their homes (or, like Ukrainians right now, in the discomfort of their shelters) and still cause major damage to critical infrastructure.

For example, Ukraine suffered the latest blow in an ongoing campaign of cyber attacks as Russian aircraft attacked Ukrainian cities. A number of government and bank websites in Ukraine crashed on Wednesday, according to the BBC. It came just over a week after a similar attack caused the downtime of 70 Ukrainian government websites. Ukrainian computers were hit by data-wiping software as Russia launched its invasion.

Both Ukraine and the United States have accused Russia, and it is difficult to believe they are wrong.

Ukrainians, on their side, are not standing still. Ukraine has called on its hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according to Reuters.

"We are creating an IT army," Vice Prime Minister Mykhailo Fedorov wrote in a tweet that linked to a channel on the Telegram messaging app, which published a list of prominent Russian websites.

Cyber armies are converging and fighting in support of one side or the other, but how long will it be before they turn their attention to businesses instead, and what guarantees that it will be someone else's business rather than ours?

I strongly believe war is a disgrace to both fighting parties, and in the ashes of this cyberwar, we will find highly skilled cyber experts who are in extreme poverty on either side; guns for hire. In a world where cryptocurrency exchanges can easily be carried out in stealth mode, are your competitors likely to hire them?

Better safe than sorry is one of my guiding principles. We have been gearing up for these cyber battles for years, and as this conflict escalates we have designed the following steps specifically to respond to targeted cyber-attacks, making full use of our Advantio MDR (Managed Detection and Response) and all connected technologies in use at our MSOC.

Our goal today is to share these with you so that you can protect your business and focus on growing it efficiently.

Stay safe,
Marco Borza


Do not forget that these actions should be applied on top of existing business continuity initiatives.

  • Step 1 - Creation of the special intelligence workforce
    A group of executives and senior technicians meets twice a week or more to conduct special and continuous risk assessments and to lead the extraordinary activities that might be triggered on a day-to-day basis. Our CISO reports daily on all relevant activities to the executive board. Our contingency plans are updated on a regular basis.
  • Step 2 - Installation of dedicated SIEM (Security Information and Event Management) correlation rules and of additional threat intelligence feeds
    Our SOC team has defined ad-hoc triggers to monitor potential attacks originating from, or targeting, specific geographical locations. These triggers are based on precise payloads and IoCs (Indicators of Compromise). Similar initiatives are being applied globally by threat intelligence feed providers. Our MSOC team engages those intelligence feeds to continually improve and reinforce the evaluation of potential attacks.
  • Step 3 - Identification of critical assets and users in Ukraine, Russia, and nearby locations
    We have opted for a fully cloud-based approach. We require that all of our impacted users remove local content and ensure data is safely uploaded to our company cloud infrastructure. Dedicated monitors are in place to supervise users' behaviour in full respect of their privacy. Additionally, we have instructed users to disable sync options for local content and to wipe local copies, if any.
  • Step 4 - Remote interventions on impacted assets
    Our MSOC is ready to act remotely thanks to our EDR (Endpoint Detection & Response) technology and our MDR processes. This technology allows us to isolate and wipe computers in response to detected threats. By default, computers left unattended because of emergency responses are wiped immediately and remotely. If you do not have an EDR technology, this should be your first technological improvement over the next few hours or days.
  • Step 5 - Privileged users from risky geographical locations
    Given the expected rise in alerts from risky geographical locations, privileged users there are temporarily demoted to limit the potential damage caused by identity theft or malware.
  • Step 6 - Increase all endpoint protection policies
    To prevent incidents, our EDR is running with highly restrictive policies. Such constraints apply to content management, web browsing, network connections, and threat analysis. In addition to regular real-time incremental malware analysis, endpoint disks are checked every hour.
  • Step 7 - Remote connectivity
    We have offered emergency support to those in need of secure connections from remote and untrusted networks by allowing links through multi-protocol VPN concentrators to our corporate assets. All our corporate assets and client data reside either on AWS (Amazon Web Services) or on Azure.
  • Step 8 - Ad-hoc dashboards
    A series of dedicated monitoring dashboards has been designed by the MSOC team to provide our emergency workforce with a real-time view of critical KPIs (Key Performance Indicators). For example, our emergency team can view connections originating from risky geographical locations, if any.
  • Step 9 - Test your incident response plan
    A cyber crisis tabletop exercise, also known as a cyber incident response test, will help your organization identify different risk scenarios and prepare for cyber threats. This is the most efficient way to evaluate whether your organization's incident response plan works effectively in the event of a cyberattack.
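The following is an added example, not Advantio's own code or the content of its SIEM rules: a minimal correlation pass of the kind Step 2 describes, producing the per-country connection counts that the dashboards in Step 8 would display. It assumes a constructed connection-log format, a placeholder geo lookup table (a real deployment would use a GeoIP database), a configurable set of risky locations, and IoC lists fed by a threat intelligence provider. Every IP, domain, hash and country assignment below is a constructed placeholder, not a real indicator.

```python
"""Added example: SIEM-style correlation of constructed connection logs
against a risky-location set and IoC lists, plus dashboard counts."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed log format (constructed): "<ts> src=<ip> dst=<host> sha256=<hash|->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sha256=(?P<sha>\S+)$"
)

# Assumed geo lookup: CIDR -> country code. Placeholder mapping over the
# RFC 5737 documentation ranges; the codes XA/XB/XC are constructed.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
    ipaddress.ip_network("192.0.2.0/24"): "XC",
}
# Assumption: the locations the intelligence workforce has flagged as risky.
RISKY_LOCATIONS = {"XA"}

# Constructed IoCs standing in for what a threat intelligence feed supplies.
IOC_DOMAINS = {"update-cdn.example.invalid"}
IOC_HASHES = {"0" * 64}  # placeholder SHA-256, not a real indicator


@dataclass
class Alert:
    ts: str
    src: str
    reason: str


def lookup_country(ip_text):
    """Resolve an IP string to a country code; 'ZZ' when unknown or unparseable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "ZZ"
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "ZZ"


def correlate(lines):
    """Apply the three triggers to each log line.

    Returns (alerts, by_country): the alerts raised, and the number of
    connections seen per source country for the dashboard view.
    """
    alerts = []
    by_country = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production SIEM would count these too
        ts, src, dst, sha = m["ts"], m["src"], m["dst"], m["sha"]
        cc = lookup_country(src)
        by_country[cc] += 1
        if cc in RISKY_LOCATIONS:
            alerts.append(Alert(ts, src, f"connection from risky location {cc}"))
        if dst.lower() in IOC_DOMAINS:
            alerts.append(Alert(ts, src, f"destination matches IoC domain {dst}"))
        if sha != "-" and sha.lower() in IOC_HASHES:
            alerts.append(Alert(ts, src, f"payload hash matches IoC {sha[:12]}..."))
    return alerts, by_country


# Constructed sample log: one benign line, one from a risky location, one
# reaching an IoC domain, one carrying an IoC hash, and one garbage line.
SAMPLE_LOG = [
    "2022-03-01T08:00:00Z src=198.51.100.7 dst=mail.corp.example sha256=-",
    "2022-03-01T08:00:05Z src=203.0.113.9 dst=vpn.corp.example sha256=-",
    "2022-03-01T08:01:10Z src=192.0.2.44 dst=update-cdn.example.invalid sha256=-",
    "2022-03-01T08:02:00Z src=198.51.100.8 dst=files.corp.example sha256=" + "0" * 64,
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    found, counts = correlate(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.ts} {a.src}: {a.reason}")
    print("connections by country:", dict(counts))
```

Run as-is it raises three alerts (one per trigger) and reports two connections from XB and one each from XA and XC; the unparseable line is skipped. The geo lookup deliberately returns a distinct "ZZ" bucket rather than dropping unknown sources, so a dashboard can show how much traffic the enrichment failed to classify.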

As a multinational with a strong presence in Ukraine, we want to make sure our Ukrainian colleagues are also provided with adequate, and often bespoke, security controls. We have laid out a summary of all the recent measures taken to enhance our SOC - read here.

We know cyber security is one of your primary concerns right now, but it should not be your primary responsibility during this challenging time - let us be your trusted security partner.

Cyberattacks will increase dramatically over the coming weeks amid the ongoing conflict. In order to protect the assets of your executives and management team, we are offering the Advantio MDR (Managed Detection and Response) service FREE until the end of May 2022.

While we strive to help everyone, our capacity is limited. Hence, we will work on a first-come-first-served basis, and our existing clients will be given priority.

Reach out to us now and start protecting your business today.



Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300 bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA
