The Cyberwar Against Pro-Ukrainian Countries Is Real. Here’s What to Do.


On April 20, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom released a joint “five eyes” Cybersecurity Advisory (CSA) to warn about increased malicious cyberattack activity brought about “in response to the unprecedented economic costs imposed on Russia as well as material support provided by the United States and U.S. allies and partners.” The advisory also notes that “some cybercrime groups have recently publicly pledged support for the Russian government” and “have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people.”

One example of a Russian backer is Conti, a highly organised ransomware group that typically targets high-revenue organisations, though it recently claimed responsibility for attacking the government of Costa Rica, forcing the country to declare a state of emergency. As reported by CNBC, recently leaked internal documentation from Conti shows that it operates much like a regular company, with salaried workers, bonuses, and performance reviews. Being experts at deceit, Conti has even misled some of its employees into thinking they work for a legitimate agency, not a notorious cybercrime organisation.

For our experts at Akamai, the leaked documents presented a rare opportunity to better understand the tools and techniques used by a modern ransomware group. You can read our full analysis here, but one clear key takeaway is that effective mitigation can be achieved by adding or expanding foundational controls, such as more granular access control and network segmentation.

Interestingly, this guidance on foundational controls is reflected in the “five eyes” CSA, reminding us that during this particularly turbulent political time, strengthening or implementing foundational security practices is critical to both protect our organisations and alleviate the already intense strain on our defenders.

What to do about increasing cyberattacks? Start with patching and controlling access

First, let’s look at the lowest-hanging fruit in the CSA guidance, which reminds organisations to update software, including operating systems, applications, and firmware, on IT network assets – especially the patching of known exploited vulnerabilities included in this growing catalogue.

Many servers, especially those in high-risk environments, such as those directly accessible from the internet, may have been compromised before security teams detected a threat. When patching cannot be done quickly enough, installing a fully protective WAAP (web application and API protection) can give you the greatest range of protection before, during, and after the patching process.

While the advisory makes several points, the majority of its recommendations can be boiled down to one main theme: access, including account access and privileges, password hygiene, behaviour analysis, and how your networks are connected. While these recommendations are so common they sound simple, as practitioners we know they are anything but.

What they are is foundational. The CSA underscores the importance of introducing or expanding Multi-Factor Authentication (MFA) within your organisation. MFA can also be the first step organisations take toward building a Zero Trust framework – the security posture we all need now that “securing a perimeter” is largely a thing of the past. Akamai’s CTO, Robert Blumofe, provides helpful guidance on where to begin or expand MFA implementation here.

Use segmentation to address the risk of ransomware

According to the CSA, “Russian-aligned cybercrime groups likely pose a threat to critical infrastructure organisations primarily through deploying ransomware” and by “conducting DDoS attacks against websites.” The five eyes report goes on to discuss segmentation specifically, particularly between IT and OT environments, and the importance of limiting lateral movement. Since ransomware relies on infecting the greatest number of endpoints in a network, implementing network segmentation, or better yet microsegmentation, limits its ability to move laterally, which is exactly what ransomware needs to be successful.

In fact, segmentation based on role and functionality, using software-based microsegmentation, might be the most important weapon in your defense arsenal to reduce the risk and spread of ransomware. Microsegmentation allows its users to segment their network down to individual devices, or to segment specific vectors, by using rules.

Not only does segmentation assist significantly with defense, but software-based segmentation also provides a significant amount of visibility into your network traffic, adding a powerful tool to your incident response and remediation plan. By being able to see and monitor every traffic pattern in your network, you can easily spot inconsistencies, which allows for quick detection.
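To make the two preceding points concrete, here is an added example (not code from the article or from Akamai’s products) of a minimal role-based microsegmentation policy: hosts map to roles, an allow list is written per role with default deny, and every denied flow from a constructed set of flow records is surfaced per source host as the kind of traffic inconsistency the visibility argument refers to. The host inventory, roles, ports and flow records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Constructed inventory: every host carries a role, and policy is written per
# role, so adding a host never requires a new rule (assumed layout, not Akamai's).
ROLES = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "ot-plc",  # OT device that must stay isolated from the IT tiers
}

# Allow list keyed by (source role, destination role, destination port).
# Anything not listed is denied: default deny is what limits lateral movement.
ALLOW = {
    ("web", "app", 8080),
    ("app", "db", 5432),
}
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny'; hosts missing from the inventory are denied."""
    src_role, dst_role = ROLES.get(flow.src), ROLES.get(flow.dst)
    if src_role is None or dst_role is None:
        return "deny"
    return "allow" if (src_role, dst_role, flow.dport) in ALLOW else "deny"

def lateral_findings(flows):
    """Group denied flows by source host: these are the traffic inconsistencies
    that segmentation visibility surfaces for incident response."""
    findings = {}
    for f in flows:
        if decide(f) == "deny" and f.src in ROLES:
            findings.setdefault(f.src, []).append((ROLES.get(f.dst, "unknown"), f.dport))
    return findings

# Constructed flow records: expected tiered traffic plus one web host reaching sideways.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 8080),  # web -> app, allowed by policy
    Flow("10.0.2.20", "10.0.3.30", 5432),  # app -> db, allowed by policy
    Flow("10.0.1.10", "10.0.1.11", 445),   # web -> web, peer-to-peer, denied
    Flow("10.0.1.10", "10.0.3.30", 5432),  # web -> db, skips the app tier, denied
    Flow("10.0.1.10", "10.0.9.99", 502),   # IT -> OT, denied and worth an alert
]

if __name__ == "__main__":
    for src, hits in lateral_findings(SAMPLE_FLOWS).items():
        print(f"{src} ({ROLES[src]}) denied to: {hits}")
```

Running it reports a single source host with three denied destinations, which is the triage view a responder would start from.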

Develop operational readiness to protect against DDoS attacks

Finally, developing and maintaining operational readiness to mitigate DDoS attacks – the other most common attack type mentioned in the CSA – is critical. Five key areas to address include conducting service validations, confirming authorised mitigation service contacts, reviewing and updating runbooks, performing operational readiness drills, and updating your emergency methods of communication. Businesses with a DDoS mitigation resource in place should also review and refresh their processes for routing traffic on and off that service.

The current state of our world is daunting on several levels, and organisations are being forced into new territory in terms of where and how they do business and what they need to protect. Taking action is critical, as the right actions can mean the difference between an incident and a headline. Learn more about prioritising security without sacrificing your organisation’s productivity here.

Copyright © 2022 IDG Communications, Inc.