What Can Cyber Practitioners Do in the United States to Prepare?
Today, our world is more connected than ever through a technological infrastructure that has revolutionized the way individuals, organizations, and governments carry out their day-to-day activities. While this evolution has benefited us economically and socially, it has also altered the definition of warfare. Russia has employed cyber tactics as part of its military operations since at least 2014, when it unlawfully annexed the Ukrainian territory of Crimea, and it is poised to inflict more damage in the wake of its invasion of Ukraine and the mounting conflict there. As these tactics continue to evolve, it is essential to examine their impact on critical infrastructure in order to become cyber-ready, whether or not a nation is currently at war.
Traditional Warfare vs Cyberwarfare
Traditionally, warfare has been defined by military forces combating one another by land, sea, and air within defined borders, bounded by state institutions and laws. However, as we continue to modernize our infrastructure with technology, we must be aware of nefarious actors who use the borderless digital realm to exploit our interconnected technological infrastructure. The aim of these actors is to use cyberspace to damage, destroy, or disrupt vital services provided by critical infrastructure (water, transportation, energy, and so on), and their actions are usually either criminally or politically motivated. The use of such cyberattacks by one state against another is referred to as cyberwarfare, and it has significantly changed our perception of what war is: traditional and cyber techniques are now combined, or at least used alongside one another, in the conduct of war.
“Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.” – RAND Corporation
Cyberwarfare: Russia’s Annexation of Crimea in 2014
Today there is no doubt that as conflict among nation-states increases, we should expect cyber tactics to be used in support of military objectives. For example, the December 2015 and December 2016 cyberattacks on Ukraine's power grid, attributed to Russia's GRU military intelligence agency, left roughly 230,000 customers without power in 2015 and cut power to part of Kyiv in 2016. In the 2015 campaign the attackers used spearphishing to deliver Microsoft Word documents carrying malicious macros to employees of Ukrainian energy companies. When an employee enabled the macros, the BlackEnergy malware was installed, giving the attackers the foothold they used over the following months to harvest credentials, reach the control networks, open breakers at distribution substations, wipe operator workstations with the KillDisk component, and flood the utilities' call centers so that customers could not report the outage. These attacks came after Russia had annexed Crimea in 2014.
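As an added illustration (this is not code from the original article or from Cybrary), the detection below flags the process-tree footprint that this kind of spearphishing leaves on a Windows endpoint: an Office application launching PowerShell or another interpreter, which is what a malicious macro does to stage its next step. The Sysmon-style event records, host names, users, and command lines are constructed for the example, and the detection lists are a starting point rather than an exhaustive catalog.

```python
"""Added example: flag Office applications spawning shell/script
interpreters, the process-tree footprint of a macro-laden spearphishing
attachment (ATT&CK T1566.001 leading to T1059). The events below are
constructed, Sysmon-style process-creation records (Event ID 1), not
telemetry from the Ukrainian grid attacks."""
import json
from dataclasses import dataclass

# Parent processes that should rarely launch an interpreter directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that a macro typically uses to stage the next payload.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Command-line markers that raise the severity of a hit.
HIGH_RISK_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "downloadstring", "http")

# Constructed sample telemetry (JSON lines); hosts, users and commands are fictional.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "HR-PC-07", "User": "CORP\\jdoe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."}
{"EventID": 1, "Computer": "IT-ADMIN-01", "User": "CORP\\admin", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Service"}
{"EventID": 1, "Computer": "FIN-PC-12", "User": "CORP\\asmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c copy \\\\10.0.0.5\\share\\upd.exe %TEMP%\\upd.exe"}
{"EventID": 1, "Computer": "HR-PC-07", "User": "CORP\\jdoe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": 3, "Computer": "HR-PC-07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10"}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    child: str
    severity: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text: str):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_office_child_processes(events):
    """Return one Finding per Office-to-interpreter process creation."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:  # only process-creation events carry a parent image
            continue
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
            continue
        cmd = ev.get("CommandLine", "")
        # Encoded or hidden-window PowerShell and download cradles are the classic macro stagers.
        severity = "high" if any(m in cmd.lower() for m in HIGH_RISK_MARKERS) else "medium"
        findings.append(Finding(ev.get("Computer", "?"), ev.get("User", "?"), parent, child, severity, cmd))
    return findings


def run_demo():
    """Run the detection over the constructed sample and return the findings."""
    return detect_office_child_processes(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.severity.upper()}] {f.host} {f.user}: {f.parent} -> {f.child}: {f.command_line}")
```

On the sample above the rule fires twice: the hidden, encoded PowerShell launched from Word is rated high, and the Excel-to-cmd.exe copy from a network share is rated medium, while an administrator running PowerShell from Explorer, Word launching its print helper, and a network-connection event (which has no parent field) are all ignored. The same parent/child logic maps directly onto a SIEM query or a Sigma rule over real Sysmon or EDR telemetry.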
In June 2017, Russia's GRU launched NotPetya, a wiper disguised as ransomware that destroyed data on the computers of banks, energy firms, government ministries, and Kyiv's Boryspil airport. The victims were not lured to a website: the attackers compromised the update server of M.E.Doc, a widely used Ukrainian tax and accounting package, and pushed the malware to customers through the software's own trusted update mechanism. Once inside a network, NotPetya spread on its own using the EternalBlue SMB exploit and stolen Windows credentials, disrupting Ukraine's financial systems. Because Ukrainian offices were connected to parent companies, vendors, customers, and partners abroad, it also took down systems in Denmark, India, and the United States, among them the shipping company Maersk and the pharmaceutical company Merck. To date, NotPetya is estimated to have caused $10 billion (£7.5bn) in damage worldwide.
Cyberwarfare: Russian Invasion of Ukraine (2022)
In the days before Russia invaded Ukraine on February 24, 2022, it launched cyberattacks as part of a destabilization campaign against the Ukrainian government. Distributed denial-of-service attacks knocked Ukrainian bank and government websites offline on February 15 and 16 and again on February 23. On February 23 a wiper, now known as HermeticWiper, was also deployed on the systems of Ukrainian financial institutions and government contractors. Its aim was to delete data, make it unrecoverable, and ultimately render the systems inoperable: it abuses a legitimate, signed partition-management driver to overwrite the master boot record and corrupt the file system. The malware itself was signed with a valid code-signing certificate issued to a company called Hermetica Digital Ltd, which helped it evade anti-virus protections that trust signed binaries. It has since been found on systems in Latvia and Lithuania belonging to contractors working for the Ukrainian government.
The Impact of Russia’s Cyberwarfare in Ukraine on the United States
The United States and its NATO allies have imposed several rounds of economic sanctions on Russia for its invasion of Ukraine. This has prompted the security community to warn the U.S. and its allies that Russia may retaliate with cyberattacks against the West. In response, President Biden stated that “if Russia pursues cyberattacks against our companies, our critical infrastructure, we're prepared to respond,” a posture that is explicitly one of response to a Russian attack on the U.S. rather than of preemptive action.
Additionally, the U.S. cyber defense agency CISA (Cybersecurity and Infrastructure Security Agency) has urged all organizations, corporate leaders, and individual Americans to follow its ‘Shields Up’ guidance to prepare for, respond to, and mitigate the impact of cyberattacks, particularly in the wake of the sanctions imposed by the U.S. and its allies. The guidance makes the following recommendations, each with corresponding detailed steps.
CISA's Shields Up Recommendations
All Organizations
Reduce the likelihood of a damaging cyber intrusion:
- Ensure that ALL access to the organization’s network (including remote, privileged and administrative access) requires multi-factor authentication.
- Ensure ALL software is up to date, and prioritize updates that address vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- Disable ALL ports and protocols that are not essential for business purposes.
- If the organization uses cloud services, ensure that IT personnel have reviewed and implemented strong controls following CISA’s guidance.
- Sign up for CISA’s free cyber hygiene services, which include vulnerability scanning, web application scanning, phishing campaign assessment, remote penetration testing, and more.
Take steps to quickly detect a potential intrusion:
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging so that anomalies can be investigated.
- Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures are up to date.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations, and closely review the access controls for that traffic.
Prepare to respond if an intrusion occurs:
- Designate a crisis-response team with main points of contact for a suspected cyber incident, drawn from roles across the organization, including technology, communications, legal, and business continuity.
- Ensure that key individuals are available to provide support during an incident.
- Conduct a tabletop exercise that will ensure all participants understand their role during a cyber incident.
Maximize the organization’s resilience to a destructive cyber incident:
- Test backup procedures to ensure that critical data can be rapidly restored, and ensure that backups are isolated from network connections.
- If the organization uses industrial control systems or operational technology, test manual controls to ensure that critical functions remain operable if the network is unavailable or untrusted.
- Additionally, urge cybersecurity/IT personnel to review CISA’s advisory ‘Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure’.
- Review CISA’s Ransomware.gov for key resources and alerts.
Individual Americans
Improve your cyber hygiene online by:
- Implementing multi-factor authentication, ideally with a FIDO security key, on ALL your accounts: email, social media, online shopping, financial services, gaming, entertainment services like Netflix, and so on.
- Ensuring ALL your software is updated and that automatic updates are turned on for all your devices and applications.
- Thinking before you click a link, whether on a web page or in an email, so that phishing attempts and malware are not given the chance to execute.
- Using strong passwords (long, with numbers and symbols) or, better, a password manager that generates and stores a unique password for every account.
Corporate Leaders & CEOs
Implement a heightened security posture:
- Empower the Chief Information Security Officer (CISO) by including them in the decision-making process for risk to the company, and make security investments a top priority in the immediate term.
- Lower reporting thresholds below normal so that every threat is documented and reported to senior management and to the U.S. government. Any indication of malicious activity, even if blocked by security controls, should be reported to CISA or the FBI.
- Test cyber incident response plans with your security and IT team, senior business leadership, and board members, so that they understand the process and how an incident affects the organization and its supply chain.
- Ensure that business continuity plans are tested, so that critical business functions can continue after a cyber incident.
- Plan for the worst: the U.S. government does not always know when a specific threat will materialize, so organizations should be prepared to take whatever measures are necessary to protect their most critical assets.
CISA also recognizes that organizations of varying sizes may find it challenging to identify key resources to improve their security. Therefore, it has compiled a catalog of free services from government and private sector partners. Source: https://www.cisa.gov/shields-up
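The patching recommendation above is the one most organizations struggle to operationalize: "prioritize updates that address CISA's known exploited vulnerabilities" means cross-referencing the KEV catalog against what is actually installed and working the deadlines in order. The script below, added here as a worked example rather than anything from CISA or the original article, does that against a KEV-format catalog. The catalog excerpt and the asset inventory are constructed: the Log4Shell entry reproduces the real catalog record, while the CVE-0000-* entries, ExampleVendor products, and host names are placeholders. The live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json uses the same field names, so the same code can be pointed at it.

```python
"""Added example: rank an asset inventory against a CISA KEV-format catalog
so that patches for actively exploited vulnerabilities are worked first.
The catalog excerpt and inventory below are constructed; the live feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
uses the same field names (cveID, vendorProject, product, dateAdded, dueDate,
requiredAction)."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {   # Real entry: Log4Shell, added 2021-12-10 with a two-week remediation deadline.
            "cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {   # Placeholder entries: CVE-0000-* are not valid CVE identifiers.
            "cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Example VPN Appliance",
            "vulnerabilityName": "Example VPN Appliance Authentication Bypass (placeholder)",
            "dateAdded": "2022-03-01", "dueDate": "2022-03-15",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Example Mail Gateway",
            "vulnerabilityName": "Example Mail Gateway Command Injection (placeholder)",
            "dateAdded": "2022-03-07", "dueDate": "2022-03-28",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ],
})

# Constructed asset inventory, as it might be exported from a CMDB or vulnerability scanner.
INVENTORY = [
    {"host": "app-01", "vendor": "apache", "product": "log4j2", "version": "2.14.1"},
    {"host": "vpn-edge", "vendor": "ExampleVendor", "product": "example  vpn appliance", "version": "9.1"},
    {"host": "db-02", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "13.6"},
]


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(name.lower().split())


def prioritize(kev_json: str, inventory, as_of_iso: str):
    """Match inventory entries to KEV entries by vendor and product, ordered by due date.

    KEV entries carry no affected-version ranges, so a match means "this product
    family has an actively exploited CVE"; the installed version must still be
    checked against the vendor advisory before the item is closed.
    """
    as_of = date.fromisoformat(as_of_iso)
    index = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)

    work_items = []
    for asset in inventory:
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            work_items.append({
                "host": asset["host"],
                "version": asset["version"],
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "due": due,
                "overdue_days": max(0, (as_of - due).days),
                "action": entry["requiredAction"],
            })
    # Earliest (most overdue) deadline first; ties broken by host for stable output.
    work_items.sort(key=lambda item: (item["due"], item["host"]))
    return work_items


def run_demo(as_of_iso: str = "2022-03-16"):
    """Run the prioritization over the constructed catalog and inventory."""
    return prioritize(KEV_SAMPLE, INVENTORY, as_of_iso)


if __name__ == "__main__":
    for item in run_demo():
        flag = f"OVERDUE by {item['overdue_days']}d" if item["overdue_days"] else "due"
        print(f"{item['host']:10} {item['cve']:15} {flag:18} {item['due']}  {item['action']}")
```

Run against the sample as of 2022-03-16, the report lists app-01 first (Log4Shell, 82 days past the KEV deadline), then vpn-edge (one day overdue); db-02 produces nothing because no catalog entry names its product. Two caveats matter in practice: vendor and product strings in the KEV catalog do not always match how a scanner or CMDB names the same software, so the normalization here is deliberately simple and should be extended with an alias table, and a match is a work item to confirm against the vendor advisory, not proof that the installed version is vulnerable.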
The Impact of Cyberwarfare on Critical Infrastructures
Our world has increasingly become dependent on technology to carry out tasks that range from simple to complex. This dependency can be found in every industry across the globe and has provided great benefits to users, organizations, and governments. It also leads to the creation of new and emerging technologies. While these technologies provide many benefits to our society, they also broaden the digital realm for nefarious actors to commit sophisticated and organized activities that are criminal and politically motivated.
Today, these actions have fundamentally altered the definition of traditional warfare between state actors into a hybrid that includes cyberwarfare tactics. The use of cyberwarfare as a tool of modern war can affect critical infrastructure to varying degrees and, in many instances, catastrophically. Examples include denial-of-service attacks that lock users out of financial systems, ransomware on hospital equipment used to sustain life, malware that shuts down energy grids or wipes data from critical systems, phishing used to gain access to secured networks, and attacks on transportation systems that alter routes. Such cyberattacks can be disastrous for critical infrastructure and ultimately threaten the national security of a state and its people.
Cyberwarfare’s Call to Action: Public and Private Sector Partnership
It is imperative that the private and public sectors continue to strive for collaboration, discussion, sharing of vital resources, and information on how best to protect critical infrastructures. For example, the Cybersecurity and Infrastructure Security Agency’s Sector Partnerships foster these engagements and interactions, to maintain critical infrastructure security and resilience. It is through these partnerships that CISA was able to provide its ‘Shields Up’ guide to prepare for, respond to and mitigate the impact of cyberattacks —particularly in the wake of sanctions imposed on Russia by the U.S and its allies.
Cyberwarfare’s Call to Action: Improving Cybersecurity Readiness
Implementing a defense-in-depth approach will improve the cybersecurity readiness of any organization or individual. This approach combines the capabilities of people, operations, and security technologies to establish multiple layers of protection. For organizations, defense-in-depth includes conducting a risk assessment, prioritizing risk, tracking security metrics, monitoring and auditing security controls, applying patches and updates, conducting regular employee security awareness training, empowering the CISO, investing in security, creating an incident response plan, implementing a business continuity plan and so on. For individuals, defense-in-depth includes staying up-to-date on new threats, updating your devices and applications, using strong passwords, securing your Wi-Fi, creating backups, using multi-factor authentication on all accounts, installing antivirus software, using security apps on mobile devices, avoiding the use of public Wi-Fi, and so on.
Another aspect of cybersecurity readiness is hiring the right people for roles within a security team. The CISO, security manager, security engineer, security analyst, and variations of these roles are all components of a security architecture designed to protect the organization’s information assets. It is also vital that the security team receives professional development as new technologies and techniques emerge, so that it is prepared to respond to incidents both old and new.
By understanding the capabilities of current technologies and the threat landscape, organizations, agencies, and individuals can effectively protect themselves, their nation's critical infrastructures, and by extension, its national security.
Cybrary: Equipping Cybersecurity Professionals
As a cybersecurity training provider whose mission is to equip cybersecurity professionals with the skills they need to succeed against ever-evolving cyber threats, Cybrary is focused on helping practitioners prepare to respond in this uncertain environment. Our catalog includes several courses, virtual labs, and skill assessments that are aligned with CISA's ‘Shields Up’ guidance to help organizations, corporate leaders, and individuals prepare for, respond to, and mitigate the impact of cyberattacks.
More recently, we've added a new series of courses that focus on adversary Tactics, Techniques, and Procedures (TTPs), as mapped to the MITRE ATT&CK framework (see our matrix here). These TTPs include those used by Russian attackers in the conflict with Ukraine. We recently released our Spearphishing Attachment and PowerShell course, which covers the same kind of spearphishing campaign that Russian threat actors used in the 2015 and 2016 attacks on Ukraine's power grid. In these TTP courses, learners get hands-on labs and over-the-shoulder demo videos showing how to detect these TTPs and mitigate them.
Cybrary will be following the events in Ukraine closely to ensure we add content that is pertinent in these uncertain times. We regularly publish "Exploitation and Mitigation" courses that focus on specific vulnerabilities that have just emerged. Sign up for a Cybrary Insider Pro subscription today, and be sure to keep an eye out for these courses as the cybersecurity landscape continues to evolve.
Update: March 16, 2022
It has always been Cybrary's mission to empower ALL learners with the knowledge and skills necessary to defend against adversary tactics. We're committed to doing all we can to sharpen your skills as you mitigate these evolving cyber threats. To further that commitment, we have made over 10 hours of critical training content related to CISA's ‘Shields Up’ guidance FREE to all Cybrary members.
Supporting Free Content Includes:
- Executive Vulnerability Management
- Identifying Web Attacks Through Logs
- Network Operational Management
- Incident Response Lifecycle