First lessons learnt related to Cyber Offensive actions led by Russia against Ukraine – How sh
Known recent cyberattacks originating from Russia include the following. Although there is no magic way to raise a company's level of cyber protection in a very short period of time, here are my (non-exhaustive) thoughts on how you should protect against these threats, or at least strengthen your cyber posture.
Distributed Denial Of Service (DDoS) attacks,
Mainly observed against critical military, government, media and banking services
To prevent or mitigate such threats, you should consider:
shutting down any server/service that is not necessary
implementing network anti-DDoS systems (eg: Arbor DDoS Protection Solutions (NETSCOUT), KONA Site Defender) in front of your critical services (which you must first identify)
contacting your telco operator to prepare an ad hoc reaction procedure for a DDoS attack (upstream filtering or scrubbing, and who to call at what hour)
Website defacements
Mainly against gov sites
Probably coming from the APT (Advanced Persistent Threat) group UNC1151, using tooling similar to that of APT29, a Russian state-sponsored group
To prevent or mitigate such threats, you should consider:
Ensuring that you have a full inventory of your Internet-facing websites (eg: Cycognito, Uncovery, Palo Alto Cortex Xpanse)
Checking that they don't have any [critical] vulnerability (eg: using a vulnerability scanner such as Rapid7 InsightVM)
Filtering traffic at network level using regular or web application firewalls – WAF (eg: Checkpoint, Palo Alto)
Fixing all such vulnerabilities, or temporarily deactivating the related services; otherwise consider virtual patching solutions for a limited period of time (eg: TrendMicro)
Activating two-factor or multi-factor authentication (2FA/MFA) to prevent unauthorized access to your systems from the Internet
Activating mechanisms that automatically ban sources that have failed to authenticate several times (lockout after N failures within a given time window, with an allow-list for your own management hosts so that you cannot lock yourself out)
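Added example of the last point above (my own illustration, not code from the original post): a sliding-window counter over authentication log lines that bans a source once it reaches N failures within W seconds, with an allow-list and a reset on successful login. The log format, the thresholds and the nftables table/set name are assumptions, and the log lines are constructed.

```python
"""Automatic banning of sources that repeatedly fail to authenticate.

Added example (not code from the original post): a sliding-window counter over
authentication log lines. Log format, thresholds and the nftables set name are
assumptions chosen for illustration; the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines in a simplified sshd-like format (not a real capture).
# 203.0.113.7 hammers the host within seconds; 198.51.100.20 is a legitimate user
# who fails now and then, spread over half an hour.
SAMPLE_LOG = """\
2022-02-24T03:00:01Z sshd[1001]: Failed password for admin from 203.0.113.7 port 51001
2022-02-24T03:00:03Z sshd[1002]: Failed password for root from 203.0.113.7 port 51002
2022-02-24T03:00:04Z sshd[1003]: Accepted publickey for alice from 198.51.100.20 port 40001
2022-02-24T03:00:05Z sshd[1004]: Failed password for admin from 203.0.113.7 port 51003
2022-02-24T03:00:06Z sshd[1005]: Failed password for invalid user test from 203.0.113.7 port 51004
2022-02-24T03:00:07Z sshd[1006]: Failed password for alice from 198.51.100.20 port 40002
2022-02-24T03:10:00Z sshd[1007]: Failed password for alice from 198.51.100.20 port 40003
2022-02-24T03:20:00Z sshd[1008]: Failed password for alice from 198.51.100.20 port 40004
2022-02-24T03:30:00Z sshd[1009]: Failed password for alice from 198.51.100.20 port 40005
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed password|Accepted \w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def find_bans(log_text, max_failures=4, window_seconds=60, allow_list=()):
    """Return {ip: ban_time} for every source that reaches max_failures failed
    logins within any window_seconds span. A successful login clears the
    counter for that source, and addresses in allow_list (eg: your own
    management hosts) are never banned, so a typo storm from your admins
    cannot lock you out."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # unrelated line, eg: session opened/closed
        ip = m["ip"]
        if ip in bans or ip in allow_list:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if m["result"].startswith("Accepted"):
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(ts)
        # drop failures that fell out of the sliding window
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= max_failures:
            bans[ip] = ts
    return bans


def render_block_rules(bans, table="inet filter", set_name="banned"):
    """nftables commands adding each banned source to a pre-existing set that a
    drop rule references (assumption: you created the table and set beforehand)."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(bans)]


if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    for ip, when in bans.items():
        print(f"ban {ip} at {when.isoformat()}")
    print("\n".join(render_block_rules(bans)))
```

With the defaults (4 failures in 60 seconds) only 203.0.113.7 is banned; alice's four spread-out failures never fill the window. Loosening to 2 failures in an hour bans both, which is the trade-off to keep in mind before tightening thresholds during a crisis.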
Fraudulent messaging
SMS phishing (smishing), typically pretending that there is a problem with the target's bank account in order to trap users
To prevent or mitigate such threats, you should consider:
Increasing the awareness programs for your users (eg: KnowBe4 service). In particular, inform them about attempts to steal their credentials using phishing websites or similar lures
Implementing or reviewing the configuration of your anti-spam systems (eg: Cisco IronPort, Barracuda Networks)
Malware attacks
Known code names are WhisperGate and HermeticWiper. Both aim at destroying files/filesystems, as opposed to ransomware, for which data recovery remains possible in principle (once the decryption key is obtained)
Mainly against government, communications and non-profit organizations, e-services for citizens, and IT organizations
To prevent or mitigate such threats, you should consider:
Implementing a robust cloud proxy (in particular with isolation techniques, such as Menlo Security) and a Cloud Access Security Broker – CASB (eg: Netskope CASB, Microsoft CASB, etc.)
Implementing best-in-class Endpoint Detection & Response – EDR (eg: Cybereason, Mandiant) in a managed service mode (unless you are lucky enough to have the proper internal resources to manage it)
Making sure that such Managed Detection and Response – MDR or EDR and other cybersecurity solutions are fed with all necessary Indicators of Compromise (IoCs), which you can get from free (open) or commercial sources (eg: Recorded Future). To manage these IoCs, you may consider using a Threat Intelligence Platform (eg: ThreatQuotient, Anomali), but I also strongly encourage you to contact us at CIX-A, to join our European Alliance of CISOs against hackers and other threats!
Contracting with a rapid reaction force supplier to react to any major cyber-attack (eg: Cybereason Incident Response)
Generating off-line backups of your most critical systems and data, and ensuring that you have properly documented how to restore them (or, even better, have already performed successful restore drills: a backup that has never been restored is an assumption, not a backup)
And of course updating your systems (cyber hygiene) as often as possible, and don't forget to reboot them immediately when a patch requires it
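Added example for the backup point above (my own illustration, not code from the original post): a backup with a hash manifest and an automated restore drill that proves the archive restores byte-for-byte and reports what is missing or corrupt. The archive layout, manifest format and sample files are assumptions; keeping the media physically off-line, which is what protects it from a wiper, is an operational step the script cannot enforce.

```python
"""Offline backup with an integrity manifest, plus an automated restore drill.

Added example (not code from the original post): the archive layout, the
manifest format and the sample files are assumptions chosen for illustration.
Keeping the archive physically off-line is an operational step this script
cannot enforce; what it does show is the part most teams skip, proving that
the backup actually restores byte-for-byte.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write src_dir into a gzip tarball under 'data/' together with a
    MANIFEST.json listing the hash of every file at backup time."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname="data")
        blob = json.dumps(manifest, indent=1, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive, refusing members that would escape restore_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe member in archive: {member.name}")
        try:
            tar.extractall(restore_dir, filter="data")  # interpreters with PEP 706 filters
        except TypeError:
            tar.extractall(restore_dir)                 # older interpreters


def verify_restore(restore_dir):
    """Compare the restored tree against the manifest. Returns (ok, problems)."""
    restore_dir = Path(restore_dir)
    manifest = json.loads((restore_dir / "MANIFEST.json").read_text())
    restored = build_manifest(restore_dir / "data")
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"corrupt: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return (not problems, sorted(problems))


def run_drill(damage_restored_copy=False):
    """End-to-end drill on constructed sample data in a temporary directory.
    With damage_restored_copy=True one restored file is altered and another
    deleted before verification, to show that the drill catches it."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("-- constructed sample dump\nCREATE TABLE t(x int);\n")
        (src / "config.yaml").write_text("service: billing\n")
        archive = Path(work, "backup.tgz")
        create_backup(src, archive)
        target = Path(work, "restore")
        target.mkdir()
        restore(archive, target)
        if damage_restored_copy:
            (target / "data" / "config.yaml").write_text("service: CHANGED\n")
            (target / "data" / "db" / "customers.sql").unlink()
        return verify_restore(target)


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(damage_restored_copy=True))
```

Store the manifest (or at least its own hash) separately from the archive as well; a wiper or an attacker with write access to the backup share can otherwise rewrite both consistently.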
In addition to all of the above, you'll need to:
closely collect, consolidate and monitor your logs (eg: Elastic Cloud, Rapid7 InsightIDR)
request that your partners and suppliers inform you immediately if they detect a proven cyber incident on their assets
and be ready to react to detected incidents, whether suspicious or proven.
To do so, numerous companies offer a Security Operations Center (SOC) service or incident response resources that are worth considering. If you have already contracted such a service, consider asking for an increased level of vigilance on your known critical assets
You may also prepare to segment your network, to confine any detected attack. To do so, you'll need a proper inventory of your business-critical assets
Again, here, I also encourage you to join CIX-A, as we share technical critical and actionable information (including various cheat sheets, and IoCs) to respond to cyber-attacks!
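Added example tying together two of the points above, feeding your detection tooling with IoCs and monitoring consolidated logs (my own illustration, not code from the original post). It indexes a small indicator feed and runs it over JSON-line events as exported by an EDR, DNS resolver and firewall, handling the cases a naive matcher gets wrong: upper-case hashes, subdomains of an indicator, and look-alike domains that must not match. Every indicator and event is a constructed placeholder, not a real WhisperGate or HermeticWiper IoC, and the event schema is an assumption.

```python
"""Matching an indicator feed against consolidated logs.

Added example (not code from the original post), serving two points above:
feeding detection tooling with IoCs, and monitoring consolidated logs. The feed
entries and the events are constructed placeholders, NOT real WhisperGate or
HermeticWiper indicators; the event schema is an assumption for illustration.
"""
import hashlib
import json
from collections import defaultdict

# Constructed feed. The hash is of a throwaway string so it cannot collide with
# any real sample.
PLACEHOLDER_HASH = hashlib.sha256(b"constructed sample wiper binary").hexdigest()
IOC_FEED = [
    {"type": "sha256", "value": PLACEHOLDER_HASH, "context": "wiper dropper (constructed)"},
    {"type": "domain", "value": "update.example-bad.test", "context": "staging domain (constructed)"},
    {"type": "ipv4", "value": "203.0.113.45", "context": "C2 address (constructed)"},
]

# Constructed events in the shape of a consolidated EDR / DNS / firewall export
# (JSON lines): an upper-case hash, a subdomain of an indicator, and a look-alike
# domain that must NOT match.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2022-02-23T22:01:00Z", "host": "ws-17", "type": "process",
     "image": "C:\\Users\\Public\\stage.exe", "sha256": PLACEHOLDER_HASH.upper()},
    {"ts": "2022-02-23T22:01:05Z", "host": "ws-17", "type": "dns",
     "query": "cdn.update.example-bad.test"},
    {"ts": "2022-02-23T22:01:06Z", "host": "ws-03", "type": "dns",
     "query": "update.example-bad.test.lookalike.test"},
    {"ts": "2022-02-23T22:02:00Z", "host": "srv-02", "type": "netconn",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"ts": "2022-02-23T22:02:01Z", "host": "srv-02", "type": "netconn",
     "dst_ip": "198.51.100.9", "dst_port": 443},
    {"ts": "2022-02-23T22:03:00Z", "host": "ws-03", "type": "process",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "sha256": hashlib.sha256(b"benign placeholder").hexdigest()},
])


def index_iocs(feed):
    """Normalise the feed into per-type lookup tables (values lower-cased)."""
    idx = {"sha256": {}, "domain": {}, "ipv4": {}}
    for ioc in feed:
        idx[ioc["type"]][ioc["value"].lower().rstrip(".")] = ioc
    return idx


def domain_hit(query, domains):
    """Exact or label-aligned subdomain match: 'a.bad.test' hits 'bad.test',
    'bad.test.other' does not."""
    q = query.lower().rstrip(".")
    for d, ioc in domains.items():
        if q == d or q.endswith("." + d):
            return ioc
    return None


def match_events(jsonl, idx):
    """Return one hit per event that touches an indicator."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "process":
            ioc = idx["sha256"].get(ev.get("sha256", "").lower())
        elif kind == "dns":
            ioc = domain_hit(ev.get("query", ""), idx["domain"])
        elif kind == "netconn":
            ioc = idx["ipv4"].get(ev.get("dst_ip", ""))
        else:
            ioc = None
        if ioc:
            hits.append({"ts": ev["ts"], "host": ev["host"], "event": kind,
                         "indicator": ioc["value"], "context": ioc["context"]})
    return hits


def hosts_to_isolate(hits):
    """Group hits by host: the list to hand to the SOC / IR team for containment."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h["indicator"])
    return dict(by_host)


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS, index_iocs(IOC_FEED))
    for h in found:
        print(f'{h["ts"]} {h["host"]:7} {h["event"]:8} {h["indicator"]}  # {h["context"]}')
    print(hosts_to_isolate(found))
```

The output is three hits (two on ws-17, one on srv-02) and no hit for the look-alike domain; the per-host grouping is what you would feed into the segmentation or isolation step.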
Here are some interesting and relevant URLs worth mentioning:
Palo Alto's Unit42 page on the Gamaredon Group (aka Primitive Bear), one of the most active Advanced Persistent Threat (APT) groups targeting Ukraine