Many of our customers have been asking us how they should plan for escalating hacking and cybercrime activity in light of the conflict in Eastern Europe. Whether it is Russia, cybercrime gangs or other nation states operating under the cloud cover of that conflict, increased hacking is certainly something we can reasonably expect.
The TL;DR response is: if you have a good security program in place now, there isn't anything you should necessarily be changing based on this situation. If, however, you are not sure you have a solid program in place, there's probably no one thing you can do, so you would want to put a broader plan in place, and you should expect that it may take some time.
I realize this probably isn't what anyone wants to hear. I will still go ahead and list some important things you can do, with key references, to be as useful as possible, but we have to be independent thinkers and stay honest, and I'm not sure the hype is helpful.
Note: if you are interested in what to do for your developers in Ukraine, we wrote a post about that.
It's Too Little, Too Late
Ironically, many of the queries about escalations came from customers whose board members started asking about security because of the conflict. Unfortunately, once the bits are flying, it is too late to start building a program and putting in place the defenses you need to resist escalated hacking conditions.
There is no "one thing" you can do to prevent it. There is no easy button.
It makes me wonder if the same board members were encouraging their teams to build out security programs in general. It also makes me wonder if the board members are also on the boards of the security companies they are promoting.
You can't buy a tool to eliminate your risks from cybersecurity conflict. You need to plan and execute over time to manage escalated security environments.
OK But Seriously, What Can We Do?
There are a couple of good resources I would point to on this. CISA provides information and great resources on its Shields Up page. The takeaways are largely what we would advocate as well:
- Require MFA for key systems
- Segment and firewall your networks, and confirm the segmentation with vulnerability scans
- Be on the alert for signals of issues
- Have a business continuity plan, including backups, and test it
- Define escalation and incident handling processes
- Train users to recognize phishing
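The "confirm with vulnerability scans" part of the segmentation item is where teams most often stop short: the firewall rules get written, but nobody checks from each vantage point that only the intended ports are reachable. The script below is an added example, not code from the original post or from CISA; it compares scan output from two vantage points against a declared zone policy and reports every open port the policy does not allow. The zones, the policy table and the scan text are all constructed sample data (the scan lines follow the shape of nmap's grepable `-oG` output but were written by hand), and any zone pair missing from the policy is treated as default-deny so that an unreviewed path shows up as a finding rather than silently passing.

```python
"""Compare scan results with a segmentation policy (added example).

The zone map, policy and scan output below are constructed sample data; the
scan text follows the shape of nmap's grepable (-oG) output but was written
by hand for this example, not captured from a real network.
"""
import ipaddress

# Constructed zone map: zone name -> subnet.
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "corp": ipaddress.ip_network("10.2.0.0/24"),
    "mgmt": ipaddress.ip_network("10.3.0.0/24"),
}

# Constructed policy: (scanner zone, target zone) -> TCP ports that may be open.
# Any zone pair missing from this table is treated as default-deny.
POLICY = {
    ("internet", "dmz"): {443},
    ("internet", "mgmt"): set(),
    ("corp", "dmz"): {443},
    ("corp", "mgmt"): set(),
}

# Constructed scans, one per vantage point, in nmap -oG style:
# "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/"
SCANS = {
    "internet": (
        "Host: 10.1.0.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///"
        "\tIgnored State: filtered (998)\n"
        "Host: 10.3.0.5 ()\tPorts: 3389/open/tcp//ms-wbt-server///\n"
    ),
    "corp": (
        "Host: 10.1.0.10 ()\tPorts: 443/open/tcp//https///, 80/closed/tcp//http///\n"
        "Host: 10.2.0.20 ()\tPorts: 445/open/tcp//microsoft-ds///\n"
        "Host: 10.3.0.5 ()\tPorts: 22/open/tcp//ssh///\n"
    ),
}


def parse_grepable(text):
    """Yield (ip, port, proto) for every open port in -oG style output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # status-only lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for spec in ports_field.split(","):
            fields = spec.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                yield ip, int(fields[0]), fields[2]


def zone_of(ip, zones=ZONES):
    """Map an address to its zone name, or "unknown" if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "unknown"


def find_violations(scans, policy):
    """Return one finding per open port that the policy does not permit."""
    violations = []
    for source, text in scans.items():
        for ip, port, proto in parse_grepable(text):
            target = zone_of(ip)
            allowed = policy.get((source, target))
            if allowed is None:
                reason = "no policy for zone pair (default deny)"
            elif port not in allowed:
                reason = "port not permitted by policy"
            else:
                continue
            violations.append({"source": source, "host": ip, "zone": target,
                               "port": port, "proto": proto, "reason": reason})
    return violations


if __name__ == "__main__":
    for v in find_violations(SCANS, POLICY):
        print(f"{v['source']:>8} -> {v['host']} ({v['zone']}) "
              f"{v['port']}/{v['proto']}: {v['reason']}")
```

Run once per scan vantage point after every firewall change; a clean run is the evidence that the segmentation you documented is the segmentation you actually have.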
Another thing you can do is check the software you are running against the list CISA maintains of software it has identified as targeted by hacking campaigns: the Known Exploited Vulnerabilities catalog. Of course, there are likely other vulnerabilities that aren't yet on that list, but this is a good starting point. Generally, the action for any software you are using that appears on this list is to disable it or to update it to a version that fixes the vulnerability.
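Checking an inventory against the catalog is mechanical enough to script, and doing so makes the "disable or update" decision a tracked list rather than a one-off read of a web page. The following is an added example, not code from the original post or from CISA: it loads a catalog in the shape of CISA's `known_exploited_vulnerabilities.json` feed, indexes it by vendor and product, matches a software inventory against it, and flags entries whose due date has already passed. The catalog entries, CVE ids (placeholders, not real identifiers) and inventory rows are all constructed sample data. One caveat the code comments on: catalog entries carry no affected-version range, so a hit says the product has a catalogued exploited vulnerability, and the installed version still has to be checked against the vendor advisory before an asset is declared unaffected.

```python
"""Match a software inventory against a CISA KEV-style catalog (added example).

The catalog below is constructed sample data in the shape of CISA's
known_exploited_vulnerabilities.json feed; the cveID values are placeholders,
not real CVE identifiers. The inventory is likewise constructed.
"""
import json
from datetime import date

# Constructed catalog. Field names follow the real feed; values are made up.
KEV_SAMPLE_JSON = json.dumps({
    "title": "constructed sample catalog",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-00001",  # placeholder id
            "vendorProject": "ExampleVendor",
            "product": "Gateway Appliance",
            "vulnerabilityName": "ExampleVendor Gateway Appliance Authentication Bypass",
            "dateAdded": "2022-03-01",
            "shortDescription": "Constructed description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-03-15",
        },
        {
            "cveID": "CVE-0000-00002",  # placeholder id
            "vendorProject": "OtherCorp",
            "product": "File Transfer Server",
            "vulnerabilityName": "OtherCorp File Transfer Server Remote Code Execution",
            "dateAdded": "2022-02-20",
            "shortDescription": "Constructed description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-03-06",
        },
    ],
})

# Constructed asset inventory, with the inconsistent casing and spacing an
# asset database tends to accumulate.
INVENTORY = [
    {"host": "vpn-1", "vendor": "examplevendor", "product": "gateway  appliance", "version": "3.2.1"},
    {"host": "fileshare", "vendor": "OtherCorp", "product": "File Transfer Server", "version": "9.0"},
    {"host": "web-1", "vendor": "OtherCorp", "product": "Web Portal", "version": "2.1"},
]


def normalize(text):
    """Lower-case and collapse whitespace so inventory spellings match the catalog."""
    return " ".join(text.lower().split())


def load_kev(raw_json):
    """Index catalog entries by (vendor, product) for one lookup per asset."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def match_inventory(inventory, kev_index, as_of):
    """Return one finding per (asset, catalog entry) pair, earliest due date first.

    Catalog entries carry no affected-version range, so a hit means "this
    product has a catalogued exploited vulnerability"; the asset's version must
    still be checked against the vendor advisory before it is declared unaffected.
    `as_of` is an ISO date string used to flag entries already past their due date.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for asset in inventory:
        key = (normalize(asset["vendor"]), normalize(asset["product"]))
        for entry in kev_index.get(key, []):
            findings.append({
                "host": asset["host"],
                "version": asset["version"],
                "cveID": entry["cveID"],
                "requiredAction": entry["requiredAction"],
                "dueDate": entry["dueDate"],
                "overdue": today > date.fromisoformat(entry["dueDate"]),
            })
    findings.sort(key=lambda f: f["dueDate"])  # ISO dates sort correctly as strings
    return findings


if __name__ == "__main__":
    hits = match_inventory(INVENTORY, load_kev(KEV_SAMPLE_JSON), "2022-03-10")
    for hit in hits:
        status = "OVERDUE" if hit["overdue"] else "due " + hit["dueDate"]
        print(f"{hit['host']:<10} {hit['cveID']:<15} v{hit['version']:<7} {status}: {hit['requiredAction']}")
```

In practice the catalog text comes from a scheduled download of the real feed and the inventory from whatever asset system you already run; the matching and the overdue flag are the part worth keeping.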
In the big picture, we would normally advocate for a holistic program aligned to a major standard such as NIST 800-53 (which is what our securityprogram.io application uses as its primary standard), and broadly speaking that is what we feel you need to prevent issues from happening.
If this is too big, you could use our worksheet on the 21 Actions to Improve Security Today. The bottom line is that there is no time like the present to make sure you are planning for escalated hacking, but you need to plan and navigate that yourself, not rely on some checkbox solution.
The Elephant in the Room
The easiest ways to get hacked are to leave an unpatched system online, or to have a user click on a phishing link and supply their credentials. Watering hole attacks, where a themed site is set up with outrageous content to attract visitors and then distributes malware to them, are also quite likely. Vigilance can help prevent or detect these types of attacks as things escalate.
On the other hand, a problem is that many large companies have deeper security problems you can't easily build a plan to mitigate. For instance, it is likely that all major companies (including, say, cloud providers) have sleeper intelligence agents working there as full-time employees, waiting for a direction to cause damage or wreak havoc. If things get very bad, disruption of major cloud services might become a strategic goal for a party that has the power to pull that off through this latent threat. You can't prevent this with vigilance. You can have backup and alternative delivery strategies to maintain maximal business continuity, but until recently such an attack would have seemed so far-fetched as to be not worth planning for.
Conclusion - Planning for Escalated Hacking
With each passing day I am more shocked and saddened by the events unfolding and I feel a sense that people are sensationalizing or trying to get as much out of them as they can. I'm unimpressed by the boards' new attention to cybersecurity. They should have been funding cybersecurity all this time.
The reality is, for the most likely problems you should already have a solution in place. But for some, you don't and you can't. That is the reality. Security is a marathon, not a sprint. The best way to plan for escalating hacking incidents is to start and maintain a broad security program.