9 Essentials for Global CISOs During Russia's Ukraine War
Mandates: Brief the Board, Appeal for Resources, Work to Prevent Burnout and More
As Russia's invasion of Ukraine continues, what should CISOs and security teams be doing to ensure that their organizations stay protected?
In the big picture, security experts have detailed multiple scenarios that could directly affect corporate networks:
- Collateral damage: Russia or its allies may target networks in Ukraine with attacks that go global either inadvertently or by design. One example: the NotPetya wiper malware, which in 2017 led to up to $10 billion in commercial damage.
- Direct attacks: In response to Western governments providing support and materiel to Ukraine and sanctioning Russian organizations, Moscow or its allies might order direct attacks on critical infrastructure sectors. "Banks and the energy sector are likely targets in this scenario," Rick Holland, CISO at threat intelligence firm Digital Shadows, says in a blog post.
- Cover: Criminal groups and nation-state attackers alike might use the heightened uncertainty and potential chaos caused by the above scenarios to increase their attempts to penetrate corporate networks.
The likelihood of any of those scenarios is impossible to predict. Some carry a diplomatic cost and could lead to escalation not just online but in the physical realm. Indeed, Russian President Vladimir Putin has been reminding the world that he has nuclear weapons. If the invasion of Ukraine that he ordered drags on, might he use them?
As Russia expert Fiona Hill tells Politico: "Every time you think, 'No, he wouldn't, would he?' Well, yes, he would. And he wants us to know that, of course."
1. Know What Is Controllable
None of this is something CISOs can control. But what they can address is their team's readiness and focus, as well as the message being communicated inside their organization, not least of which will involve reassuring other senior executives and the board of directors that the security team is ready (see: Russia's Invasion of Ukraine Triggers Resiliency Reminders).
While it might seem "a bit crass," the mandate is very much about "not letting a good cyber crisis go to waste," says Ian Thornton-Trump, CISO at threat intelligence firm Cyjax.
2. Appeal for Resources
What's the best way to maximize an organization's cyber resiliency as the war continues?
"There is one thing CISOs need to do: Take the warnings to your board and ask for financial support and other resources. That's it. That's the mission," Thornton-Trump says. "Being a CISO is about leadership - if you're sitting in front of a screen looking at the 'pew pew' action on your security controls, you're done."
3. Take a 'Shields Up' Approach
In terms of specific recommendations, numerous security experts continue to point to the "Shields Up" guidance being issued by the U.S. Cybersecurity and Infrastructure Security Agency, as well as defenses advocated by Britain's National Cyber Security Center.
"Organizations should follow NCSC advice and act on improving their resilience with the cyber threat heightened," the guidance says.
Both CISA and the NCSC focus on essential defenses that guard against many different types of threats, including deploying critical patches and updates quickly, using multifactor authentication widely, and maintaining well-tested backup and recovery practices.
"Continued vigilance" by organizations of all sizes remains the mandate, says CISA Director Jen Easterly (see: Feds Advise 'Shields Up' as Russian Cyberattack Defense).
"Just because we have not seen threats to date doesn't mean we will not see them manifest quickly," she says.
While there are currently no specific or credible cyber threats to the US homeland as a result of the unprovoked Russian invasion of Ukraine, @CISAgov strongly urges continued vigilance by all orgs – large & small. See https://t.co/noCFT0QNm8 for info & updates 1/
— Jen Easterly (@CISAJen) March 2, 2022
4. Complicate Life for Attackers
Security experts say even small improvements can disrupt or deter attempted attacks. Guidance abounds, not least from CISA and the NCSC, including which steps organizations should take first.
On the network security front, meanwhile, on Tuesday, the U.S. National Security Agency released guidance that it has developed based on responding to real-life intrusions against American organizations.
Network infrastructure security is critical. Administrators can leverage our technical report to help prioritize next steps in their work to strengthen networks against adversary targeting attempts. https://t.co/LiyG5GGul3 pic.twitter.com/SXXJi7Z7QQ
— NSA Cyber (@NSACyber) March 1, 2022
"This guidance focuses on the design and configurations that protect against common vulnerabilities and weaknesses on existing networks," the NSA says. "Recommendations include perimeter and internal network defenses to improve monitoring and access controls throughout the network."
The goal is simple: to "make it harder for the adversary" to penetrate American networks, says Rob Joyce, the NSA's director of cybersecurity. "The recommendations come from years of helping NSA customers respond to threats and protect their networks."
While the NSA didn't comment on the timing of the release, the fact that the guidance is being published at the same time that Russia's war in Ukraine poses a risk to global networks seems like more than a coincidence.
5. Review DDoS Defense Needs
Western banking sectors have previously been hit by distributed denial-of-service attacks. Russia is no stranger to this tactic, having notably used it to disrupt Estonian organizations, including government institutions, banks and newspapers, in 2007, and again in recent weeks against Ukraine.
For any organization that thinks it might be on a potential target list for disruption during Russia's invasion of Ukraine, Holland recommends reviewing what mitigation capabilities are already in place, which might include on-premises gear or the use of "a DDoS mitigation service, e.g., Cloudflare, Akamai, Radware," and whether the attack bandwidth those capabilities can absorb still seems sufficient.
For anyone without sufficient capabilities, "assess the likelihood of an attack, and make a risk-based decision on whether to implement a DDoS mitigation solution," he says. "One positive for CISOs justifying the business case is there aren't many security controls that you can easily quantify the value of the protection. Calculate the downtime or lost revenue of an e-commerce website and compare that against the cost of the mitigation."
6. Take Steps to Mitigate Burnout
Information security teams have not had an easy run over the past 15 months or more. The SolarWinds supply chain attack that came to light in December 2020 sent many teams scrambling to work overtime to mitigate the risk. Same again for the Microsoft Exchange hack attacks that began in early 2021, followed by the serious Log4j vulnerabilities that were found last December. Plus, there's been the ongoing COVID-19 pandemic.
At least anecdotally, burnout among cybersecurity professionals has been rife, at a time when they're most needed.
Even as we focus on cyber resilience, we must also focus on human resilience. Defenders across the world are working flat out (again!); leaders must ensure teams get support & resources needed. CEO's must empower CISO's & guard as much as possible against burnout & fatigue. 9/
— Jen Easterly (@CISAJen) March 2, 2022
Accordingly, "even as we focus on cyber resilience, we must also focus on human resilience," CISA's Easterly says. "Defenders across the world are working flat out - again!"
7. Keep Honing Your Plans
Preparation remains essential for honing incident response plans, ideally backed by regular tabletop exercises that practice how best to coordinate a response and that surface any shortcomings, experts say (see: Incident Response: Best Practices in the Age of Ransomware).
"You can’t prepare for cyberattacks when they’re already happening, so don’t try," according to a new report from market researcher Forrester. "That’s why cybersecurity is a program and why readiness and preparedness are so important. If there are adjustments you can make after a recent tabletop session to processes or communication, make them - and update your documentation accordingly."
8. Set the Tone for Internal Communications
Every CISO should already be proactively briefing their fellow senior executives and the board "to get ahead of the news cycle" and "shape your leadership's view of the Russian invasion and its meaning to your organization," Digital Shadows' Holland says.
"Cybersecurity incidents that achieve media prominence have a habit of alarming senior executives and board members, resulting in a cascade of panicked questions to you and your team," researchers at Forrester write in their report. "Don’t be caught unawares, as such requests can consume precious time that you will need to deal with a potential incident."
Executive Comms: I suggest establishing a cadence for updates. You are going to do x updates a week on these days. You will cover x topics. Get w the execs & see if they have their own questions. Develop intelligence requirements for the questions. #RussiaUkraineConflict
— Rick Holland (@rickhholland) February 24, 2022
Accordingly, set a briefing-update schedule and then deliver on it. "You are going to do X updates per week on these days. You will cover X topics," Holland says. "Get with the executives and see if they have questions they'd like answered. Develop intelligence requirements for both your questions and their questions and be ready to answer them on an ongoing basis. Get feedback from them after you deliver your first briefing."
Key to these briefings may be managing expectations about what Russia or its allies may or may not do. For example, as highlighted by the operational security expert known as the Grugq, despite government, military and cybersecurity experts pontificating for years about the role cyber would play in the next major land war, no one seems to have accurately predicted what's happened in the opening week of Russia's invasion (see: Why Hasn't Russia Launched a Major Cyberattack on Ukraine?).
Jan 31: Russia will do a massive cyber against Ukraine.
Feb 14: Russian cyber will explode on the internet, like NotPetya
Feb 23: this is cyber war! Attacks on some Ukrainian websites
Feb 24: …
Mar 1: why no cyber?
Mar 3: cyberwar, as we know, is useless and doesn't exist
— thaddeus e. grugq (@thegrugq) March 3, 2022
Truly, no one knows what will happen next.
9. Carpe Diem
Regardless, Thornton-Trump says the cybersecurity threat posed by Russia's war in Ukraine is something that security leaders should declare they're ready for inside their organization.
"It's time for CISOs to say: 'I got this. I went through ShellShock, WannaCry, NotPetya, Log4j and 6 months' worth of every on-premise Exchange box and VPN provider getting pwnd hard," he says. "I got this. I believe in the team, I believe in the mission. I'm going to dig in and protect my people and my organization. I am ready. Bring it, Russia."