U.S. organizations have been called upon to increase cybersecurity vigilance in the wake of U.S. sanctions on Russia for their invasion of Ukraine. 

The federal Cybersecurity & Infrastructure Security Agency (CISA) issued an alert on Feb. 16, 2022, that the FBI, NSA, and CISA had “observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors” from at least January 2020 through February 2022. CISA has also posted a web page, titled “Shields Up,” that includes an evolving overview of, the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs to bolster their cyber defenses.

“While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies,” CISA says on the web page. “Every organization – large and small – must be prepared to respond to disruptive cyber activity.”

Usual attack vectors

While awareness has been rising amid the current situation, the threat of nation-state cyberattacks has been on the rise for some time. For example, according to one mid-2019 article, Microsoft had notified almost 10,000 users over the preceding year that they had been “targeted or compromised by nation-state hacking groups,” mostly from Iran, North Korea, and Russia. 

Beyond obtaining intellectual property, these attacks may be intended to monitor military and diplomatic information; disrupt operations; compromise physical control systems used in electric utilities, manufacturing, and oil refineries; and generally create panic, chaos, and harm.

These types of actors have been known to employ an assortment of precisely calibrated tactics and techniques, including:

• Email phishing scams, in which messages presented as coming from a trusted company or individual contain links or attachments that, when clicked by the recipient, infect computers with powerful ransomware or malware that gives threat actors remote access to infected computers and potentially other computers in the network.
• Targeting unsecured endpoints like laptops, smartphones, and tablets, which have multiplied as more remote workers use personal equipment rather than company-provisioned technologies. These endpoints can be particularly vulnerable when used by employees who are not trained to avoid phishing and other social-engineering scams.
• Password spraying, a brute-force attack method that attempts to match usernames with common passwords to gain network access. Others purchase email and system log-on credentials stolen in previous cyberattacks. And as more employees work from home, threat actors are exploiting zero-day vulnerabilities – issues that haven’t yet been discovered, or discovered but not yet patched – in VPNs and other remote working tools and software platforms. 

How to protect your company against these cyberattacks

Defending against nation-state attacks will require careful assessment and enhancement of your current cybersecurity protections, including your people, processes, and technology, to understand your capabilities and implement further safeguards as necessary. 

In general, aim to have a layered defense model that combines multiple security controls at different levels, with a series of defenses working together within each, to secure your network and protect resources and data. Here’s what to consider.

1. Keep people at the heart of your defense plans. Humans tend to be the weakest link in cybersecurity, but they can also be a strong asset, if properly trained on how to spot, avoid, and mitigate threats. Remind employees to be cautious; refresh training and tip sheets about top threats like phishing, ransomware, and weak passwords; and base training programs on current, specific threats. Extend training to all employees, including remote workers, as well as any third-party contractors (and subcontractors). Provide additional specialized role-based training to employees who have super user or privileged access to IT assets. 

2. Review your basics. Many of the traditional good cyber hygiene rules apply here: Encryption of data, use of VPNs, proper configuration of firewalls, updated anti-malware and intrusion-prevention software, stringent password requirements. Enforce multifactor authentication for all users across all IT assets – including company leadership.  

3. As remote and hybrid work continue, keep track of all hardware and software assets, and make sure you are securing the access coming into your environment. Test VPNs, videoconferencing, and collaboration tools to help ensure adequate capacity for home workers and minimize risks of infiltration or interception. Evaluate the privacy and security capabilities of remote collaboration tools related to access, storage, and sharing of data, including anything based in the cloud. 

4. Tighten access across systems. Make sure that privileged access to all IT assets, including security tools, is well controlled and monitored. Access should be granted on the principle of least privilege: Minimize employees’ access to applications to only the ones that are necessary to perform their job.

5. Look outside your own walls. Perform security due diligence on suppliers, business partners, and any other third parties that have access to your systems and data. 

6. Implement solutions or third-party services to monitor and log network behavior 24/7, and alert your team to any security events and incidents. And on that point…

7. Don’t overlook security alerts. When your tools are telling you something is wrong, take the time to fully assess what is happening. Understand and utilize the full functionality of the controls you’ve invested in.

8. Make cybersecurity an ongoing process. Deploy tools to routinely perform patch management and maintenance, even remotely. Make sure that any time changes are made to critical applications, you analyze their security impact.  

9. Have an adequate incident response plan. Take the approach of “it’s not if  you’ll have an incident, but when,” and make sure everyone across your organization knows how to respond when it happens. Update plans to factor in any workforce changes, such as reductions in on-site IT staff, and consider testing your plans now. Review business continuity and disaster recovery plans, too. 

10. Incorporate appropriate network segmentation to help limit the impact of an intrusion; be able to quickly isolate any affected systems before attackers can spread too far. 

Contact

Bhavesh Vadhani, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Thomas McDermott, Partner, Cybersecurity, Technology Risk, and Privacy

973.364.7836