Ukraine Crisis Cyber-Readiness Checklist

With Russian military operations currently underway in Ukraine, the question of whether cyber warfare will also be employed remains unanswered. While we have seen cases of destructive cyber actions focused on Ukraine, at this point attribution is not possible. 

As a result of these actions, there is a heightened sense of concern being felt by many organizations. Our focus here is to protect organizations by helping them prepare for potential cyberattacks. For that, we have put together this cyber readiness checklist. While many of these suggestions are standard cyber hygiene protocols and best practices, being reminded of doing the basics never hurts, especially when there are so many other concerns. In the same way that hand washing helps in our fight against COVID-19, simple actions can also go a long way towards fighting against cyberthreats. 

Key Takeaways

  1.  Patching: Ensure that all systems are fully patched and updated
  2.  Protection Databases: Make sure your security tools have the latest databases 
  3.  Backup: Create or update offline backups for all critical systems
  4.  Phishing: Conduct phishing awareness training and drills 
  5.  Hunt: Proactively hunt for attackers in your network using the known TTPs of Russian threat actors
  6.  Emulate: Test your defenses to ensure they can detect the known TTPs of Russian threat actors 
  7.  Response: Test your incident response against fictitious, real-world scenarios
  8.  Stay up to Date: Subscribe to threat intelligence feeds like Fortinet Threat Signals 

Detailed Actions

  1. Patching: Threat actors often target unpatched vulnerabilities in a victim’s network. As a result, the first line of defense should always be patch management and running fully patched systems. For organizations interested in focusing on specific vulnerabilities, CISA maintains a list of specific CVEs used in the past by Russian threat actors. But the better approach is to simply focus on being up to date all the time. This is also true for air-gapped environments, and now is a good time to ensure that these systems have been patched as well. And remember, patching is important not only for workstations and servers but also for security and networking products.
  2. Leverage Protection Databases: FortiGuard Labs continuously creates new detection rules, signatures, and behavioral models for threats that are discovered in our extensive threat intelligence framework. These are quickly propagated to all Fortinet products. Make sure that all protection databases are updated regularly.
  3. Backup Critical Systems: Many attacks come in the form of ransomware or wiper malware. The best defense against the destruction of data by such malware is to keep up-to-date backups. It is equally important that these backups are kept offline since malware often tries to find backup servers to destroy backups as well. The current crisis is a good opportunity to check whether backups really exist (not just on paper) and run recovery exercises with the IT team.
  4. Phishing: Phishing attacks are still the most common entry points for attackers. Now is a good time to run a phishing awareness campaign to heighten the awareness of everybody at your organization and to ensure they know how to recognize and report malicious emails.
  5. Hunt: The sad truth is that if your organization plays any sort of role in this conflict, then adversaries may already be in your network. Running threat hunting engagements can be vital in detecting adversaries before they install spyware or cause serious destruction. For threat hunting, you can use the known Tactics, Techniques, and Procedures (TTPs) below. 
  6. Emulate: The TTPs listed below can be also used to evaluate whether your security infrastructure is able to detect them. Running emulation exercises can uncover configuration problems and blind spots that attackers might leverage to move around in your network undetected.
  7. Response: A quick and organized incident response will be crucial when a compromise is discovered. Now is a good opportunity to review procedures for responding to an incident, including disaster recovery and business continuity strategies. If you have your own incident response team, you can run tabletop exercises or fictitious scenarios to ensure everything will run smoothly should a compromise occur.
  8. Stay up to Date: it is crucial that the actions listed here are not performed just once. Staying up to date and patched, monitoring vulnerabilities, and maintaining threat awareness are actions that must be performed continuously. One way to learn about the newest threats as they are discovered is to follow the FortiGuard Threat Signals.

Tactics, Techniques, and Procedures

For hunting for adversaries in your networks CISA recommends the following TTPs:

For Additional TTPs Review These Known Actors

How Fortinet Can Help

Fortinet provides multiple opportunities for organizations to mitigate serious cyberattacks and investigate possible breaches. Below are just a few popular examples of the technologies and solutions Fortinet offers.  

  • Fortinet Cyber Threat Assessment: Secure network architectures need to constantly evolve to keep up with the latest advanced persistent threats. There are two ways to find out if your solution isn’t keeping up—wait for a breach to happen or run validation tests.

  • Managed Detection and Response: Fortinet helps customers better understand the cybersecurity risks they face and improve how they identify and react to threats. 

  • Fortinet Virtual Patching solutions: FortiGuard Labs protects against specific exploits. 

  • FortiGuard Incident Response Service: The FortiGuard Incident Response Service provides organizations in the midst of a cybersecurity incident (including targeted ransomware attacks), with experienced staff, expert skills, and powerful tools. 

  • FortiGuard IPS and Anti-Virus: Services and engines utilize a variety of techniques including multiple machine learning and artificial intelligence strategies to protect our customers against advanced and zero-day threats.

Further Reading 

 

http://feeds.feedburner.com/fortinet/blog/threat-research

Leave a Reply