  • The top 6 things CISO’s should be doing to…

    By Kirsten Savage on March 21, 2022


      The Ukraine War, in concert with Russia’s long-standing status as a malevolent nation state cyber actor and an ambivalent host for cyber criminals, means that organisations face significantly increased cyber risks from direct and indirect cyber activity. It is highly likely that the current covert, relatively lower-grade nation state cyber activity will switch to overt, high-intensity cyber activity as the war and sanctions escalate. Organisations should remember that the collateral damage from NotPetya, part of Russia’s last cyber playbook in Crimea, is estimated to have cost the global economy over $10BN. Cyber-criminal activity is already looking to exploit the high level of interest in and uncertainty about the war. Hacktivists are lining up as both loosely and tightly aligned groups of cyber militia on both sides, attacking Ukraine, Russia and the West.

      To protect their organisations, Ward Solutions recommends that CISOs channel their efforts into the following 6 major areas:

      Optimising your human firewalls – the human firewall, from an organisation’s executives and IT admins to its accounts payable clerk, is consistently the organisation’s greatest weakness when poorly engaged, and its greatest strength and defence of last resort when hyper-vigilant and educated. Ward consistently sees organisations’ best-of-breed security control technologies defeated by relatively simple social engineering, phishing or other people-based, targeted attacks. Targeted, relevant awareness and education are now more important than ever to ensure that your people are best educated and hyper-defensively engaged. In our experience, segmenting your messages, activities and audiences into relevant groupings such as board, executive, management, technical, operational, finance and supply chain, with relevant messaging and tactics for each group, and encouraging collaboration, sharing, transparency and lessons learned, offers better results in terms of sustainable security effectiveness.

      Updating your risk registers and remediation plans – now is the time to rapidly update and revise your enterprise risk register with new or revised risks, likelihoods, impacts and remediation based on current circumstances and the environment. Providers of risk transference mechanisms such as cyber insurance may now be pleading exemptions due to acts of war and nation state events. At a minimum, CISOs need to check what cover, if any, applies. If insurance exemptions apply, then CISOs need to inform their boards and risk committees and rethink with the organisation how these risks now need to be addressed.

      Expanding the scope of their supply chain risk assessments to include a robust review of CNI impact – now is the time to revise and consider the risks and impact to your organisation from your close-in supply chain, such as equipment, raw material and general service providers. CISOs also need to revise and consider the impact, on their organisation and their supply chain, of a significantly higher likelihood of attacks on, disruption to and outages of critical national infrastructure (CNI) locally, regionally and globally, affecting providers of services such as power, water, telecoms, transportation, healthcare, cloud and media/communications, as the war and sanctions escalate.

      Reducing your circle of friends, acquaintances, levels of access and trust. Now is the time to consider geo-fencing and blocking of default inbound and outbound communications between your systems and networks and not just the affected regions, but any regions that you have no cause to do business or strategically communicate with. In the past this may have caused some limited disruption and inconvenience to end users, and may not have been politically correct. However, extraordinary times require extraordinary measures. CISOs should also consider implementing rules, controls and enhanced security so that you connect with your key suppliers, customers and partners only, effectively dramatically closing your networks, and implementing enhanced security such as VPNs, email security such as DKIM, DMARC, IBE etc., and enhanced and adaptive authentication such as MFA etc. Internally, you also need to review the levels of access that both technical and non-technical people have to systems, networks etc., and consider reducing the scope to the minimum required rights, with increased levels of validation and authentication for access, change etc.

      Shields up and hunt likely threat scenarios – CISOs should also consider increasing levels of monitoring, alerting, triage and response so that they can reduce their exposure time. Their organisation will need to be tooled up to respond to and investigate these heightened levels of alerting and monitoring, as otherwise this simply becomes dead noise. Organisations with high exposure to targeted nation state attack, e.g. critical national infrastructure providers, should assume that they are compromised, model likely threat scenarios, including threat scenarios based on the Russian hybrid warfare playbook in Ukraine, and conduct some targeted threat hunting, e.g. for the wiper software used to attack Ukrainian institutions at the beginning of the current war, and for other relevant threat scenarios.

      Get your organisation into the Incident Response Cyber Gym. CISOs should be updating their incident response plans immediately. Stacks of policies and procedures are useless unless the people tasked with decision-making are fit and have the muscle memory of what actions to take and when. CISOs can run table-top exercises on likely incident scenarios now to train and build the required muscle memory of the key people in their incident response plans. CISOs should also consider testing and rehearsing their disaster recovery and business continuity plans now.

      Steeling their organisation for the long game. It is unlikely that this crisis will de-escalate any time soon. Arguably, the geopolitical balance has shifted permanently and the direct and covert weaponisation of cyber is here for the long term. CISOs would do well to ensure that their organisations are ready to sustain this heightened level of risk, remediation and incident response into the long term. CISOs’ workload is already high, so CISOs may need to build capacity into their governance, risk and security operations teams to help protect and steer their organisation into this new order. As we know, cyber-skilled resources have been in short supply for the last 5 years. CISOs should innovate quickly to bring right-minded people from partners or other disciplines and parts of their organisations into their teams and bring them up to speed quickly.

      Ward Solutions is a full-service, full security lifecycle provider. If you don’t have the right manpower, tools and expertise, then consider partnering with a security consultancy and managed cloud security service provider with the knowledge and skills to help supply or augment your CISO, security engineering and security operations resources. Talk to us today to see how we can help.
