Nearly a month has passed since the start of the Russian invasion of Ukraine. Before this, the “Cold War” of cyberattacks had consisted of plenty of nation-state-sponsored activity against Western targets. But until now, this activity has not been a weaponized component in an active physical conflict with Western countries (whether direct or, in this case, by proxy).
As with the rest of the world, Nexum’s Security and Network Operations Command Centers (SNOCC) are paying close attention to activity patterns against these targets. Many of our customers have expressed concern about this “new” threat. They have asked what they can do and what they should be looking for. We have made some observations and gained insight from data across our customers and from the way many organizations categorize or prioritize threats.
The first and most valuable insight is that this threat is not new. Nation-state activity was as real and as dangerous 30 days ago as post-invasion. We can expect the same tactics, techniques, and procedures that have been previously used. As we know, novel weapons appear regularly in the form of zero-day exploits. In most cases, disclosure of the vulnerability behind these zero-days is the same for everyone in the game, which means the race to either weaponize or patch starts with the same gunshot. Even in the edge cases where a state actor has a secret exploit for a previously undisclosed vulnerability, they still need to perform the necessary actions to execute that exploit. These actions are visible when using tools such as a security information and event management (SIEM) solution and an identifying framework such as MITRE.
The second insight that we have been able to glean has been via data across our customer sets. As a Managed Security Services Provider (MSSP), many of our customers have requested extra scrutiny towards .RU and .BY domains. While this is not a bad idea overall, the data across all our customers indicates that there has not been any marked increase in background noise or inbound attack attempts directly from these “hostile” domains. There has not been a significant increase in attempts against Western targets from these aggressor domains aside from occasional spikes (across all country domains) during distributed denial of service (DDoS) attacks. Instead, we have seen slight increases in activity via two Western domains: .US and .NL. So why are the Americans and the Dutch attacking?
The answer has to do with the availability of anonymized resources in these two locations. Between the sheer volume of cloud-based resources in the U.S. and the ease with which compute resources can be secured with stolen credit card data in the Netherlands, both non-state and state actors can operate with impunity and anonymity with relative ease. Furthermore, this evades geo-blocking, and it evades reputation-based defenses such as threat intelligence feeds for a more significant amount of time.
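One way to check this observation against your own perimeter logs, as an added example that is not Nexum's tooling: compare each source country's share of denied inbound attempts between a baseline window and the current window, then measure how much of the current traffic a .RU/.BY block list would have stopped. The log format, the sample events, and the function names are constructed for illustration, and the country field is assumed to come from your firewall or SIEM's GeoIP enrichment.

```python
from collections import Counter

# Constructed sample events: "<window> <source_country> <action>".
# The country code is assumed to be added by GeoIP enrichment upstream.
EVENTS = """\
baseline RU deny
baseline US deny
baseline US deny
baseline NL deny
baseline CN deny
baseline DE deny
current RU deny
current US deny
current US deny
current US deny
current US deny
current NL deny
current NL deny
current NL deny
current CN deny
current DE deny
"""

GEO_BLOCKED = {"RU", "BY"}  # the country block list under evaluation

def parse(text):
    """Return {window: Counter(country -> denied attempts)}."""
    windows = {}
    for line in text.splitlines():
        window, country, action = line.split()
        if action == "deny":
            windows.setdefault(window, Counter())[country] += 1
    return windows

def share_shift(windows, min_delta=0.05):
    """Countries whose share of attempts grew by at least min_delta."""
    base, cur = windows["baseline"], windows["current"]
    b_total, c_total = sum(base.values()), sum(cur.values())
    shifts = {}
    for country in cur:
        delta = cur[country] / c_total - base[country] / b_total
        if delta >= min_delta:
            shifts[country] = round(delta, 3)
    return shifts

def geo_block_coverage(counter, blocked=GEO_BLOCKED):
    """Fraction of attempts that the country block list would have stopped."""
    return sum(n for c, n in counter.items() if c in blocked) / sum(counter.values())
```

Comparing shares rather than raw counts keeps a DDoS-driven spike across all countries from registering as a shift toward any one of them.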
What should organizations be doing considering this new aggression? In short, nothing new. As validated in the CISA Shields-Up bulletin sent early in the campaign, there are essential items that minimize your exposure to attacks, whether targeted and Russian in nature or random and opportunistic.
We have observed that these ten items, when fully committed to, can reduce risk to your organization by several orders of magnitude.
- Embrace zero trust as a core security principle. Identify, limit, and inspect traffic between resources within or outside your organization.
- Isolate operational technology, IoT, SCADA, and/or industrial control networks from corporate networks as soon as possible.
- Reduce or eliminate unrestricted outbound access to the internet for all network resources. Aggressively inspect any outbound traffic that must be allowed out.
- Embrace multifactor authentication (MFA) on all external resources. The principal point of compromise is internal or domain credentials harvested from the outside. MFA reduces this risk by 99%.
- Keep systems patched to current hardware and software revisions. The impact of a service interruption to patch is negligible in every respect compared to the organizational impact of a breach.
- Monitor log data from your security platforms using a SIEM, SOC-as-a-service, MSSP, or a combination.
- Consider email protection software and/or services and engage in employee training to identify and prevent email-based malware detonation.
- Perform regular vulnerability scans to identify and mitigate vulnerabilities.
- Review and test data and systems recovery procedures, including backups and data recovery plans.
- Disallow access to any location where you do not expect to do business.
We may find clear indicators or vastly shifting techniques that warrant specific actions as the campaign continues. However, as is the case for most organizations we observe, your effort is best spent shoring up and fully implementing the basics of strategic defense, fully leveraging the tools in place, and developing discipline towards IT security hygiene.
We will continue to update this page with new information as needed. If you have any questions or specific requests with which we can be of assistance, please use this form to contact us.