U.S. intelligence is anticipating cyber attacks against U.S.-based organizations in retaliation for the sanctions imposed over the Russia-Ukraine conflict. The CISA advisory assesses that organizations of all sizes are at risk of attacks meant to halt business operations, either as direct targets or as collateral damage from wiper malware, ransomware, and DDoS attacks on internet-facing systems.
U.S. targeted for sanctions against Russia
Russian officials and threat actor groups have warned of retaliation against any country that applies sanctions or interferes with Russian operations. Attackers may exploit internet-facing systems, unpatched vulnerabilities, and web applications of U.S.-based organizations. The top targets may include financial institutions and banks, IT services and MSPs/MSSPs (Managed Service and Security Providers), internet service providers, critical infrastructure, public utilities, and government agencies.
U.S. organizations may be collateral damage from wiper malware
We have seen this story before. In 2017 the NotPetya wiper, disguised as ransomware and spread through a compromised update to the M.E.Doc accounting software used by companies doing business in Ukraine, was aimed at Ukrainian businesses but hit banks, manufacturers, critical infrastructure and many other industries. U.S. organizations including FedEx, Merck, and several U.S. hospitals faced disruptions as a result. U.S. officials are now concerned that history will repeat itself and that Russian attacks on Ukrainian networks will again cause mass disruption. Wiper malware released against Ukrainian networks is likely to have an impact that goes far beyond Ukraine's borders.
What you can do: Best practices to implement and reduce your risk
Confirm backups are sufficient, encrypted, and stored offline. A backup strategy should do more than copy data to a server on the same network: keep at least one copy segregated from the production network and offline, so that an attacker who gains domain-wide access cannot encrypt or wipe it along with everything else, and test restores regularly to confirm the backups are usable.
Enable multi-factor authentication (MFA) on all remote access and on all privileged and administrative access to your organization's network. Cowbell has several helpful guides on how to activate MFA for various software vendors.
Deploy an endpoint detection and response (EDR) solution. EDR monitors devices and endpoints for unusual activity, such as repeated failed logins, suspicious process execution, or attempts to disable security tooling, which helps detect an attacker trying to gain or expand unauthorized access to the network. Cowbell has a partner list of EDR vendors on our Cowbell Rx marketplace.
Deploy an intrusion detection system or intrusion prevention system (IDS/IPS). An IDS passively identifies potential threats in network traffic and raises alerts; an IPS sits inline and actively blocks identified threats before they harm the organization.
Apply a web application firewall (WAF). A WAF helps block common internet-based attacks on your web applications; it complements, rather than replaces, patching those applications.
Train employees on cybersecurity awareness. Employees are generally both the first and last line of defense against an attack. Therefore, it’s crucial to conduct workshops and exercises to educate employees regularly, especially given the evolving cybersecurity threat landscape. Cowbell offers free cybersecurity awareness training through our Cowbell Rx partner, Wizer.
Develop an incident response plan (IRP) and conduct tabletop exercises to ensure all members of the crisis response team understand their roles and responsibilities during an incident. Include senior business leadership and board members in tabletop exercises to familiarize them with how a cyber incident will be managed, both internally and across your supply chain.
Implement a robust password management policy. Length matters more than forced complexity: require long passwords or passphrases (at least twelve characters), screen new passwords against lists of common and previously breached passwords, and block the use of the organization's name or the user's own name. Use a password manager so that every account gets a unique password, and require a change when a compromise is suspected rather than on a fixed schedule; current NIST guidance (SP 800-63B) advises against mandatory periodic rotation and composition rules because they push users toward predictable patterns.
Maintain good email hygiene. Verify suspicious emails before acting on them, treat links, attachments, and URLs from unrecognized senders with caution, and encourage employees to report suspicious messages to IT.
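As an added illustration of the kind of detection the EDR and IDS/IPS recommendations above rely on (this is example code written for this page, not a Cowbell tool or any vendor's product), the Python script below scans sshd-style authentication log lines and flags a source address that fails authentication five times inside a two-minute window, and separately flags the case where a login from that address then succeeds within the same window. The log lines, host name, thresholds and the assumed year (syslog timestamps carry none) are all constructed for the example; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Flag password-guessing activity in sshd-style authentication logs.

Illustrative detection logic only: a per-source failed-login threshold
within a sliding time window, plus a higher-severity alert when a burst
of failures from one address is followed by a successful login.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd format. Not real data;
# the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  1 02:14:01 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  1 02:14:03 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51823 ssh2
Mar  1 02:14:05 web01 sshd[4122]: Failed password for root from 203.0.113.45 port 51824 ssh2
Mar  1 02:14:08 web01 sshd[4123]: Failed password for root from 203.0.113.45 port 51825 ssh2
Mar  1 02:14:10 web01 sshd[4124]: Failed password for deploy from 203.0.113.45 port 51826 ssh2
Mar  1 02:14:12 web01 sshd[4125]: Accepted password for deploy from 203.0.113.45 port 51827 ssh2
Mar  1 02:20:00 web01 sshd[4130]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  1 02:31:00 web01 sshd[4131]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the "Failed"/"Accepted" lines sshd writes for each login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2022):
    """Parse one sshd log line into a dict, or return None for other lines.

    Syslog timestamps have no year, so `year` is an assumption supplied
    by the caller (2022 here, matching the sample data).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return a list of alert dicts for the given log lines.

    'bruteforce': a source IP reached `threshold` failures inside `window`
    (raised once per IP). 'bruteforce_success': an Accepted login from that
    IP followed within `window` of the threshold being crossed.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    burst_at = {}                   # ip -> time the threshold was crossed
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in burst_at:
                burst_at[ip] = ts
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(recent), "ts": ts})
        elif ip in burst_at and ts - burst_at[ip] <= window:
            # A success right after a burst of failures is the pattern of
            # a guessing attack that worked; escalate accordingly.
            alerts.append({"type": "bruteforce_success", "ip": ip,
                           "user": ev["user"], "method": ev["method"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run it directly to print the alerts for the sample: one brute-force alert for 203.0.113.45 after its fifth failure, then a higher-severity alert when the `deploy` login from the same address succeeds two seconds later; the single failure from 198.51.100.7 followed by a key-based login eleven minutes later produces nothing. A per-source threshold like this is the simplest useful rule and is roughly what host-based detection does first; it will miss slow or distributed guessing spread across many addresses, which is one reason the recommendations above pair detection with MFA rather than relying on either alone.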
If you need support or guidance in putting the above in place, please reach out to our Risk Engineering Team.