Security Measures to Deploy Now to Defend Against a Russian Cyberattack
On February 22, 2022, U.S. Department of Homeland Security Secretary Alejandro Mayorkas warned critical infrastructure organizations located in the United States of possible cyberattacks by Russian state-sponsored actors in retaliation for sanctions imposed by the United States in response to Russia’s invasion of Ukraine. While critical infrastructure, such as banks, power plants, water treatment facilities, transportation systems, healthcare organizations, and communication systems would undoubtedly be high-priority targets, businesses involved in the stream of commerce for these organizations should also be on high alert and immediately take measures to anticipate and defend against such attacks. These organizations include security software and service providers (recalling the SolarWinds attack), those in the food industry (including farmers, farming equipment, and food packing), and other industries that represent a significant portion of the U.S. economy or whose failure would have a significant impact on U.S. residents. Few industries are not in the crosshairs of a cybersecurity attack.
What Businesses Can Do Now
Developing a mature cybersecurity program could take months, if not years, and cost millions of dollars. Given the public warning and the history of state-sponsored cyberattacks, businesses that do not assess and prepare for the threat are not only vulnerable to such attacks but also are exposed to potential liability in civil actions if that vulnerability concerns consumer data. However, there are some measures that organizations can deploy immediately to help defend against this increased threat.
- Refresh Cybersecurity Training, Including Phishing Simulations. Russian state-sponsored advance persistent threat (APT) actors use well-known but effective techniques to infiltrate systems. These include spear-phishing and other similar methods used to deploy malware or obtain credentials. Employees are frequently the weakest point in an organization’s cybersecurity program. Organizations should remind all users of their IT systems to be vigilant against unusual behavior and consider conducting phishing simulations to give users practice recognizing and defending against these common methods of attack.
- Immediately Replace Hardware and Software That is no Longer Supported and Patch All Systems for Security Vulnerabilities. Another well-known technique used by Russian state-sponsored actors is to exploit known vulnerabilities in common operating systems, applications, firmware, and network infrastructure components. Businesses should immediately deploy all available patches for medium and high-risk vulnerabilities. Prioritize vulnerabilities known to be used by Russian state-sponsored actors to gain initial access to systems (which is then used to launch more advanced attacks). Any IT components that are end of life or deemed obsolete should immediately be replaced.
- Deploy and Update Antivirus and Network Security Technologies. Russian state-sponsored actors are known to develop and deploy their own custom malware. Today’s modern antivirus and other network security technologies not only use signatures for known malware, but also use other technologies, including artificial intelligence, to detect and potentially neutralize anomalous activity that may be the result of unknown malware.
- Enable Logging and Monitoring Capabilities and Promptly Respond to Alerts. Firewalls and other intrusion detection systems may be configured to send and log alerts that may indicate the start or continuation of an ongoing cybersecurity attack. Some activities that trigger alerts are impossible logins (i.e., logins from geographic locations close in time that are physically impossible), multiple simultaneous logins, new account creation (especially privileged accounts), unexpected outbound connections, and unexpected activity in dormant accounts. These alerts do not serve their purpose if they are filtered or ultimately ignored by system administrators, who otherwise may be able to take actions to stop an attack. IT personnel should be on call to respond to alerts and review all medium, high, and critical alerts and warnings in log files at least once per day. IT personnel should avoid over-reliance on automated detection tools and be familiar with normal organization network traffic and computer processes to be able to spot abnormal traffic and processes in logs (which may otherwise not be caught by automated tools).
- Review Password Complexity Rules and Require Multifactor Authentication for All External Access to Systems. Russian state-sponsored actors are also known to use password brute force and other similar attacks to obtain and use legitimate access credentials. Organizations should require that all passwords meet specific password complexity rules (such as passwords of at least ten characters, including upper and lower case letters, symbols, and numbers). Multifactor authentication or other rolling password technologies for all externally accessible IT systems can further protect against access to systems if a password becomes compromised. IT systems should be configured or upgraded to use multifactor authentication if possible and require users to change passwords periodically.
- Closely Monitor Cybersecurity Resources to Track New Threats as They Appear. With the potential rollout of new malware by Russian state-sponsored actors, organizations must stay up-to-date on the latest news in cybersecurity. Resources such as the United States Cybersecurity and Infrastructure Security Agency website and newsletter can prove invaluable for developing quick responses against the newest threats. Organizations should pay close attention to updates and articles reporting on the current events in the cyber world.
- Have an Incident Response Plan or a Call List of Critical Resources to Respond to an Attack. Ideally, all organizations have an incident response plan that has been tested. Organizations that have not had the opportunity to develop one should immediately create a list of cross-functional critical resources that can respond in the event of a cybersecurity attack, along with methods of contacting them in the event of an attack against the organization’s systems (such as personal cell phone numbers). These resources should also include outside legal and other experts who can guide the organization in responding. All critical incident response personnel should keep a hard copy of the incident response plan and contact phone tree with them, as electronic copies may become unavailable in a cybersecurity attack.
- Shut Down Your Devices When Not in Use. Shutting down a device when not in use not only lessens the availability of the device to become infected but may also thwart many types of malware that reside in a device’s memory as it waits to embed itself on the device. When shutting down the device, the device’s memory is erased, along with any malware residing in such memory. Having employees shut down their work devices when not in use shuts down a portal of malware to the company’s IT systems.
For More Information
Even the most mature cybersecurity program cannot protect against all threats. Organizations that have a security program should take the opportunity to review their security measures and update them as necessary. For other organizations who may not yet have developed a cybersecurity program, the above measures may help reduce the likelihood of an attack from all threat actors, including Russian state-sponsored actors, and assist in responding if any such attack occurs. For more information about security measures that your organization can deploy or for assistance in responding to a cybersecurity attack, please contact any of the partners or senior counsel in Foley’s Cybersecurity Team. In the event of a cybersecurity incident, Foley’s cybersecurity team can be reached through our 24/7 cybersecurity incident hotline at (844) 4BREACH or [email protected].
As the Russia-Ukraine war continues, so too do new business and legal implications for companies around the world. For more information on how to mitigate risk and protect your business, contact a Foley lawyer today.