ArchiveDisruptive TechnologyOODA OriginalSecurity and Resiliency

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine

One thing a career in the intelligence community taught me is no model for predicting the future is foolproof. Every model and method has flaws. But when an adversary tells you what they will do you have to take that into account. And at this point all indications from Putin are that Russia intends on invading Ukraine.

This post is about what this means for organizational cybersecurity posture.

The Russian Cyber Threat

The capabilities of Russia to conduct cyber espionage and cyber attack have been battle tested and are hard to thwart even during daily “peacetime” operations. They include well resourced capabilities of the military and intelligence services and also deep technical expertise in the Russian business ecosystem and in organized crime which operates as part of Russian national power. Proof points of Russian capabilities include the massive and sophisticated Solar Winds attacks which leveraged low and slow, well thought out plans to achieve access to multiple well-protected targets. Ransomware successes by Russian based criminal networks are also instructive as to the capability of Russian cyber threat actors. The use of malicious self replicating code (worms/virus/trojan) to spread malicious code into infrastructure is also well proven with decades of practice including fielding software that replicates from unclassified to classified systems in the military and spreads throughout critical infrastructure.

Assessments of the Russian Cyber Threat should also take into account the 200 year long Russian culture of leveraging propaganda, misinformation and disinformation and the more modern Russian mastery of using those techniques in US media and social media to manipulate opinions. This type of attack differs from traditional cyber attacks but is related especially in manipulating unsuspecting individuals to enable attacks and in weakening response and needs to be considered by decision-makers.

C-Suite leaders should be aware that Russian doctrine and practice in cyber conflict has been well articulated and also practices for years, and Russian perceptions of the benefits to their military operations in Georgia and Ukraine to date make it clear that cyber operations will be conducted in what they call the “information space.” Offensive cyber operations have already occurred against US targets as well and should the US oppose the Russian invasion of Ukraine these will almost certainly increase. Attacks against military organizations are a given. Increased attacks by Russian aligned organizations (including Ransomware actors and other criminals) against civilian infrastructure are also highly likely.

As a planning assumption, organizations should plan for changes to the tactical situation before, during and after the invasion. Prior to the invasion expect to see more low observable action to gain access to networks and systems to establish a foothold but possibly less ransomware activity than in recent past. During the invasion expect the nature of the threat to vary by sector and mission of the organization, but all will see increased activity including low level threats, ransomware attacks and attacks against critical infrastructure to flood the zone. Even though all will know these attacks come from Russia there will be plausible deniability and it would be reasonable to expect a confrontational “so what are you going to do about it?” response to any attempt to put the blame on Russia. After the invasion the scenarios may include a rapid draw down in the threat level as the Russians mop up resistance inside Ukraine.

Recommended Actions To Mitigate The Russian Cyber Threat

With the caveat that there is no such thing and operating risk free and will never be perfect security, there are steps that can be taken that reduce risk and make it harder for adversaries to damage business operations. Here are a few important considerations for C-Suite leaders broken down by organization size:

Large Businesses/Large Federal Government Agencies

Most all large businesses and large government agencies will already have a security program, but if there are any questions about what this should look like reach out to experts immediately to improve your program (contact OODA here). It can be very hard to make fast changes to a large organization, but starting an improvement plan now is better than waiting till you are under siege.

Large businesses and governments should put plans in place to inform employees, customers and partners of what to do in the face of misinformation and disinformation attacks. Employees should know who to contact inside the organization to confirm questionable information. Leadership should be prepared to rapidly communicate to the public, employees and partners to counter intentionally deceptive information.

We recommend large businesses and large federal agencies convene their leadership team immediately to discuss worse case scenarios regarding infrastructure attack and response, to include quick table-top exercises to ensure the entire leadership team is aware of what the threat may mean for continued business operations. The IT and security team should be questioned regarding backup and recovery capabilities including last time that recovery was tested. The IT and security teams should also ensure core business communications links are redundant so operations can continue in outages of primary links. And security out of band communications should be put in place including means for the executive team to communicate directly with each other with security (using apps such as Wickr Pro).

This is also a good time to reconfirm appropriate relationships with external partners including the appropriate ISAC for your business sector. Contact the ISAC now and start a dialog on the nature of the Russian cyber threat to your sector. The US DHS security team at CISA has been providing exceptional cybersecurity leadership on topics like countering ransomware and patching big vulnerabilities like Log4j and during a conflict with Russia will no doubt be providing key info to business leaders. One particularly relevant initiative of CISA which we believe will prove instrumental in improving collaboration in time of crisis is the Joint Cyber Defense Collaborative (JCDC).

Although it seems clear that Russia will initiate hostilities with Ukraine, there is uncertainly over timing. Do not stop your long term security improvement plans during this crisis. Continue to push towards a zero trust architecture and continue to train employees on the importance of security.

Small To Mid-Sized Businesses/State and Local Governments

It is an unfortunate reality that most small to mid-sized businesses and most state and local governments have very thinly manned security teams. Leaders in these organizations should understand it is incumbent on them to ensure the business can continue when under cyber attack. Fortunately there are best practices that can be followed to help prioritize actions (see OODA’s Cybersecurity Sensemaking Page and Best Practices for Agile Cyber Defense). The The US DHS security team at CISA also has insights and advice relevant for mid-sized businesses and state and local governments. We most strongly recommend all small to mid sized organizations including governments review the specific, actionable advice of the Global Cyber Alliance.

Key items to check into immediately include:

  • Ensure you are patching your operating systems and applications. This sounds so basic, and it is so basic. But it is too frequently overlooked and it gets both individuals and companies hacked, again and again. So if you are a home user make sure you do this yourself and if you are a small business make sure you have processes in place for it to be done for all. Leaders in organizations of all sizes should realize it is a common mistake to just assume systems are being patched. Don’t just assume it is going on. Check it.
  • Put multi-factor authentication in place for every employee, including on their use of cloud based services, and encourage all to do this at home as well. Depending on your business model, you may need to do this for customers and suppliers too. This is very important for a good defense. Some multi-factor methods are still open to attack. Important accounts should be protected by a hardware token too, like the YubiKey.
  • Configure your DNS to make it harder on the bad guys. There are simple configuration changes you can put in place that will greatly reduce the risk of malicious code and privacy attacks. There are many options for the changes to make to your DNS, but for most we recommend changing your DNS server to 9.9.9.9 (learn more at Quad9.net and see more options and info at: DNS Configuration Tips).
  • Configure your email to make it harder to be spoofed/phished. By using widely used configurations called DMARC you can significantly reduce the chance that your email will be spoofed and your partners or employees tricked because of you. Learn more about DMARC here.
  • Prepare for the worse. Know what your incident response plan is and make sure it is well documented and reviewed. Ensure it includes notification procedures. Ensure your team is also prepared to respond to “digital swiftboating,” which can come at any time and may involve trolls and haters sponsored by your competitors or even hostile nations. Preparing for incidents means more than just planning. Exercise the plan by realistic scenario driven table top exercises.
  • Ensure you are able to communicate with others in a way that cannot be monitored by criminals/hackers. This is important in day to day business and urgent in incident response. Our recommendation: Wickr Pro, which will allow secure messaging, secure audio and secure video as well as document exchange.

Individuals

Your home and personal IT can be used as a launching pad for Russian attacks against others so it is critically important to take personal responsibility to defend your part of cyberspace. One thing all who are more technically savvy can do is to help others protect themselves. We strongly recommend reaching out to friends, family and small business partners to help others understand and execute on:

  • Implementing multi-factor authentication on all accounts.
  • Automating the updating of software.
  • Being aware of fraud methods and the way adversaries make people click links.
  • Using strong passwords, preferably with a password manager.

Stay Informed

It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Resources for the C-Suite and Crisis Management Team:

Twitter List For Tactical Information: This Twitter list of vetted resources that have reported accurately on tactical moves in the Ukrainian theater can be used to quickly capture the gist of a dynamic military situation.

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine: The capabilities of Russia to conduct cyber espionage and cyber attack have been battle tested and are hard to thwart even during daily “peacetime” operations. They include well resourced capabilities of the military and intelligence services and also deep technical expertise in the Russian business ecosystem and in organized crime which operates as part of Russian national power. Proof points of Russian capabilities include the massive and sophisticated Solar Winds attacks which leveraged low and slow, well thought out plans to achieve access to multiple well-protected targets. Ransomware successes by Russian based criminal networks are also instructive as to the capability of Russian cyber threat actors. The use of malicious self replicating code (worms/virus/trojan) to spread malicious code into infrastructure is also well proven with decades of practice including fielding software that replicates from unclassified to classified systems in the military and spreads throughout critical infrastructure. This post goes beyond an articulation of the threat into recommendations leaders seeking to mitigate cyber threats from Russia including threats before, during and after a Ukraine invasion.

What The C-Suite Needs To Know About The Threat To Space Based Systems (and what to do about it): OODA recently updated the analysis below on threats to space based assets (with a focus on what the C-Suite needs to know) because of tensions with Russia and continued testing of satellite destruction capabilities the most recent of which (Nov 2021) caused significant increases in dangerous space debris.  We recommend this be read in conjunction with our report on what the C-Suite needs to know about the cybersecurity threats due to the coming Russian invasion of Ukraine, see links in the document for more.

Will China Replicate Russia’s Cyber Offensives in a Taiwan Reunification?: The current situation in the Ukraine has garnered the world’s attention with stakeholders watching attentively as the crisis unfolds. Such regional hotspots have the potential of spilling over into neighboring countries and pulling in governments from all over the world in some capacity. The threat of armed conflict escalating into a major global engagement is always a possibility. China and Taiwan are eagerly watching the crisis as well, but largely for different reasons. While Taiwan is interested to see how friendly governments come to Ukraine’s aid, China is observing how Russia may go about reclaiming territory of the former Soviet Union, in the attempts of gaining insight into how such an act can be accomplished successfully, should Moscow do just that.

A Warning for the U.S. Chip Industry: Russian Retaliation Could Hit Supply of Key Materials: Russia may retaliate against the U.S. threat of trade sanctions and export curbs by blocking access to key materials like neon and palladium. Ukraine supplies over 90% of U.S. semiconductor-grade neon. This type of supply chain-based retaliation has become a priority concern for the White House, which is encouraging a broad diversification of the supply chain in the event Russia limits access to these key materials.

In 2022, the Strategic Impact of Global Intermodal Supply Chain Gridlock on IT Supply Chain Remains High: The OODA Loop Research Team has been tracking the impact on supply chains from the onset of the pandemic.

Russia’s Long Game, Leadership Lessons, and Learning from Failure: In February of 2021, Matt Devost spoke to Rob Richer, a highly regarded advisor to international executives and global government leaders including several heads of state. Rob has a well-informed perspective on international risks and opportunities and an ability to analyze and distill observations in a way that is meaningful for your decision-making process. In light of the conditions in Europe, this portion of their initial OODAcast conversation is timely and includes a discussion of Richer’s time as the head of CIA Russian Operations, his perspective on U.S./Russian relations (especially the role of cyber), leadership, the role of failure, and decision-making.

Charity Wright on China’s Digital Colonialism: Charity Wright is a Cyber Threat Intelligence Analyst with over 15 years of experience at the US Army and the National Security Agency, where she translated Mandarin Chinese. Charity now specializes in dark web cyber threat intelligence, counter-disinformation, and strategic intelligence at Recorded Future. Her analysis has provided deep insights into a variety of incidents, activities and strategic moves by well resourced adversaries, primarily actors operating in China.

The January 2022 OODA Network Member Meeting: Putin, Russia, Gray Zone Conflict Capabilities and The Future of Europe: To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.

CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks :In what felt like coordinated attacks last Friday, data-wiping malware (masquerading as ransomware) hit Ukrainian government organizations and was quickly followed by an aggressive unattributed cyber attack on Ukrainian government sites. The attacks prompted the release of a CISA Insights Bulletin urging U.S. organizations to strengthen their cybersecurity defenses.

Additional Context on OODA Reporting on Russia’s Military-Technical Maneuvers in Europe: We are conscious of our need to keep our usual variety of News Brief and OODA Analysis, but for obvious reasons, this week is top-heavy with Russian, NATO, and Ukrainian coverage. We intend on keeping our focus on providing context you need vice the blow by blow of major moves. Like in other domains we endeavor to provide the “So What?” and “What’s Next?” you need to help drive your decisions.

OODA Research Report- The Russian Threat: This special report captures insights into the capabilities and intent of the Russian Threat, with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions.

Bob Gourley

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes OODALoop.com. Bob is the co-host of the popular podcast The OODAcast. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency. Find Bob on Defcon.Social