C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine
One thing a career in the intelligence community taught me is no model for predicting the future is foolproof. Every model and method has flaws. But when a an adversary tells you what they will do you have to take that into account. And at this point all indications from Putin are that Russia intends on invading the Ukraine.
This post is about what this means for organizational cybersecurity posture.
The Russian Cyber Threat
The capabilities of Russia to conduct cyber espionage and cyber attack have been battle tested and are hard to thwart even during daily “peacetime” operations. They include well resourced capabilities of the military and intelligence services and also deep technical expertise in the Russian business ecosystem and in organized crime which operates as part of Russian national power. Proof points of Russian capabilities include the massive and sophisticated Solar Winds attacks which leveraged low and slow, well thought out plans to achieve access to multiple well-protected targets. Ransomware successes by Russian based criminal networks are also instructive as to the capability of Russian cyber threat actors. The use of malicious self replicating code (worms/virus/trojan) to spread malicious code into infrastructure is also well proven with decades of practice including fielding software that replicates from unclassified to classified systems in the military and spreads throughout critical infrastructure.
Assessments of the Russian Cyber Threat should also take into account the 200 year long Russian culture of leveraging propaganda, misinformation and disinformation and the more modern Russian mastery of using those techniques in US media and social media to manipulate opinions. This type of attack differs from traditional cyber attacks but is related especially in manipulating unsuspecting individuals to enable attacks and in weakening response and needs to be considered by decision-makers.
C-Suite leaders should be aware that Russian doctrine and practice in cyber conflict has been well articulated and also practices for years, and Russian perceptions of the benefits to their military operations in Georgia and Ukraine to date make it clear that cyber operations will be conducted in what they call the “information space.” Offensive cyber operations have already occurred against US targets as well and should the US oppose the Russian invasion of Ukraine these will almost certainly increase. Attacks against military organizations are a given. Increased attacks by Russian aligned organizations (including Ransomware actors and other criminals) against civilian infrastructure are also highly likely.
As a planning assumption, organizations should plan for changes to the tactical situation before, during and after the invasion. Prior to the invasion expect to see more low observable action to gain access to networks and systems to establish a foothold but possibly less ransomware activity than in recent past. During the invasion expect the nature of the threat to vary by sector and mission of the organization, but all will see increased activity including low level threats, ransomware attacks and attacks against critical infrastructure to flood the zone. Even though all will know these attacks come from Russia there will be plausible deniability and it would be reasonable to expect a confrontational “so what are you going to do about it?” response to any attempt to put the blame on Russia. After the invasion the scenarios may include a rapid draw down in the threat level as the Russians mop up resistance inside Ukraine.
Recommended Actions To Mitigate The Russian Cyber Threat
With the caveat that there is no such thing and operating risk free and will never be perfect security, there are steps that can be taken that reduce risk and make it harder for adversaries to damage business operations. Here are a few important considerations for C-Suite leaders broken down by organization size:
Large Businesses/Large Federal Government Agencies
Most all large businesses and large government agencies will already have a security program, but if there are any questions about what this should look like reach out to experts immediately to improve your program (contact OODA here). It can be very hard to make fast changes to a large organization, but starting an improvement plan now is better than waiting till you are under siege.
Large businesses and governments should put plans in place to inform employees, customers and partners of what to do in the face of misinformation and disinformation attacks. Employees should know who to contact inside the organization to confirm questionable information. Leadership should be prepared to rapidly communicate to the public, employees and partners to counter intentionally deceptive information.
We recommend large businesses and large federal agencies convene their leadership team immediately to discuss worse case scenarios regarding infrastructure attack and response, to include quick table-top exercises to ensure the entire leadership team is aware of what the threat may mean for continued business operations. The IT and security team should be questioned regarding backup and recovery capabilities including last time that recovery was tested. The IT and security teams should also ensure core business communications links are redundant so operations can continue in outages of primary links. And security out of band communications should be put in place including means for the executive team to communicate directly with each other with security (using apps such as Wickr Pro).
This is also a good time to reconfirm appropriate relationships with external partners including the appropriate ISAC for your business sector. Contact the ISAC now and start a dialog on the nature of the Russian cyber threat to your sector. The US DHS security team at CISA has been providing exceptional cybersecurity leadership on topics like countering ransomware and patching big vulnerabilities like Log4j and during a conflict with Russia will no doubt be providing key info to business leaders. One particularly relevant initiative of CISA which we believe will prove instrumental in improving collaboration in time of crisis is the Joint Cyber Defense Collaborative (JCDC).
Although it seems clear that Russia will initiate hostilities with Ukraine, there is uncertainly over timing. Do not stop your long term security improvement plans during this crisis. Continue to push towards a zero trust architecture and continue to train employees on the importance of security.
Small To Mid-Sized Businesses/State and Local Governments
It is an unfortunate reality that most small to mid-sized businesses and most state and local governments have very thinly manned security teams. Leaders in these organizations should understand it is incumbent on them to ensure the business can continue when under cyber attack. Fortunately there are best practices that can be followed to help prioritize actions (see OODA’s Cybersecurity Sensemaking Page and Best Practices for Agile Cyber Defense). The The US DHS security team at CISA also has insights and advice relevant for mid-sized businesses and state and local governments. We most strongly recommend all small to mid sized organizations including governments review the specific, actionable advice of the Global Cyber Alliance.
Key items to check into immediately include:
- Ensure you are patching your operating systems and applications. This sounds so basic, and it is so basic. But it is too frequently overlooked and it gets both individuals and companies hacked, again and again. So if you are a home user make sure you do this yourself and if you are a small business make sure you have processes in place for it to be done for all. Leaders in organizations of all sizes should realize it is a common mistake to just assume systems are being patched. Don’t just assume it is going on. Check it.
- Put multi-factor authentication in place for every employee, including on their use of cloud based services, and encourage all to do this at home as well. Depending on your business model, you may need to do this for customers and suppliers too. This is very important for a good defense. Some multi-factor methods are still open to attack. Important accounts should be protected by a hardware token too, like the YubiKey.
- Configure your DNS to make it harder on the bad guys. There are simple configuration changes you can put in place that will greatly reduce the risk of malicious code and privacy attacks. There are many options for the changes to make to your DNS, but for most we recommend changing your DNS server to 220.127.116.11 (learn more at Quad9.net and see more options and info at: DNS Configuration Tips).
- Configure your email to make it harder to be spoofed/phished. By using widely used configurations called DMARC you can significantly reduce the chance that your email will be spoofed and your partners or employees tricked because of you. Learn more about DMARC here.
- Prepare for the worse. Know what your incident response plan is and make sure it is well documented and reviewed. Ensure it includes notification procedures. Ensure your team is also prepared to respond to “digital swiftboating,” which can come at any time and may involve trolls and haters sponsored by your competitors or even hostile nations. Preparing for incidents means more than just planning. Exercise the plan by realistic scenario driven table top exercises.
- Ensure you are able to communicate with others in a way that cannot be monitored by criminals/hackers. This is important in day to day business and urgent in incident response. Our recommendation: Wickr Pro, which will allow secure messaging, secure audio and secure video as well as document exchange.
Your home and personal IT can be used as a launching pad for Russian attacks against others so it is critically important to take personal responsibility to defend your part of cyberspace. One thing all who are more technically savvy can do is to help others protect themselves. We strongly recommend reaching out to friends, family and small business partners to help others understand and execute on:
- Implementing multi-factor authentication on all accounts.
- Automating the updating of software.
- Being aware of fraud methods and the way adversaries make people click links.
- Using strong passwords, preferably with a password manager.
It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.
OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.
You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.
Black Swans and Gray Rhinos
Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking
Corporate Sensemaking: Establishing an Intelligent Enterprise
OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking
The OODAcast Video and Podcast Series
In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast