Protect your organization against nation-state cyberattacks
U.S. organizations have been called upon to increase cybersecurity vigilance in the wake of U.S. sanctions on Russia for its invasion of Ukraine.
The federal Cybersecurity & Infrastructure Security Agency (CISA) issued an alert on Feb. 16, 2022, that the FBI, NSA, and CISA had “observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors” from at least January 2020 through February 2022. CISA has also posted a web page, titled “Shields Up,” that includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses.
“While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies,” CISA says on the web page. “Every organization – large and small – must be prepared to respond to disruptive cyber activity.”
While awareness has been rising amid the current situation, the threat of nation-state cyberattacks has been on the rise for some time. For example, according to one mid-2019 article, Microsoft had notified almost 10,000 users over the preceding year that they had been “targeted or compromised by nation-state hacking groups,” mostly from Iran, North Korea, and Russia.
Beyond obtaining intellectual property, these attacks may be intended to monitor military and diplomatic information; disrupt operations; compromise physical control systems used in electric utilities, manufacturing, and oil refineries; and generally create panic, chaos, and harm.
These types of actors have been known to employ an assortment of precisely calibrated tactics and techniques, including:
- Email phishing scams, in which messages presented as coming from a trusted company or individual contain links or attachments that, when clicked by the recipient, infect computers with powerful ransomware or malware that gives threat actors remote access to infected computers and potentially other computers in the network.
- Targeting unsecured endpoints like laptops, smartphones, and tablets, which have multiplied as more remote workers use personal equipment rather than company-provisioned technologies. These endpoints can be particularly vulnerable when used by employees who are not trained to avoid phishing and other social-engineering scams.
- Password spraying, a brute-force attack method that attempts to match usernames with common passwords to gain network access. Other threat actors purchase email and system log-on credentials stolen in previous cyberattacks. And as more employees work from home, threat actors are exploiting zero-day vulnerabilities – issues that haven’t yet been discovered, or have been discovered but not yet patched – in VPNs and other remote working tools and software platforms.
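A defender-side check for the password-spraying pattern described above, as an added example that is not part of the original article: it flags a source address whose failed logins touch many distinct accounts with only a few tries each. The log format, thresholds, account names, and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from a real system); format is an assumption.
SAMPLE_LOG = """\
2022-02-16T09:00:01 FAIL user=alice src=203.0.113.7
2022-02-16T09:01:02 FAIL user=bob src=203.0.113.7
2022-02-16T09:02:03 FAIL user=carol src=203.0.113.7
2022-02-16T09:03:04 FAIL user=dave src=203.0.113.7
2022-02-16T09:04:05 FAIL user=erin src=203.0.113.7
2022-02-16T09:00:10 FAIL user=frank src=198.51.100.20
2022-02-16T09:00:20 FAIL user=frank src=198.51.100.20
2022-02-16T09:00:30 FAIL user=frank src=198.51.100.20
2022-02-16T09:05:00 FAIL user=alice src=192.0.2.5
2022-02-16T09:05:30 OK user=alice src=192.0.2.5
"""

def parse(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spraying(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: [accounts]} for sources whose failed logins inside one
    window hit at least min_users accounts with at most max_per_user tries each."""
    fails = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, result, user, src = parse(line)
            if result == "FAIL":
                fails[src].append((ts, user))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged

if __name__ == "__main__":
    print(detect_spraying(SAMPLE_LOG.splitlines()))
```

Repeated failures against a single account (the `frank` lines) and an ordinary mistyped password followed by a success are not flagged; the window and thresholds need tuning to the environment's normal login failure rate.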
Defending against nation-state attacks will require careful assessment and enhancement of your current cybersecurity protections, including your people, processes, and technology, to understand your capabilities and implement further safeguards as necessary.
In general, aim to have a layered defense model that combines multiple security controls at different levels, with a series of defenses working together within each, to secure your network and protect resources and data. Here’s what to consider.
1. Keep people at the heart of your defense plans. Humans tend to be the weakest link in cybersecurity, but they can also be a strong asset, if properly trained on how to spot, avoid, and mitigate threats. Remind employees to be cautious; refresh training and tip sheets about top threats like phishing, ransomware, and weak passwords; and base training programs on current, specific threats. Extend training to all employees, including remote workers, as well as any third-party contractors (and subcontractors). Provide additional specialized role-based training to employees who have super user or privileged access to IT assets.
2. Review your basics. Many of the traditional good cyber hygiene rules apply here: encryption of data, use of VPNs, proper configuration of firewalls, updated anti-malware and intrusion-prevention software, and stringent password requirements. Enforce multifactor authentication for all users across all IT assets – including company leadership.
3. As remote and hybrid work continue, keep track of all hardware and software assets, and make sure you are securing the access coming into your environment. Test VPNs, videoconferencing, and collaboration tools to help ensure adequate capacity for home workers and minimize risks of infiltration or interception. Evaluate the privacy and security capabilities of remote collaboration tools related to access, storage, and sharing of data, including anything based in the cloud.
4. Tighten access across systems. Make sure that privileged access to all IT assets, including security tools, is well controlled and monitored. Access should be granted on the principle of least privilege: Minimize employees’ access to applications to only the ones that are necessary to perform their job.
5. Look outside your own walls. Perform security due diligence on suppliers, business partners, and any other third parties that have access to your systems and data.
6. Implement solutions or third-party services to monitor and log network behavior 24/7, and alert your team to any security events and incidents. And on that point…
7. Don’t overlook security alerts. When your tools are telling you something is wrong, take the time to fully assess what is happening. Understand and utilize the full functionality of the controls you’ve invested in.
8. Make cybersecurity an ongoing process. Deploy tools to routinely perform patch management and maintenance, even remotely. Make sure that any time changes are made to critical applications, you analyze their security impact.
9. Have an adequate incident response plan. Take the approach of “it’s not if you’ll have an incident, but when,” and make sure everyone across your organization knows how to respond when it happens. Update plans to factor in any workforce changes, such as reductions in on-site IT staff, and consider testing your plans now. Review business continuity and disaster recovery plans, too.
10. Incorporate appropriate network segmentation to help limit the impact of an intrusion; be able to quickly isolate any affected systems before attackers can spread too far.