Protecting from the Ongoing Threat of Russian Cyberattacks

Two weeks ago, the world watched in horror as Russia launched an unprovoked attack on Ukraine, a democratically elected, sovereign nation. We continue to watch with admiration as a nation’s civilian population have taken up arms to fight for their homeland. Both domestically and internationally, the response has been galvanizing. Governments have both condemned Russia’s actions and placed sanctions meant to pressure Russia into ending their assault. Businesses have severed ties with Russia in an effort to pressure the people of Russia to take a stand against Putin and his violent forces.

Proactively bracing for retaliation, the cyber security industry and various government security agencies such as the FBI, have issued directives and warnings to both private and corporate businesses. Those directives detailed the very likely scenario of cyber-attacks against the US and rest-of-world (ROW) as the Russian government begins to broaden its scope beyond Ukraine.  The U.S. Department of Homeland Security issued a warning to U.S. businesses urging them to be prepared for Russian cyber-attacks, reiterating that the threat is “ongoing.” While this guidance is all relevant, timely, and critical, it nonetheless begs an obvious question,
“So what’s changed? Hasn’t Russia been actively engaged in cyber-attacks all along?”

Unfortunately, the answer isn’t black and white. While the prevailing assumption is that Russian threat actors are “State Sponsored,” there has never been enough evidence to directly accuse the Russian government of the cyber-attacks launched from inside their country.  Case in point, just a short time ago, Russian hackers took down the Colonial Pipeline, the largest fuel pipeline in the U.S., with a ransomware attack. While the Russian government was never named in the attack, it was strongly suggested that the attackers were state sponsored. In response, Russia announced the arrest of numerous members of the REvil hacking group in a highly publicized “event” and at the request of the US Government. Prior to the invasion, and shortly after the REvil attack, Ukraine’s government experienced a massive cyberattack. Again, while not “attributed to Russia,” the mode of attack was strikingly similar to attacks carried out in advance of conflict with Georgia in 2008 and Crimea in 2014. Therefore, it is no stretch of the imagination to conclude that Russia is, indeed, still our enemy.

We know that once sanctions against Russia begin to take economic affect and they start to broaden their focus beyond Ukraine, cyber-attacks against the US, NATO and our allies will begin… and be brutal in their onslaught. So, what can you do to protect from the very real Russian threat of cyber-attacks?

The answer is by no means sexy or exciting. It is, however, achievable. Let’s start with application security and then look at ways to protect the organization as a whole. There are short-term and long-term best practices that can protect you from not only this enhanced threat level, but also ensuring the security of your applications in production:

• In the short-term, focus “Right”:
  • Inventory what assets are currently in production and exposed. Knowing what assets are deployed in production can help you begin testing to determine their risk of exposure.
  • If you are not currently scanning for vulnerabilities in your production environment applications, now is the time to start. Even if your developers write the most secure code, vulnerabilities can result from 3^rd party dependencies.  Minimize your attack surface risk by automatically scanning and discovering exploitable vulnerabilities in pre and postproduction environments.
• Over the long term, focus “Left” by ensuring that application security testing enabled and layered throughout your SDLC:
  • Empower your developers by testing code early in development stages so to ensure critical vulnerabilities are not deployed into pre-production.
  • Develop true DevSecOps by integrating testing into the tools and environments where software engineers work. By simultaneously testing for vulnerabilities as they build and test your applications locally and automating application security testing within their CI/CD pipelines, software engineering teams can identify and correct security vulnerabilities earlier and release secure applications faster.
• Implement strong security 101 hygiene across the organization:
  • Ensure that software is up-to-date on all devices and servers.
  • Protect endpoints with up-to-date anti-virus/anti-malware software.
  • Enable the embedded security features on all Windows and Mac devices.
  • Use Multi-Factor Authentication on all services, applications, and devices.

By adopting a layered approach to application security throughout your SDLC and implementing strong security hygiene throughout your network, your organization can protect from attacks from wherever they originate, whether by threat actors operating within Russia, by state sponsored attacks from Russia, or by threat actors attacking from across the globe.