This article originally appeared on the official DLT Solutions blog.
Though the Ukraine-Russia conflict began when the Russian military invaded Ukraine last February, the cybersecurity and cyber warfare elements of this conflict began long before the first combat action. Ukraine was hit with numerous cyberattacks against its government and banking systems in the lead-up to the invasion, with experts attributing the attacks to Russia. And within the first 48 hours of the invasion, multiple U.S. agencies noted that cyberattacks from suspected Russia-based hackers increased by over 800%.
Since then, cyberattacks have been a key and consistent element of the conflict against Ukraine and its Western allies. Ultimately, it has become clear that organizations must strengthen their cybersecurity during this conflict.
Why is the Ukraine-Russia conflict a global cybersecurity threat?
There are multiple reasons to believe the Ukraine-Russia conflict may develop into a global cybersecurity threat for nations and organizations that are not directly involved with the conflict.
As U.S. President Biden noted in a recent statement on cybersecurity, “malicious cyber activity” is “part of Russia’s playbook.” In the same statement, President Biden warned that Russia could likely launch cyberattacks against Western nations in retaliation against sanctions. He also noted that intelligence agencies already discovered “the Russian Government is exploring options for potential cyberattacks.”
In addition, NATO has released its own statements recommending cybersecurity assistance to Ukraine. NATO is actively increasing its own “cybersecurity capabilities and defenses,” and allies are “providing support to each other in the event of cyberattacks.”
Given this evidence, the global cybersecurity threat emerging from this conflict could be vast.
As noted by Accenture’s most recent incident report on cybersecurity in the Ukraine-Russia conflict, Russian ransomware operators are openly threatening to attack Western infrastructure. Entities in NATO “should expect potential disruptive activity and information operations,” including ransomware and cyberattacks. Numerous ransomware and distributed denial-of-service attacks have already been launched against countries that imposed sanctions on Russia.
In short: even if the physical side of the Ukraine-Russia conflict remains limited to the region, its cybersecurity side has already become a global crisis, with Russia and its allies on one side and the Western countries responding to their actions on the other.
The global cybersecurity response to the Ukraine-Russia conflict
Many Western countries have already mounted a cybersecurity response and provided recommendations related to the Ukraine-Russia conflict. Hundreds of thousands of multinational hackers have volunteered to fight back against Russian cybercrimes. And in his previously cited statement, U.S. President Biden explicitly discussed cyber threats to national security and asked the private sector to “harden your cyber defenses immediately” by implementing best practices.
Many of these best practices have been discussed in previous executive orders on cybersecurity and reiterated by the Cybersecurity and Infrastructure Security Agency (CISA), which has launched the Shields Up initiative in response to the Ukraine-Russia conflict. This initiative provides guidance for organizations on how they can bolster their defenses to improve their resilience and response to incidents — with particular emphasis placed on improving ransomware protections.
The risk of cyber threats and cyberattacks from Russia
The Ukraine-Russia conflict is forcing organizations around the world to re-evaluate their cybersecurity risk, revisit their threat models, and build new capabilities in response to potential Russian cyberattacks on critical infrastructure and services.
There has been a flurry of activity in boardrooms across the country as companies scramble to mount an effective response to these cyber threats and develop new cybersecurity strategies and solutions.
At Illumio, many of our customers have asked what they can do to prevent threats from spreading to their IT systems. We have identified two primary sources of risk emerging from this conflict — one highly specific to cyber threats particular to the region and the other more general.
Multinational organizations with locations in Ukraine, Russia or Belarus are worried that malicious actors may compromise their computer networks in these regions. Doing so would give attackers the opportunity to shut down critical assets there and to move laterally into networks closer to home. This threat is similar to the NotPetya malware that spread out of Ukraine in 2017 and crippled multinational companies whose Ukrainian offices were connected to their global networks.
Organizations without a presence in this region are worried about the potential repercussions of Western sanctions on Russia. As President Biden’s warning stated, all organizations in the U.S. and allied countries need to prepare for retaliatory cyberattacks. This is especially true for organizations in critical infrastructure like finance, utilities and healthcare.
For the rest of this article, we will outline how organizations can strengthen their cybersecurity and build resilience against the general and specific cyber threats they face as the Ukraine-Russia conflict continues to develop.
Types of cyberattacks to worry about: Focus on ransomware
Many types of cyber threats and a wide range of cyberattacks will likely occur as part of the Ukraine-Russia conflict. However, we anticipate that ransomware will remain the primary cyberattack pattern and type of threat during this moment of crisis.
There are a few reasons for this perspective.
First, CISA's Shields Up guidance singles out ransomware as the primary threat organizations should prepare to respond to.
Second, ransomware has already emerged as today’s biggest cybersecurity threat, and we have seen it deployed to disrupt critical infrastructure and supply chains for financial profit. Ransomware has proven that it can cause major damage to the operations of most any kind of organization. We expect to see more of it.
Third, ransomware is a complex cyberattack pattern with many discrete steps and tactics — most of which are used by other cyberattack patterns. This means if you build your resilience against ransomware, you will also build your resilience against most other cyber threats.
Finally, successful ransomware incidents highlight how traditional cybersecurity architectures fail to stop new threats. Ransomware has made it clear that prevention is no longer enough, breaches are now inevitable, and conventional cybersecurity tools and protocols can’t keep up with the speed and scale of today’s cyberattacks.
How to establish a resilient cybersecurity architecture and environment that stops ransomware and other cyberattacks
To build resilience against ransomware and other modern cyber threats, you must first understand how they operate.
Let’s break down the common attack pattern most of these threats follow and then provide simple steps to counter this attack pattern and build a more resilient architecture and environment.
Most ransomware attacks are built around three behaviors.
- They exploit common pathways. Most modern cyberattacks succeed with fundamental tactics like exploiting software vulnerabilities, misconfigurations, or user errors. To do so, they automatically scan the Internet for exposed, exploitable services that lead into a network. They typically target a small set of high-risk pathways (like RDP on TCP 3389 and SMB on TCP 445), and they follow these same pathways to spread quickly through open, flat environments.
- They are multistage campaigns. Often, modern cyberattacks have to complete many stages of action in between breaching a network and compromising enough assets to shut down systems and demand a ransom. To do so, they typically compromise a low-value asset in the initial breach, connect to the Internet to pull down tools to advance the attack, and gradually work their way through the network to reach high-value assets.
- They go undetected for months. After breaching an organization’s perimeter, they hide in its network and spend as much time as possible silently building a foothold and increasing their leverage. To do so, they often exploit assets that organizations don’t know they have, travel network pathways that organizations don’t know are open, and leave hard-to-follow trails of data — only making themselves known when they strike.
Fortunately, building cyber-resilient architectures and environments that stop these attacks is simpler than you think. Just take the above attack pattern and build cyber defense capabilities to counter each component. Here’s how.
Cybersecurity capabilities that stop cyber threats and build resilience
There are three main cybersecurity capabilities that can help you counter common attack behaviors and build resilience against ransomware and other related threats.
To learn more details about each of these capabilities — and how to develop them quickly — you can check out our full guide, How to Stop Ransomware Attacks. But here’s a quick overview of what capabilities can stop most ransomware threats.
Comprehensive visibility into communication flows. With the right visibility, ransomware and other modern cyber threats will have nowhere to hide. If you have real-time visibility into how your applications communicate with each other, you will have a better chance of detecting these attacks early enough to prevent harm.
This visibility can also help you identify the unnecessary cybersecurity risks in your environment, centralize and correlate multiple sources of risk data into a unified view of your communication flows, and prioritize which actions to take to harden your environment.
Ransomware-blocking. If you can reduce obvious pathways of attack for cybercriminals, you can limit a breach’s impact and harm. To do so, you should proactively close as many high-risk pathways as possible, monitor those you have to leave open, and create a reactive emergency containment switch that can lock down your network in seconds during an incident.
Isolating critical assets. Finally, if you can limit the ability of an attack to spread from one system to the next, you can prevent ransomware from reaching your critical assets and causing major damage. To do so, you first have to identify your highest-value assets and then implement segmentation to isolate and protect those assets within your network, allowing only the inbound flows they actually need and closing outbound connections to unknown and untrusted destinations.
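As an added example (not Illumio's code and not tied to any vendor's API), the following Python script shows the three capabilities above working together on constructed flow records: it builds an application dependency map (visibility), flags RDP/SMB flows that do not come from the admin jump tier and outbound connections to unknown external destinations (ransomware-blocking), and derives a default-deny ring fence for one critical asset from the remaining observed traffic (isolation). The asset inventory, labels, high-risk port list and flow lines are all assumptions made up for illustration.

```python
"""Added example: flow-log visibility, high-risk pathway detection and a
default-deny policy for a critical asset. Not vendor code; all data constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports commonly abused for lateral movement (assumed list; tune for your estate).
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS", 135: "MSRPC", 5985: "WinRM"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# External destinations that are known and approved (constructed).
KNOWN_EXTERNAL = {"198.51.100.10": "vendor-updates"}


@dataclass(frozen=True)
class Asset:
    name: str
    app: str       # application label
    role: str      # tier label within the application
    critical: bool = False


# Constructed inventory; in practice this comes from a CMDB or agent telemetry.
ASSETS = {
    "10.0.1.10": Asset("web-01", "storefront", "web"),
    "10.0.1.11": Asset("web-02", "storefront", "web"),
    "10.0.2.20": Asset("db-01", "storefront", "db", critical=True),
    "10.0.9.5": Asset("jump-01", "admin", "jump"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed flow records in "src,dst,dport,proto" form.
SAMPLE_FLOWS = """\
10.0.1.10,10.0.2.20,5432,tcp
10.0.1.10,10.0.2.20,445,tcp
10.0.9.5,10.0.2.20,3389,tcp
10.0.1.11,10.0.1.10,3389,tcp
10.0.2.20,203.0.113.77,443,tcp
10.0.1.10,198.51.100.10,443,tcp
"""


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def label(ip: str) -> str:
    """app:role label for a known asset, or the raw IP for unknown hosts."""
    a = ASSETS.get(ip)
    return f"{a.app}:{a.role}" if a else ip


def dependency_map(flows):
    """Capability 1: which application tiers talk to which, on which ports."""
    deps = defaultdict(set)
    for f in flows:
        deps[(label(f.src), label(f.dst))].add(f"{f.proto}/{f.dport}")
    return dict(deps)


def high_risk_pathways(flows):
    """Capability 2a: RDP/SMB-style flows not originating from the admin jump tier."""
    return [f for f in flows
            if f.dport in HIGH_RISK_PORTS and label(f.src) != "admin:jump"]


def unknown_outbound(flows):
    """Capability 2b: internal hosts reaching external destinations not on the known list."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst) and f.dst not in KNOWN_EXTERNAL]


def build_policy(flows, asset_ip):
    """Capability 3: default-deny ring fence for one critical asset, derived from
    observed traffic minus the pathways flagged above. Rules are ordered; the
    trailing deny rules catch everything not explicitly allowed."""
    bad = set(high_risk_pathways(flows)) | set(unknown_outbound(flows))
    rules = []
    for f in flows:
        if f in bad:
            continue
        if f.dst == asset_ip:
            rules.append(("allow", "inbound", f"{f.proto}/{f.dport}", "from", label(f.src)))
        elif f.src == asset_ip:
            rules.append(("allow", "outbound", f"{f.proto}/{f.dport}", "to", label(f.dst)))
    rules.append(("deny", "inbound", "any", "from", "any"))
    rules.append(("deny", "outbound", "any", "to", "any"))
    return rules


if __name__ == "__main__":
    fl = parse_flows(SAMPLE_FLOWS)
    for (src, dst), ports in dependency_map(fl).items():
        print(f"{src} -> {dst}: {sorted(ports)}")
    print("high-risk:", [(f.src, f.dst, HIGH_RISK_PORTS[f.dport]) for f in high_risk_pathways(fl)])
    print("unknown outbound:", [(f.src, f.dst) for f in unknown_outbound(fl)])
    for rule in build_policy(fl, "10.0.2.20"):
        print(" ".join(rule))
```

Run against the constructed flows, the script reports the web-to-database SMB flow and the web-to-web RDP flow as high-risk pathways, the database's connection to 203.0.113.77 as unknown outbound, and produces a policy for db-01 that allows only PostgreSQL from the web tier and RDP from the jump host, denying everything else in both directions. The point of deriving the allowlist from observed flows, with the flagged pathways removed, is that the policy reflects what the application actually needs rather than what the network happens to permit.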
If you develop these fundamental cyber defense capabilities, you will rapidly improve your cybersecurity against the attack patterns you’ll most likely face over the course of the Ukraine-Russia conflict.
While these capabilities might sound complex and challenging to develop, your ability to rapidly spin them up in your environment depends primarily on which security and network tools you decide to use. Though most legacy tools can’t build these capabilities fast enough to respond to the Russia-Ukraine conflict, modern technology like Illumio can give organizations these capabilities in minutes, hours and days.
How Illumio stops cyberattacks from the Ukraine-Russia conflict
Illumio is a platform that provides visibility and Zero Trust Segmentation controls (including micro-segmentation) to give you new layers of cyber resilience against ransomware and other modern digital threats. Illumio takes a new approach to segment global networks at both broad and granular levels.
With Illumio, you can rapidly build cybersecurity measures for multiple scenarios related to the Ukraine-Russia conflict. If you have assets and networks in high-risk countries like Ukraine, Russia and Belarus, Illumio can help in several ways:
Illumio can give you rich, risk-based visibility and application dependency mapping. It can give you a clear picture of how your assets in Ukraine, Russia and Belarus interact with the rest of your organization, highlight any dangerous connections, and help you decide where you may want to block traffic.
In minutes, Illumio can block traffic to and from IP addresses located in Ukraine, Russia and Belarus. You can also write exceptions to maintain forensic access to these systems using Illumio's Enforcement Boundaries capability, which can create a perimeter around these IP addresses in minutes. Keep in mind that country-level IP blocking is a coarse control: geolocation data is imperfect and attackers routinely route through infrastructure elsewhere, so it complements segmentation rather than replacing it.
If you have Illumio deployed across all of your assets, including your assets based in Ukraine, Russia and Belarus, you can use labels to achieve this same blocking capability by writing a policy that says, “If assets are located in these countries, then block that traffic.” With Illumio, you can do this in just a few minutes.
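The two forms of region blocking just described, expressed as an added example in generic Python (not Illumio's code and not its policy language): a deny-by-label rule for managed assets that carry a location label, a deny-by-prefix fallback for addresses without an agent, and a narrow exception that preserves forensic access from an incident-response jump host. The location labels, hosts and the forensic host and ports are assumptions; the prefixes are RFC 5737 documentation ranges standing in for a geo-IP feed, not real country allocations.

```python
"""Added example: region-based blocking by label or prefix with a forensic
exception. Not vendor code; all labels, hosts and prefixes are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BLOCKED_LOCATIONS = {"UA", "RU", "BY"}
# Stand-in for prefixes imported from a geo-IP feed (constructed RFC 5737 ranges).
BLOCKED_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Forensic exception (assumed): the IR team's jump host may reach in-region
# assets on SSH and WinRM-over-HTTPS only. Return traffic relies on stateful
# enforcement; the in-region asset gets no right to initiate connections.
FORENSIC_SOURCES = {"10.0.9.50"}
FORENSIC_PORTS = {22, 5986}


@dataclass(frozen=True)
class Labeled:
    ip: str
    loc: str   # location label, e.g. ISO country code
    app: str


# Constructed inventory of managed (agent-bearing) assets.
ASSETS = {
    "10.0.1.10": Labeled("10.0.1.10", "US", "storefront"),
    "10.20.1.5": Labeled("10.20.1.5", "UA", "storefront"),
    "10.0.9.50": Labeled("10.0.9.50", "US", "ir-jump"),
}


def in_blocked_region(ip: str) -> bool:
    """Label lookup for managed assets; prefix lookup for everything else."""
    a = ASSETS.get(ip)
    if a is not None:
        return a.loc in BLOCKED_LOCATIONS
    addr = ip_address(ip)
    return any(addr in p for p in BLOCKED_PREFIXES)


def is_forensic_exception(src: str, dst: str, dport: int) -> bool:
    return src in FORENSIC_SOURCES and in_blocked_region(dst) and dport in FORENSIC_PORTS


def decide(src: str, dst: str, dport: int):
    """Return (verdict, reason). 'pass' means no region rule matched and the
    rest of the policy decides; reasons are kept so decisions can be audited."""
    if is_forensic_exception(src, dst, dport):
        return "allow", "forensic-exception"
    if in_blocked_region(src):
        return "deny", "source in blocked region"
    if in_blocked_region(dst):
        return "deny", "destination in blocked region"
    return "pass", "no region rule matched"


def evaluate(flows):
    """Apply decide() to (src, dst, dport) tuples and tally verdicts for monitoring
    how often the exception fires; a spike there is itself worth investigating."""
    summary = {"allow": 0, "deny": 0, "pass": 0}
    decisions = []
    for src, dst, dport in flows:
        verdict, reason = decide(src, dst, dport)
        summary[verdict] += 1
        decisions.append((src, dst, dport, verdict, reason))
    return decisions, summary


if __name__ == "__main__":
    # Constructed flows to exercise each branch.
    sample = [
        ("10.0.1.10", "10.20.1.5", 443),     # HQ web -> Ukrainian asset: deny by label
        ("10.20.1.5", "10.0.1.10", 443),     # Ukrainian asset -> HQ: deny by label
        ("10.0.9.50", "10.20.1.5", 22),      # IR jump -> Ukrainian asset, SSH: allowed
        ("10.0.9.50", "10.20.1.5", 3389),    # IR jump, but RDP: not in the exception
        ("10.0.1.10", "192.0.2.9", 443),     # unmanaged address in feed prefix: deny
        ("10.0.1.10", "203.0.113.5", 443),   # neither labeled nor listed: pass through
    ]
    decisions, summary = evaluate(sample)
    for d in decisions:
        print(d)
    print(summary)
```

Evaluating the exception before the deny rules is deliberate: the forensic allow must win over the region deny, but it is scoped to one source and two ports, so a compromised in-region host still cannot initiate anything, and an IR operator cannot accidentally open RDP. Because it is scoped by destination region and port rather than by an unconstrained allow, the exception can be monitored as its own line item.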
Illumio makes it fast, simple and easy to take these actions and improve your cybersecurity against direct attacks related to the Ukraine-Russia conflict and indirect attacks that might come your way.
Learn more about how to better protect against ransomware. Download Illumio’s guide “How to Stop Ransomware Attacks.”