In Light of Ukraine: How to Brace Yourself Against Cyberwar

Russia has invaded Ukraine and the war is on. Here, in the West, we may think it’s distant. It’s not. As my friend and technology journalist colleague Mike Elgan describes it, this is the first TikTok war. We’ll be seeing it in real-time on our social networks. Our technology, business, and lives are also going to be collateral or direct damage in the ongoing cyberwar.
Under Putin, Russia has been launching cyberattacks for years. Long before the tanks started rolling into Ukraine, Russia had injected malware into and DDoSed Ukrainian websites. Years before that, Russia cut the power supply of Ukraine’s capital, Kyiv, and attacked other former Soviet countries such as Estonia and Georgia. Finally, lest we forget, Russia has been attacking the United States over the internet and may have been the power behind the SolarWinds attack.
What You Can Do
Next up? Our websites, our cloud services, and our software. So what can you do about it?
Insight Partners, an American venture capital and private equity firm and owner of The New Stack, warns cyberattacks were already increasing in volume and level of sophistication before the war began. In addition, The Cybersecurity & Infrastructure Security Agency (CISA) states in its latest bulletin, Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology, that they expect attacks to increase.
So do I.
What can you do about it? Insight Partners’ general advice is to “be on the alert and ensure that you’re securing your most critical assets.” Specifically, the company notes you should protect your:
- Email security
- Multifactor authentication
- Resilient systems (data backup)
- Endpoint protection
- Ransomware protection
- Routine security assessments (penetration testing)
- Security monitoring
- Network security
- Vulnerability management and patching program
- Have a plan (incident response plan)
Stick to the Basics
Notice something? There’s nothing fancy here. It’s the basics. But they are quite right. It’s the fundamentals you need to protect. Now is not the time to worry about fancy attacks. It’s time to circle the wagons around what you need for your day-to-day business.
Security expert Mick Douglas agrees. In his Twitter feed, Douglas lays out some basic rules on how to protect your systems these days. One I would like to underline in specific is “Start treating the entire internet as hostile… because it is.” Yes. Underline this. It’s never been that safe, but now it’s more dangerous than ever.
First, he suggests keeping a close eye on your firewall. You should also recall that “Firewalls work both ways.” You must monitor your DMZ servers initiating outbound traffic. Do you want your machines to be “phoning home” for C2 instructions on whom they should be launching a Distributed Denial of Service (DDoS) attack against? I don’t think so!
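One way to watch the “other direction” of the firewall, as an added example that is not from the original article or from Douglas: log new outbound connections from the DMZ and flag anything that falls outside a short egress allowlist. The log lines, the DMZ addresses and the allowlist are all constructed for the example; the line shape follows the style of iptables/nftables LOG output.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of iptables/nftables LOG output for a
# rule that logs NEW outbound connections from the DMZ (log prefix "DMZ-OUT:").
SAMPLE_LOG = """\
Feb 25 10:01:02 dmz-web kernel: DMZ-OUT: IN= OUT=eth0 SRC=10.20.0.5 DST=10.0.0.53 PROTO=UDP SPT=40111 DPT=53
Feb 25 10:01:03 dmz-web kernel: DMZ-OUT: IN= OUT=eth0 SRC=10.20.0.5 DST=10.0.0.80 PROTO=TCP SPT=51234 DPT=443
Feb 25 10:01:09 dmz-web kernel: DMZ-OUT: IN= OUT=eth0 SRC=10.20.0.5 DST=203.0.113.7 PROTO=TCP SPT=51240 DPT=8443
Feb 25 10:01:10 dmz-web kernel: DMZ-OUT: IN= OUT=eth0 SRC=10.20.0.6 DST=203.0.113.7 PROTO=TCP SPT=49001 DPT=8443
Feb 25 10:01:11 dmz-web kernel: DMZ-OUT: IN= OUT=eth0 SRC=10.20.0.6 DST=198.51.100.9 PROTO=TCP SPT=49002 DPT=6667
"""

# Egress policy (an assumption for this example): a DMZ host may only talk to
# the internal resolver and the internal update proxy. Anything else is an
# outbound connection nobody asked for and deserves a look.
EGRESS_ALLOW = {
    ("10.0.0.53", "UDP", 53),   # internal DNS resolver
    ("10.0.0.80", "TCP", 443),  # internal update/package proxy
}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)

def parse_egress(log_text):
    """Yield (src, dst, proto, dport) for every DMZ-OUT line."""
    for line in log_text.splitlines():
        if "DMZ-OUT:" not in line:
            continue
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])

def unexpected_egress(log_text, allow=EGRESS_ALLOW):
    """Return outbound connections that fall outside the egress allowlist."""
    return [
        (src, dst, proto, dport)
        for src, dst, proto, dport in parse_egress(log_text)
        if (dst, proto, dport) not in allow
    ]

def top_destinations(events):
    """Count flagged (dst, dport) pairs; several hosts all reaching one unknown
    destination is the 'phoning home' pattern to escalate first."""
    return Counter((dst, dport) for _, dst, _, dport in events).most_common()

if __name__ == "__main__":
    flagged = unexpected_egress(SAMPLE_LOG)
    for ev in flagged:
        print("unexpected egress: %s -> %s/%s:%d" % ev)
    print(top_destinations(flagged))
```

On the sample data, two DMZ hosts both reach the same outside address on the same port, which is exactly the kind of coordinated outbound pattern the text warns about.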
You can also forget about geoblocking Russian IP addresses as a way of protecting yourself or somehow getting back at them. As Douglas notes, “the only time Russian groups come from Russian IP space is when they want to rub it in.” All the real action will be coming from compromised hardware scattered around the world.
You’ll also need to know what the “normal” executables are on your systems. App control, aka whitelisting, is, Douglas states, “no longer a ‘nice to have,’ it’s IMO table stakes. Anyone who claims otherwise is giving dated & dangerous advice.”
Not sure what executables you have on your system? Sigh. OK, I won’t scold you. Mark Baggett‘s srum-dump, which converts the Windows System Resource Usage Monitor (SRUM) data into an xlsx spreadsheet, is a big help in finding out what’s running on your systems.
If you’re using Linux — and you should — basic tools such as auditd or Sysmon are your friends. Not sure how to get the most from these? Check out this auditd or Sysmon documentation.
Living off the Land and More
You should also be aware of Living off the Land (LoL) attacks. These are attacks that use your existing legitimate tools to launch attacks. Typically, this is done with command-line tools such as PowerShell and PsExec on Windows or Bash on Linux. Of course, for these to work your system must have already been penetrated at a high level. Has it been? Are you sure?
It doesn’t have to be as obvious as an unknown user logging in from some remote IP address. Malware such as Astaroth uses LoL techniques, hides in plain sight, and is as nasty as nasty can be.
You also, Douglas warns, can’t rely on security information and event management (SIEM) or endpoint detection and response (EDR) programs to save your bacon. It’s all too easy for savvy hackers, like say those employed by the Russian Foreign Intelligence Service (SVR), to run a LoL attack right under your nose.
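Both of Douglas’s points above, knowing your “normal” executables and spotting living-off-the-land use of the tools you already have, can be checked from the same auditd data. The following is an added example, not from the article or from any of the people it quotes: it reads execve records of the kind an auditd rule such as `-a always,exit -F arch=b64 -S execve -k exec` produces, flags executables outside a baseline, and flags service accounts running shell or download tools that are legitimate for humans but have no business under a web server’s uid. The audit records, the baseline, the tool list and the service uid are all constructed assumptions.

```python
import re

# Constructed auditd SYSCALL records for execve (syscall 59 on x86_64), with
# fields trimmed for space. A real record carries more fields in the same form.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1645783262.101:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=2201 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="exec"
type=SYSCALL msg=audit(1645783262.205:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=2202 auid=4294967295 uid=33 comm="php-fpm" exe="/usr/sbin/php-fpm8.1" key="exec"
type=SYSCALL msg=audit(1645783263.010:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=2202 pid=2203 auid=4294967295 uid=33 comm="sh" exe="/usr/bin/dash" key="exec"
type=SYSCALL msg=audit(1645783263.020:4504): arch=c000003e syscall=59 success=yes exit=0 ppid=2203 pid=2204 auid=4294967295 uid=33 comm="curl" exe="/usr/bin/curl" key="exec"
type=SYSCALL msg=audit(1645783264.300:4505): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2205 auid=4294967295 uid=0 comm="kworker" exe="/tmp/.x/kworker" key="exec"
"""

# Baseline of executables this host is expected to run (an assumption for the
# example; build the real one from a quiet period of your own audit data).
BASELINE = {"/usr/bin/vim", "/usr/sbin/php-fpm8.1", "/usr/bin/dash", "/usr/bin/curl"}

# Legitimate tools that also make up the usual living-off-the-land toolkit on
# Linux: fine in the baseline, suspicious when a service account runs them.
LOL_TOOLS = {"/usr/bin/dash", "/usr/bin/bash", "/usr/bin/curl", "/usr/bin/wget",
             "/usr/bin/python3", "/usr/bin/base64"}
SERVICE_UIDS = {33}  # www-data on Debian-style systems (assumption)

REC_RE = re.compile(r'uid=(?P<uid>\d+) comm="(?P<comm>[^"]*)" exe="(?P<exe>[^"]*)"')

def parse_execs(audit_text):
    """Yield (uid, comm, exe) for each execve SYSCALL record."""
    for line in audit_text.splitlines():
        if "syscall=59" not in line:
            continue
        m = REC_RE.search(line)
        if m:
            yield int(m["uid"]), m["comm"], m["exe"]

def review_execs(audit_text, baseline=BASELINE):
    """Return ('unknown', uid, exe) for executables outside the baseline and
    ('lol', uid, exe) for service accounts running LoL tools, in log order."""
    findings = []
    for uid, _, exe in parse_execs(audit_text):
        if exe not in baseline:
            findings.append(("unknown", uid, exe))
        elif exe in LOL_TOOLS and uid in SERVICE_UIDS:
            findings.append(("lol", uid, exe))
    return findings

if __name__ == "__main__":
    for kind, uid, exe in review_execs(SAMPLE_AUDIT):
        print(f"{kind:8s} uid={uid} exe={exe}")
```

Note that the two “lol” findings involve nothing but baseline executables; only the combination of who ran them makes them stand out, which is why an allowlist alone does not catch this class of activity.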
Douglas also recommends that you increase your logging, while both filtering out the junk you don’t care about and “SHORTENING the retention length for the data you don’t need long term.” Why shorten? Because the attacks are going to be coming fast and furiously at you. You don’t care about what happened a month ago, you care about what is hitting you right now.
Dealing with all this won’t be easy. But Douglas believes that if you adopt a detect and respond model to the flood of trouble coming our way, we can still beat this.
We’d better. It’s not like we have any choice in this but to rise to the occasion. It’s either that or kiss our businesses goodbye.