Responding to Crisis: Protecting Your Business From Cyberwarfare
By Josh More, Chief Information Security Officer, CDI
CDI’s Tips for Responding to the Evolving Events in Eastern Europe
How to Respond Week 1, Month 1, and Beyond
This article lists a tiered approach for actions to take following a global political crisis outside of your local region, like the one unfolding in Ukraine and involving an adversary like Russia. Priority is given to actions that either (1) lay the groundwork for future action or (2) can be implemented quickly within the time range of each tier.
NOTE: Due to the nature of global political crises, it is not possible to provide a comprehensive list of actions to take, nor is it possible to give generalized advice should you be located within a region in crisis, as the specifics will vary drastically at the local level.
While it is best to have performed most of these tasks prior to the crisis, it may not always be possible to do so. The goal of the first day is to get the lay of the land and understand the general risk you face. Tasks include:
Identify Geographic Risk – Employees
You may have employees within the region of concern. In the case of one country invading another, remember that the geographic region of concern would involve these two countries, as well as all countries bordering the country being invaded, as those are the areas most likely to absorb any refugees. Identify all employees in the risk zone and work toward evacuating them to a safer location. Companies that can help with this process are: Global Rescue, Seven Corners, and International SOS.
Identify Geographic Risk – Third Parties
Once the zone of risk is known, it is important to identify any third parties, such as contractors or any vendors with headquarters or major offices in the zone. Once identified, a rapid analysis should be conducted to identify the risk you face should those resources suddenly become unavailable, or should their information (data, source code, configuration, plans, etc.) be accessed by a hostile invading force.
Where possible, these resources should be evacuated, augmented, or otherwise secured. Companies that can help with evacuations are listed above. Vendors that can help secure a site will vary by location and will include document destruction firms such as Shred-IT and Iron Mountain.
Identify Communications Risk
It is increasingly common for denial-of-service attacks to be used as part of modern warfare. These attacks tend to take two forms.
The direct form of attack targets the infrastructure of the region being invaded, to disrupt their communications, and hamper their ability to mount a strong defense. Accordingly, you should identify if you have any assets in the region that would be impacted by loss of communications availability.
The indirect form of attack focuses on specific industries to disrupt the ability of third-party countries to provide aid and/or weaken their ability to internally communicate and coordinate. In some instances, cyber-attacks on critical infrastructure – such as the energy and financial sectors – are also undertaken to raise the level of fear and weaken the political will of a population to respond.
The best vendors to work with on this issue would be the local internet service providers as well as satellite providers such as the Iridium network, Comtech Telecommunications, Loral Space & Communications, Globalstar, Inmarsat, ORBCOMM and Telesat.
In the first week of crisis, it is important to quickly assess the information security basics to ensure that you are not on the short list of entities targeted by the aggressors and related allies. There will not be time to conduct a comprehensive overview, so instead, effort should be placed on a handful of most-likely attack points.
Understand Your Position in the Supply Chain
Different aggressors tend to target different industries and organizational profiles. For the most part, these attacks are technological in nature and do not directly target people or property, but there is no guarantee that will be the case. To assess realistic likelihood of attack impact, start by viewing your vendors and customers and identify how specific actions taken against you or your vendors could flow down and disrupt your customers, customers’ customers, etc. If the impact of such actions could serve the aggressors, identify how such actions could be blocked, detected, or mitigated and begin identifying the most likely attack types and lowest effort actions you could take to address such attacks.
This process may require coordination throughout your sector, so be sure to leverage any industry groups, user groups, and other connections that could serve to simplify or amplify your actions.
Understand Your Perimeter
While we all recognize now that most attacks bypass traditional perimeter technology, like firewalls, by targeting individuals directly, attackers can still get quick wins against certain types of perimeters. While most companies are doing regular external scans, this is the time to check that these scans cover the entirety of the perimeter. Check all internet connections at all locations and make sure you are scanning by allocated CIDR range and not just the single IPs that you were using at one time. Check all cloud environments and make sure that all of the externally-exposed assets are covered in your scan. Also check any cloud-based security defenses, such as Web Application Firewalls (WAFs), and ensure that the assets are configured to only allow inbound traffic through the cloud-based defense and that trivial bypasses aren’t possible.
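The CIDR coverage check described above, as an added example that is not part of the original article: given the address blocks you are actually allocated and the targets currently fed to your external scanner, it reports the allocated space nothing scans and the stale targets that fall outside every allocation. All addresses are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the article): the CIDR blocks the
# organisation is actually allocated, and the targets currently fed to the
# external scanner, which still reflect single IPs from an earlier setup.
ALLOCATED = ["203.0.113.0/26", "198.51.100.128/25", "2001:db8:10::/48"]
SCAN_SCOPE = ["203.0.113.5", "203.0.113.6", "203.0.113.0/28",
              "198.51.100.130", "192.0.2.44"]


def _nets(values):
    return [ipaddress.ip_network(v, strict=False) for v in values]


def uncovered_ranges(allocated, scan_scope):
    """Allocated address space that no scan target covers, as the smallest
    set of CIDR blocks (collapsed per allocation, so IPv4 and IPv6 never mix)."""
    scanned = _nets(scan_scope)
    gaps = []
    for block in _nets(allocated):
        remaining = [block]  # start with the whole allocation, carve out scans
        for s in (n for n in scanned if n.version == block.version):
            carved = []
            for r in remaining:
                if r.subnet_of(s):
                    continue  # r lies entirely inside a scanned range: covered
                if s.subnet_of(r):
                    carved.extend(r.address_exclude(s))  # split r around s
                else:
                    carved.append(r)
            remaining = carved
        gaps.extend(ipaddress.collapse_addresses(remaining))
    return gaps


def stale_targets(allocated, scan_scope):
    """Scan targets outside every allocation: addresses you may no longer own,
    so the scan is spending effort on someone else's perimeter."""
    blocks = _nets(allocated)
    return [str(s) for s in _nets(scan_scope)
            if not any(s.subnet_of(b) for b in blocks if b.version == s.version)]


if __name__ == "__main__":
    for gap in uncovered_ranges(ALLOCATED, SCAN_SCOPE):
        print(f"not scanned: {gap} ({gap.num_addresses} addresses)")
    for target in stale_targets(ALLOCATED, SCAN_SCOPE):
        print(f"stale target: {target}")
```

Feed it the allocation list from your providers and the target list exported from the scanner; every line of output is either a range to add to scope or a target to retire.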
While a full understanding of your perimeter may take more than a week, getting as far as you can in the first month is important. Vendors that can assist with this effort – though in an incomplete manner – include Bitsight and Security Scorecard.
Understand Your Internal Exposures
While understanding your perimeter is important, exposure of internal assets is a newer risk that is harder to manage. Whether it is employees using technologies like Dropbox and other consumer-grade services, communication methods like Twitter and Facebook, or the old-school risk of just installing unapproved software, internal people and systems can be exposed in ways that attackers can take advantage of.
It is not possible to gain anywhere near a full understanding of this issue in a week, but the issues you find in this first week are likely to be the first elements that an attacker would find, as well. Vendors that can help include ZeroFox and Digital Shadows.
Understand Your Internal Failures
When a nation-state level aggressor finally makes a move, they will have planned the effort for a long time. This means that they have already profiled and likely compromised their top targets. While it is impractical to engage in active threat hunting in the first week, this is a good time to compare asset lists to identify – for example – systems that respond on the network but have vanished from anti-malware and patch management systems. If there have been oddities with any information security controls that people haven’t had a chance to investigate, this is the time to change that. Clear your investigation backlog as quickly and thoroughly as you can, then make sure that every system that should be covered by the controls is, in fact, covered.
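The asset-list comparison described above, as an added example that is not part of the original article: it reconciles a network discovery export against the anti-malware and patch management inventories, normalising the inconsistent hostnames such exports usually contain, and reports both systems that are live but unknown to a control and systems a control knows that no longer answer. The hostnames and the exemption list are constructed sample values.

```python
import re

# Constructed sample inventories (not from the article). In practice these are
# exports from your network discovery scan, anti-malware console and patch
# management system; the naming is deliberately inconsistent across sources.
NETWORK_DISCOVERY = ["WEB01.corp.example", "db02.corp.example", "fs03",
                     "hr-laptop-17.corp.example", "printer-4f"]
ANTI_MALWARE = ["web01", "DB02", "hr-laptop-17"]
PATCH_MANAGEMENT = ["web01.corp.example", "fs03.corp.example", "old-web00"]
NO_AGENT_EXPECTED = {"printer-4f"}  # appliances that legitimately run no agent


def normalise(name):
    """Reduce a hostname to a lower-case short name so the sources compare:
    'WEB01.corp.example' and 'web01' must be the same asset."""
    return re.sub(r"\..*$", "", name.strip().lower())


def reconcile(network, antimalware, patching, exempt=frozenset()):
    """Compare what answers on the network against what the controls know.
    Returns the findings grouped by category, each sorted for stable output."""
    seen = {normalise(n) for n in network} - {normalise(e) for e in exempt}
    av = {normalise(n) for n in antimalware}
    pm = {normalise(n) for n in patching}
    return {
        # live on the network but invisible to a control: the case the
        # article describes, and the first thing to investigate
        "missing_antimalware": sorted(seen - av),
        "missing_patching": sorted(seen - pm),
        # known to a control but not answering: retired, offline, or a gap in
        # the discovery scan itself; each needs a reason before it is closed
        "ghost_antimalware": sorted(av - seen),
        "ghost_patching": sorted(pm - seen),
    }


if __name__ == "__main__":
    findings = reconcile(NETWORK_DISCOVERY, ANTI_MALWARE,
                         PATCH_MANAGEMENT, NO_AGENT_EXPECTED)
    for category, hosts in findings.items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```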
Vendors to assist with this include any IT firm local to your region that can provide resources to quickly scan systems and then compare data to other systems. In the event of approaching aggressors, it may be better to gain such assistance remotely, with a plan to engage in discovery and, if needed, trigger remote data wipe actions should they become necessary.
Consider Impact of Sanctions
It is likely that economic sanctions against the aggressor will begin to be implemented in the following weeks. You will need to plan for this and identify what, if any, processes will be disrupted by sanctions. Plans need to be put in place for replacement processes, even if it means severing business relationships. Unfortunately, doing this may raise the risk to individuals and companies that are already at extreme risk due to the conflict. As above, where possible, evacuating those you can and setting up similar processes in areas outside of the sanction zones can go a long way toward maintaining business continuity.
Understand Internet Routing
Any modern crisis will involve disruption of critical infrastructure in a zone of conflict. While the internet is designed to be “self-healing”, this design is limited to accidental disruption. Intentional damage – be it physical destruction of a communication hub or targeted cyberattacks against core routers, DNS servers, registrars, and other critical internet infrastructure – will result in outages. Moreover, if the conflict involves “cyber weapons” against the aggressor, retaliation against any and all regions participating in such action should be expected, and local disruption should also be anticipated.
Understanding how your business will operate in a fragmented internet landscape, and ensuring that you have the ability to cleanly fail products and services in the face of disruption, is essential to minimizing losses.
Plan for a Month of Zero Days
Depending on the technical capabilities of the aggressor, it is reasonable to expect them to have a number of exploits saved up to be used in the early days of a crisis. As these zero-day attacks are used, in conjunction with internet disruption, expect it to be harder to identify what is going on and to respond in as timely a fashion as you may be used to.
Be ready to identify the patterns in unusual activities to identify technical commonalities and to shut off systems to prevent compromised systems from becoming vectors for additional attacks. While most organizations have incident response practices in place, most are not used to operating in a true 24/7 cadence that lasts for weeks in a row. Be sure that your people are prepared for the eventuality and that plans are in place for working faster and for longer hours than some may be used to.
In the first month, the focus should be on closing any gaps resulting from shortcuts made in the first week. This is where rapid assessment methodologies should be used to identify areas of concern more methodically.
NOTE: The following sections are potential approaches that are not intended to all be used in the first month. It is best to identify the approach based on resource availability. Resources can often be augmented with consulting and contracting firms.
CIS Control Review – Targeted Coverage of Controls – Low Resources
The CIS control review process first identifies all controls in use against the CIS v8 framework and then proceeds to assess each control’s effectiveness. The goal of this review is to test each control and verify that it is both properly configured and functional. The CIS framework will cover the most critical controls in most environments but will not be a complete review. However, for the first month, this may be sufficient.
NIST CSF Review – Generalized Coverage of Business Practices – Moderate Resources
A business practice review against the NIST CSF (https://www.nist.gov/cyberframework) can help to find gaps in practice that could be exploited by attackers and implement short-term detective controls for those exploits. NIST CSF is intended for critical infrastructure but can be adapted for more general commercial services. However, if using this approach, it is important to identify whether to execute the review enterprise-wide or to conduct it against individual business units. The former is faster, but if doing so would result in missing nuance around exploitable issues, the deeper, slower, approach may be warranted.
Comprehensive Vulnerability Review – Asset-based – Moderate-to-High Resources
A comprehensive vulnerability review extends the Week 1 concept of internal failures to the entire enterprise and focuses on understanding weaknesses anywhere they may exist in your environment. While it is likely that vulnerability scanning already exists, it is common for vulnerability scanning systems to get ignored in favor of more interesting work. This approach is where a comprehensive review of the vulnerability management practice is used to identify long-running issues that could be exploited to the advantage of an aggressor and how doing so could impact the larger scope of your business and customers.
It is critical to recognize that this type of vulnerability review is not the industry-standard “patch review”, but a security-focused review of failures of your existing patch review process to gain understanding of what business risks those failures may present.
Vendors that can assist with this process include Tenable, Qualys, and Rapid7, as well as security consulting firms that can help you to understand the risk impact of unmanaged vulnerabilities.
Application-Focused Review / OWASP Top Ten – Application Review – Low Resources
The OWASP Top Ten is a limited view of specific vulnerabilities that are common to many applications. This review trades coverage for speed and, while it will not prevent a dedicated adversary from finding other application flaws to exploit, the process of looking at each critical application through this lens can determine many of the issues that an adversary would find during the early days of their exploration. If you need to review a large number of applications in a short period of time, this approach is one of the fastest ways to do so.
Application-Focused Review / OWASP ASVS – Application Review – High Resources
The OWASP ASVS is the counterpoint to the Top Ten, and is well suited to a deep review of a single application. Though it takes significant effort, when executed properly, an ASVS review can result in high confidence around application security and, when paired with appropriate controls, can serve as the base of an expanding zone of trust.
Red Teaming – Targeted Control and Response Testing – Moderate but Rare Resources
If you are fortunate enough to have a functional and trained red team, it can be helpful to assign them to specifically target security controls to verify that all alerting is functional and that controls are effective in preventing malicious action. It is important to pair their actions with your monitoring; otherwise, they will serve only as a form of vulnerability detection. Proper red team testing should test the functionality of the technology, the controls around the technology, and the internal practices around how the technology and controls work together.
In the second month, the rapidly changing situation will in most cases have begun to stabilize. This is a time to reassess the overall situation and complete any efforts from Month 1 that have run over. At this point, it is wise to review the aggressor’s observed patterns and ensure that you have protection in place against the most common or highest risk patterns.
Taking time to review any reports from the first month and matching them against observed techniques in the MITRE ATT&CK framework can be helpful in identifying gaps in the corresponding Mitigations and Detections. These gaps should be closed to minimize the actions that the aggressor could take against your systems.
This is also the time when you review the decisions made during Month 1 and identify whether any additional assessments will be needed to identify resulting gaps. For example, if Month 1 involved some targeted OWASP Top Ten assessments, this may be the time to engage in a more formal OWASP ASVS assessment on the highest value applications. Similarly, if the NIST CSF approach was used in Month 1, this month may be a good time to extend that analysis to planning full generation or testing of NIST-aligned System Security Plans (SSPs).
The third month is when the new way of working begins to become business as usual. Efforts in this month should be focused on identifying whether the scope of the initial action is likely to grow and how this will change your risk profile. If the zone of concern is expected to grow, you will need to identify new likely-targeted areas and how such targeting will likely push refugees, impact communications, and affect your own resource availability.
This is also the time when you review the last two months of resourcing and identify whether any long-term resource requirements have changed, and whether any of the short-term augmentation – be it at the worker level or through vendor partnership – will need to become permanent. If so, relationships will need to be formalized. It is likely that high signing bonuses, evacuation promises, and similar retention techniques will need to be explored and implemented in this stage.
CDI offers various products and services which can help enterprises address or mitigate many of the adverse effects associated with this type of event.
Please contact your account team for further information.