With Russian military operations currently underway in Ukraine, the question of whether cyber warfare will also be employed remains unanswered. While we have seen cases of destructive cyber actions focused on Ukraine, at this point attribution is not possible.
As a result of these actions, there is a heightened sense of concern being felt by many organizations. Our focus here is to protect organizations by helping them prepare for potential cyberattacks. For that, we have put together this cyber readiness checklist. While many of these suggestions are standard cyber hygiene protocols and best practices, being reminded of doing the basics never hurts, especially when there are so many other concerns. In the same way that hand washing helps in our fight against COVID-19, simple actions can also go a long way towards fighting against cyberthreats.
Patching: Ensure that all systems are fully patched and updated
Protection Databases: Make sure your security tools have the latest databases
Backup: Create or update offline backups for all critical systems
Phishing: Conduct phishing awareness training and drills
Hunt: Proactively hunt for attackers in your network using the known TTPs of Russian threat actors
Emulate: Test your defenses to ensure they can detect the known TTPs of Russian threat actors
Response: Test your incident response against fictitious, real-world scenarios
Stay up to Date: Subscribe to threat intelligence feeds like Fortinet Threat Signals
Patching: Threat actors often target unpatched vulnerabilities in a victim’s network. As a result, the first line of defense should always be patch management and running fully patched systems. For organizations interested in focusing on specific vulnerabilities, CISA maintains a list of specific CVEs used in the past by Russian threat actors. But the better approach is to simply focus on being up to date all the time. This is also true for air-gapped environments, and now is a good time to ensure that these systems have been patched as well. And remember, patching is important not only for workstations and servers but also for security and networking products.
Leverage Protection Databases: FortiGuard Labs continuously creates new detection rules, signatures, and behavioral models for threats that are discovered in our extensive threat intelligence framework. These are quickly propagated to all Fortinet products. Make sure that all protection databases are updated regularly.
Backup Critical Systems: Many attacks come in the form of ransomware or wiper malware. The best defense against the destruction of data by such malware is to keep up-to-date backups. It is equally important that these backups are kept offline since malware often tries to find backup servers to destroy backups as well. The current crisis is a good opportunity to check whether backups really exist (not just on paper) and run recovery exercises with the IT team.
Phishing: Phishing attacks are still the most common entry points for attackers. Now is a good time to run a phishing awareness campaign to heighten the awareness of everybody at your organization and to ensure they know how to recognize and report malicious emails.
Hunt: The sad truth is that if your organization plays any sort of role in this conflict, then adversaries may already be in your network. Running threat hunting engagements can be vital in detecting adversaries before they install spyware or cause serious destruction. For threat hunting, you can use the known Tactics, Techniques, and Procedures (TTPs) below.
Emulate: The TTPs listed below can be also used to evaluate whether your security infrastructure is able to detect them. Running emulation exercises can uncover configuration problems and blind spots that attackers might leverage to move around in your network undetected.
Response: A quick and organized incident response will be crucial when a compromise is discovered. Now is a good opportunity to review procedures for responding to an incident, including disaster recovery and business continuity strategies. If you have your own incident response team, you can run tabletop exercises or fictitious scenarios to ensure everything will run smoothly should a compromise occur.
Stay up to Date: it is crucial that the actions listed here are not performed just once. Staying up to date and patched, monitoring vulnerabilities, and maintaining threat awareness are actions that must be performed continuously. One way to learn about the newest threats as they are discovered is to follow the FortiGuard Threat Signals.