Russian Cyberwar Attacks Against U.S. Put Added Pressure on SOC Teams

The Russian cyberattacks against the U.S. are ramping up in scope and volume. Last month, a hacking group claimed credit for cyberattacks hitting more than a dozen U.S. airports’ websites, temporarily rendering parts of the sites inaccessible to the public.

State-sponsored actors operating outside of open war go to great lengths to disguise themselves and prevent attribution, and they deliberately limit the scope of their attacks. Once cyberwar is engaged, those inhibitors and restrictions fall away: operational doctrine changes and the target scope expands dramatically.

The goal is to cause as much disruption as possible to the target's ability to wage war, and in modern times that includes every aspect of a country's supply chain and the daily life of its population. Every enterprise is inside the "blast radius" of a cyberwar.

Cyberwar Exploits Vulnerable Apps

As Russia has repeatedly shown in Ukraine, civilian infrastructure is treated as a legitimate target despite this being against the conventions of war and, consequently, a war crime. Nothing is out of bounds, and software can do the dirty work. For example, disabling the elevator systems in high-rise buildings by exploiting software vulnerabilities is far easier than physically destroying the buildings. What is a major inconvenience for some could be a death sentence for the elderly and infirm.

Further, Russia's operations in cyberspace often draw immediate attention, which is by design. The goal is massive disruption, not the covert, deniable operations that require hiding attribution. When attribution and stealth are removed from the equation, cyberwar explodes in breadth and volume of attacks. If your normal daily volume of detectable cybercrime and state-sponsored attacks is 100, you will likely encounter 1,000 to 10,000 under cyberwar conditions. So SOC teams that already struggle to handle 100 incidents a day will need to move into an entirely different operational mode to keep pace. Speed of mitigation is the most critical factor, and the biggest challenge for analysts in cyberwar.

In these unprecedented times of targeted attacks against governments and financial institutions, every organization should be on heightened alert about protecting their critical infrastructure and digital attack surface. Tapping expertise from outside of your immediate organization can play a critical role in this effort.

Leverage the Broader Security Community

Expert teams know the value of leveraging the broader community to build effective security content, share intelligence, and keep current with best practices. The same is true in times of cyberwar. Community, when fused with data, analytics and automation, can help analysts sharpen their incident response skills and keep pace with the latest attack techniques.

Leveraging industry-sourced content and on-demand expertise will boost an organization’s security posture. SOC teams can learn from global security experts about cyberattacks they’re actively battling, especially from organizations operating in the same industry facing similar threats.

While professionals from different SOCs may vary in their specialty (database, security operations, service operations, machine learning, etc.) and may focus on a particular vendor or network technology, they can still complement the experts in your own SOC.

Recommended Security Tips and Best Practices

In addition to seeking support from the broader security community, all businesses should implement simple steps such as using strong passwords, enabling two-factor authentication, and updating software frequently. To prevent Russian cyberattacks, more stringent steps are necessary, too. Here are four security best practices recommended by CISA and the FBI’s Counterintelligence Division that organizations should start to implement.

  1. Check Network: Begin hunting for any indications of Russian state-sponsored tactics and techniques on your network. It is critical to mitigate any public-facing vulnerabilities with the utmost urgency, particularly those that are being actively exploited.
  2. Secure Credentials: Russian state-sponsored advanced persistent threat actors have demonstrated their ability to maintain persistence using compromised credentials. Businesses should harden credential use accordingly (enforce multifactor authentication, rotate any credentials suspected of exposure, and review privileged accounts for unexpected use), especially now, as Russia is facing global scrutiny.
  3. Patch Vulnerabilities: Applying security patches promptly is critical so that no attacker, cybercriminal or nation-state backed operative, can exploit known vulnerabilities as a means of entering or maintaining persistence on the network.
  4. Maximize Resilience: Take whatever steps are necessary to maximize resilience to a disruptive or destructive cyber incident. This includes exercising your incident response and remediation (IRR) plan and designated crisis response team, ensuring the availability of key personnel, and testing your backup procedures to the degree applicable.
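The first two items above, hunting for known tactics and finding abused credentials, are where a SOC can start with the logs it already has. Password spraying (one source trying a few common passwords against many accounts, then logging in with whichever one worked) is a documented credential-abuse tactic of Russian state-sponsored actors. The script below is an added example, not code from the original article, CISA or the FBI: it runs a sliding-window spray detector over authentication events and, for each flagged source, lists the accounts that source later logged into successfully, which are the credentials to rotate first. The log format, the sample lines, and the threshold values are all constructed for the example.

```python
"""Hunt for password spraying in authentication logs (added example).

Log format and sample data are constructed for this example; adapt LINE_RE
to whatever your identity provider or VPN actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: <ISO-8601 UTC timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts and then logs in as
# erin; 198.51.100.22 is a user mistyping their own password; 192.0.2.9
# fails against two accounts and never reaches the threshold.
SAMPLE_LOG = """\
2024-03-01T02:00:01Z FAIL user=alice src=203.0.113.7
2024-03-01T02:00:04Z FAIL user=bob src=203.0.113.7
2024-03-01T02:00:07Z FAIL user=carol src=203.0.113.7
2024-03-01T02:00:10Z FAIL user=dave src=203.0.113.7
2024-03-01T02:00:13Z FAIL user=erin src=203.0.113.7
2024-03-01T02:00:16Z FAIL user=frank src=203.0.113.7
2024-03-01T02:05:40Z SUCCESS user=erin src=203.0.113.7
2024-03-01T08:12:01Z FAIL user=alice src=198.51.100.22
2024-03-01T08:12:09Z FAIL user=alice src=198.51.100.22
2024-03-01T08:12:20Z SUCCESS user=alice src=198.51.100.22
2024-03-01T09:30:00Z FAIL user=bob src=192.0.2.9
2024-03-01T09:31:00Z FAIL user=carol src=192.0.2.9
this line is malformed and is skipped by the parser
"""


def parse_auth_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_password_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Flag sources whose failed logins hit >= min_accounts distinct accounts
    inside a sliding time window of length `window`.

    For each flagged source the finding also lists accounts that the same
    source logged into successfully at or after the spray started: treat
    those credentials as compromised.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Advance the window's left edge so it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            window_users = {e["user"] for e in fails[start:end + 1]}
            if len(window_users) >= min_accounts:
                spray_start = fails[start]["ts"]
                compromised = sorted({
                    e["user"] for e in evs
                    if e["result"] == "SUCCESS" and e["ts"] >= spray_start
                })
                findings[src] = {
                    "first_seen": spray_start,
                    "accounts_tried": len({e["user"] for e in fails}),
                    "compromised": compromised,
                }
                break  # one finding per source is enough for triage
    return findings


def hunt(log_text, **kwargs):
    """Convenience wrapper: parse the log and run the spray detector."""
    return find_password_spray(parse_auth_log(log_text), **kwargs)


if __name__ == "__main__":
    for src, f in hunt(SAMPLE_LOG).items():
        print(f"{src}: sprayed {f['accounts_tried']} accounts starting "
              f"{f['first_seen']:%Y-%m-%d %H:%M:%S}Z; successful logins "
              f"afterwards: {f['compromised'] or 'none'}")
```

The threshold and window are deliberately parameters: a helpdesk NAT or a shared jump host will produce many distinct usernames from one address legitimately, so tune `min_accounts` against a baseline of your own traffic before paging anyone on it. The successful-login list is the part worth acting on immediately, since a spray that never succeeds is noise, while one that does is an active intrusion with a known account to disable.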

The FBI and CISA emphasize the importance of contacting CISA if your business believes it was impacted by a cyber incident. Businesses can report incidents to CISA via email at [email protected] or through a regional point of contact. Additionally, CISA has a one-stop source for information called Shields Up that documents malicious Russian cyber activities and tips on how to address those risks.

Many organizations may perceive themselves as low-risk today. While it may be true that they are not specific targets, they are just as likely as anyone else to be caught up in opportunistic attacks by Russia-sympathetic threat actors or to suffer collateral damage. So now is a good time for every organization to review and tighten its security posture.