They should – Dr Suleyman Ozarslan
Geopolitics and cyber warfare are complex issues. Meanwhile, enterprise security has always been nuanced and multi-faceted. However, I believe this is a simple question with an easy answer. Yes, of course, security teams need to enact change.
The threat landscape is changing rapidly, and the ability to adapt is imperative for protecting critical infrastructure, supply chains and businesses worldwide. The threats posed by the war in Ukraine are real, and their impact extends beyond borders. Additionally, nation-state tactics, techniques and procedures (TTPs) will quickly fall into the hands of cybercrime gangs outside Russia. They already pose a risk to organizations globally.
It’s a useful starting point, Russian threats aside, to consider the more fundamental question of whether security teams should adjust their security posture on an ongoing basis. The answer is always going to be a resounding ‘yes.’ A fundamental aspect of good security has always been to keep on top of a rapidly changing threat landscape. As attacks evolve, defenses should too.
War in Europe only intensifies the need for security teams to be proactive and act decisively. Ignoring the existence of new major cybersecurity threats is just burying your head in the sand.
A sizable proportion of cyber-criminal activity in 2022 is linked to Russian attackers. This includes military state-backed threat actors created by the Russian government and state-sponsored attackers formed independently yet still supported by the government.
In addition, there are financially motivated cyber-criminal gangs like Conti that are allowed to operate without prosecution by the Russian authorities and sometimes even encouraged to act on the state’s behalf.
There is often no clear distinction between state-backed, state-sponsored and independent cyber threat groups. These groups will often contain the same individuals. A big problem is that these groups have different motives and cannot be contained by neat geographical boundaries. Attackers with links to Russia have already targeted Ukrainian allies, including Norway, Germany and Italy. The recent Viasat wiper malware attack and subsequent internet outage also had ramifications far beyond Ukraine.
Destructive DDoS attacks and wiper malware are common during cyberwarfare. Unlike financially motivated cyber-criminal activity, these attacks are designed to destabilize critical infrastructure, supply chains and prominent businesses. These kinds of attacks are already happening inside and outside of Ukraine.
There is a stand-off now, but it’s plausible that Russian President Vladimir Putin will consider new cyber campaigns in response to global sanctions and other Western interventions. We may also see countries like China and North Korea take advantage of the global uncertainty and ramp up their campaigns against political targets, as both have vast networks of advanced persistent threat groups.
During cyber warfare, we also see changes in the global threat landscape accelerate as attacks leveraged initially by nation-state actors become commoditized. NotPetya is a prime example of a devastating nation-state attack initially targeting organizations in Ukraine that other criminal actors later leveraged to target organizations worldwide.
Even if they are not in Russian crosshairs, smart companies should stay up to date with the TTPs used by nation-state actors today. This information should be used to ensure that their defenses are tuned accordingly.
The trickle-down of TTPs used by nation-state actors is now quicker than ever. It is common to see techniques used by attackers from nation-states being leveraged by financially motivated actors in a matter of days. Threat actors learn about each other’s TTPs within hours, and the tools used are often easy to procure on the dark web.
This rapid trickle-down makes it even more important that organizations regularly assess their security posture. Using the latest threat intelligence to learn how to better prevent and detect new adversary behaviors will help prevent future incidents.
Considering all of the above and the direction of the security industry more generally, it’s clear that altering a company’s security posture in light of emerging threats should be a priority. Organizations that maintain a close understanding of the latest threats and adopt a proactive approach to mitigating them will be in a far better position to minimize cyber risks in the short and long term.
The Russo-Ukrainian War is not the world’s first full-scale cyberwar and will not be the last. In this new normal, security teams need to ensure that they adopt a threat-centric approach by continuously evaluating the risks they face and taking action to harden defenses accordingly.
They should not – Brian Honan
As human beings, we’re hardwired to watch out for danger in our surroundings. Imminent threats like predators trigger a survival response. We’re also not supposed to be on high alert for prolonged periods. This can cause hypervigilance, leading the sufferer to feel high anxiety and stress levels. What does this have to do with cybersecurity and the potential for attacks that could spill over from the Russia-Ukraine conflict? Everything, I believe.
Since Russia invaded Ukraine in late February, there’s been a lot of coverage about the potential impact in cybersecurity terms. Cybersecurity experts have been quoted in various media outlets saying both the Kremlin and Russia-allied hackers may launch cyber-attacks that cripple critical systems and business applications far beyond Ukraine.
Ratings agency Fitch said the war “increases spillover risks of global cyber-attacks.” National cybersecurity agencies such as the UK’s National Cyber Security Centre (NCSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA) have warned organizations to prepare for increased attacks from Russia. CISA’s ‘Shields Up’ campaign encourages companies of all sizes to put in place additional security measures to protect themselves from cyber-attacks that could result from the conflict.
Yet what’s missing from many of these warnings is specific detail about the exact nature of the threat. Are we talking about ransomware on a scale of 2017’s NotPetya outbreak? Could it be a large-scale DDoS attack with the potential to disrupt regular operations? Or is it another type of threat altogether? Or all of the above?
The problem is, we don’t know. Without knowing what kinds of attacks we should be preparing against, it’s not a sustainable position to have a cybersecurity or IT team constantly on high alert. This hypervigilant state leads to feeling overwhelmed and, ultimately, fatigued. If that were to persist for weeks or months, it would leave key professionals and their teams far short of optimal condition to respond effectively if something drastic happened due to the conflict.
From a mental health point of view, we run the risk of losing good people who could walk away from their jobs, burned out and unable to function because they’re constantly on guard against… what, exactly? Let’s not forget that we regularly hear that the industry has a skills shortage as it is.
From a security professional’s perspective, another factor worth bearing in mind is the wider context: we’re only just emerging from an intense two-year period when often under-resourced cybersecurity and IT teams have been trying to secure and enable their businesses to work remotely and via the cloud in response to the COVID-19 pandemic. By most accounts, this was an incredibly stressful time. There is no academic research into this area yet, but a wealth of anecdotal evidence suggests that cybersecurity professionals were adversely affected, just as many other workers were.
I believe it’s unfair that we’re now asking them to jump into the fray yet again – without telling them exactly what they’re up against. To give credit to agencies like the NCSC and CISA, much of the guidance they’re providing is sensible. They’re encouraging businesses and organizations to maintain good levels of basic security hygiene, such as ensuring critical systems are patched, continually updating firewalls, using multi-factor authentication where possible and deploying up-to-date antivirus software.
If companies haven’t reached this basic level of security, it’s right to call out organizations for the potential risk. However, only investing in something as critical as IT in response to a crisis is no way to manage a cybersecurity program.
Almost 10 years ago, Wendy Nather coined the phrase the “security poverty line” to describe organizations that don’t have the cybersecurity basics in place. It’s fair to ask who would be the potential targets or victims of a cyber-attack related to the Ukraine conflict? Would they be above or below this poverty line?
Every organization should do a risk or threat assessment with an honest look at whether they have the appropriate security controls in place. It’s good practice to secure the supply chain, so organizations that work with suppliers or vendors operating in Ukraine should build that into their resilience planning.
Psychologists say the way to counteract a feeling of hypervigilance is to ask: what needs my attention? In the same vein, my argument is that organizations should check they’re doing the security basics right – and then build the capability to ramp up against specific threats when they become known. They should not fundamentally alter their security posture.
If there’s a ransomware attack directed against your industry or your business specifically, then by all means, put your shields up. When there are so many aspects of security to deal with daily, however, it serves no purpose to stay on high alert except as an incredibly stressful distraction.
At the time of writing, the war has been predominantly restricted to Russia and Ukraine, physically and online. Until the threats are more real and more widespread against countries or organizations outside the current conflict zone, maintaining a state of high alert could be self-defeating and counterproductive.