What is happening?
The Russian government has used cyber operations as a key component of its force projection over the last decade, including previously in Ukraine in the 2015 timeframe. The Russian government understands that disabling or destroying critical infrastructure, including power and communications, can add pressure on a country's government, military and population, accelerating their acceding to Russian objectives.
While there are not currently any specific credible threats to the U.S. homeland, the potential exists for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.
Why is This Significant?
Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.
Shields Up Guidance for All Organizations
All organizations, regardless of size, must adopt a heightened cybersecurity posture and protect their most critical assets. Recommended actions include:
Reduce the likelihood of a damaging cyber intrusion
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities (those listed in CISA's Known Exploited Vulnerabilities catalog).
- Confirm that the organization’s IT personnel have disabled all ports, services and protocols that are not essential for business purposes.
- If the organization uses cloud services, ensure that IT personnel have reviewed and implemented strong controls; see CISA analysis report AR21-013A on strengthening cloud security configurations: https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a
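The patch-prioritization step above is easiest to operationalize by checking scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog. The following Python script is an added example, not code from the CISA advisory: it indexes a KEV feed document by CVE ID and ranks an asset inventory's findings by how far past the KEV due date they are, so the most overdue actively exploited flaws are patched first. The field names (vulnerabilities, cveID, dueDate) follow the public KEV JSON feed; the catalog snapshot, the dates in it and the scanner inventory are constructed for the example and should be replaced with the live feed and your scanner's export.

```python
"""Rank unpatched findings by CISA KEV status and due date.

Added example for this page, not CISA's code. KEV_SNAPSHOT mimics the shape of
the public KEV JSON feed (fields vulnerabilities, cveID, vendorProject, product,
dateAdded, dueDate); its entries and dates are a constructed subset so the
script runs offline, and INVENTORY is a constructed scanner export.
"""
import json
from datetime import date

# Constructed KEV snapshot (illustrative dates; use the live feed in practice).
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2021-11-03", "dueDate": "2021-07-20"},
        {"cveID": "CVE-2022-22620", "vendorProject": "Apple", "product": "WebKit",
         "dateAdded": "2022-02-11", "dueDate": "2022-02-25"},
    ],
})

# Constructed scanner export: asset name -> CVEs reported as unpatched.
INVENTORY = {
    "web-01": ["CVE-2021-44228", "CVE-2020-11022"],
    "print-srv": ["CVE-2021-34527"],
    "api-02": ["CVE-2021-44228"],
    "mac-03": ["CVE-2022-22620"],
}


def load_kev(feed_text):
    """Index a KEV feed document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(inventory, kev, today):
    """Return (cve, asset, days_past_due) for every finding listed in KEV,
    most overdue first. Negative days mean the KEV due date is still ahead.
    Findings not in KEV are not dropped silently: see not_in_kev()."""
    hits = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append((cve, asset, (today - due).days))
    # Most overdue first; ties broken deterministically for stable reports.
    hits.sort(key=lambda h: (-h[2], h[0], h[1]))
    return hits


def not_in_kev(inventory, kev):
    """CVEs from the scanner that KEV does not list (normal-cycle patching)."""
    return sorted({c for cves in inventory.values() for c in cves if c not in kev})


def rank_findings(inventory, feed_text, today_iso):
    """Convenience wrapper taking the raw feed document and an ISO date string."""
    return prioritize(inventory, load_kev(feed_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    catalog = load_kev(KEV_SNAPSHOT)
    for cve, asset, days in prioritize(INVENTORY, catalog, date(2022, 2, 23)):
        state = f"{days}d overdue" if days >= 0 else f"due in {-days}d"
        print(f"{cve:16} {asset:10} {state}")
    print("not in KEV:", ", ".join(not_in_kev(INVENTORY, catalog)))
```

The KEV due dates are CISA's deadlines for federal agencies, but they are a usable proxy for urgency anywhere: a finding that is months past its due date has been exploited in the wild for at least that long. Keep the non-KEV list visible in the same report so it is not forgotten once the KEV backlog is cleared.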
Take steps to quickly detect a potential intrusion
- Ensure that the cybersecurity team is focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization’s entire network is protected by antivirus/antimalware software and these tools are updated frequently.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
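Of the three detection items above, reviewing access controls for partner traffic is concrete enough to script. The following Python is an added example, not CISA's code: it replays firewall log lines against an explicit allowlist of the destinations a partner organization is supposed to reach and reports both policy gaps (partner traffic that was allowed to an unexpected service) and denied attempts that warrant inspection. The partner address range (203.0.113.0/24, an RFC 5737 documentation block), the allowlist, and the key=value log format and lines are all constructed for the example; adapt the parser to whatever your firewall actually emits.

```python
"""Review partner-organisation traffic against the expected access controls.

Added example, not CISA's code. PARTNER_NETS, ALLOWED and LOG_LINES are all
constructed: the partner range is the 203.0.113.0/24 documentation block and
the key=value log format is a stand-in for your firewall's real format.
"""
import ipaddress
import re
from collections import Counter

# Constructed: address space of the partner organisation being monitored.
PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed expectation: partner hosts may reach only the SFTP drop box and
# the web portal. Anything else that gets through is a rule that needs fixing.
ALLOWED = {("10.0.5.10", 22), ("10.0.5.20", 443)}

# Constructed firewall log lines.
LOG_LINES = """\
ts=2022-02-23T09:00:01Z src=203.0.113.7 dst=10.0.5.10 dport=22 proto=tcp action=allow
ts=2022-02-23T09:00:05Z src=203.0.113.7 dst=10.0.5.20 dport=443 proto=tcp action=allow
ts=2022-02-23T09:01:13Z src=203.0.113.44 dst=10.0.5.30 dport=445 proto=tcp action=allow
ts=2022-02-23T09:01:40Z src=203.0.113.44 dst=10.0.1.5 dport=3389 proto=tcp action=deny
ts=2022-02-23T09:02:02Z src=198.51.100.9 dst=10.0.5.30 dport=445 proto=tcp action=allow
ts=2022-02-23T09:02:30Z src=203.0.113.9 dst=10.0.5.10 dport=22 proto=tcp action=allow
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD.findall(line))


def is_partner(ip):
    """True if the address falls inside any monitored partner network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PARTNER_NETS)


def review(lines):
    """Return (gaps, probes, volume).

    gaps:   allowed partner flows to a destination outside ALLOWED (fix the rule)
    probes: denied partner attempts (inspect: scanning, misconfiguration, or a
            compromised partner host)
    volume: flows per partner source, to spot one host generating the noise
    Non-partner traffic is ignored here; it is covered by the normal ruleset.
    """
    gaps, probes, volume = [], [], Counter()
    for line in lines:
        rec = parse(line)
        if not is_partner(rec["src"]):
            continue
        volume[rec["src"]] += 1
        key = (rec["dst"], int(rec["dport"]))
        if rec["action"] == "allow" and key not in ALLOWED:
            gaps.append((rec["ts"], rec["src"], key))
        elif rec["action"] == "deny":
            probes.append((rec["ts"], rec["src"], key))
    return gaps, probes, dict(volume)


if __name__ == "__main__":
    gaps, probes, volume = review(LOG_LINES)
    for ts, src, (dst, port) in gaps:
        print(f"POLICY GAP  {ts} {src} -> {dst}:{port} was allowed")
    for ts, src, (dst, port) in probes:
        print(f"DENIED      {ts} {src} -> {dst}:{port}")
    print("flows per partner host:", volume)
```

A gap means the firewall rule is wider than the documented access control and should be tightened; a probe means a partner host is trying to reach things it was never meant to, which is exactly the traffic the guidance says to inspect and isolate rather than simply count as blocked.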
Ensure that the organization is prepared to respond if an intrusion occurs
- Create a Cyber Incident Response Plan that includes the following actions:
  - Designate a Cyber Incident Response Team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
  - Assure availability of key personnel; identify means to provide surge support for responding to an incident.
  - Conduct a Cyber Incident Response tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization’s resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack.
- Ensure that backups are offline and isolated from potential compromise/infection.
- If using industrial control systems (SCADA) or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the network is unavailable or untrusted.
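The backup items above are only meaningful if the restore is actually exercised. The following Python is an added example, not CISA's code: it builds a small in-memory tar backup with a SHA-256 manifest (a constructed stand-in for a real backup job), restores it into a scratch directory while refusing path-traversal and non-regular entries, and fails the drill if any critical file is missing or differs from the manifest. File names and contents are constructed; the list of critical files is the thing you would take from your own continuity plan.

```python
"""Restore drill: prove that critical files come back from a backup intact.

Added example, not CISA's code. The backup job is simulated in memory; the
restore-and-verify logic is the point. File names and contents are constructed.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed critical data set, as a continuity plan would list it.
CRITICAL_FILES = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\nauth: mfa-required\n",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Simulated backup job: tar the files in memory and record a manifest of
    name -> sha256. Store the manifest separately from the archive (offline,
    immutable) so an attacker who rewrites the archive cannot rewrite it too."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: sha256_bytes(d) for n, d in files.items()}


def restore_and_verify(archive, manifest, critical):
    """Restore into a scratch directory and check every critical file.

    Returns (ok, problems). Entries that would escape the target directory or
    that are not regular files are skipped and reported: a backup taken from a
    compromised host is itself untrusted input and must not be blindly extracted.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for member in tar.getmembers():
                dest = os.path.realpath(os.path.join(root, member.name))
                if not dest.startswith(root + os.sep) or not member.isfile():
                    problems.append((member.name, "unsafe entry skipped"))
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
        for name in critical:
            path = os.path.join(root, name)
            if not os.path.isfile(path):
                problems.append((name, "missing"))
                continue
            with open(path, "rb") as fh:
                digest = sha256_bytes(fh.read())
            if digest != manifest.get(name):
                problems.append((name, "hash mismatch"))
    return not problems, problems


def drill():
    """Run the drill against a good backup, a tampered one, and one that lacks
    a file the plan lists as critical."""
    archive, manifest = make_backup(CRITICAL_FILES)
    critical = list(CRITICAL_FILES)
    good = restore_and_verify(archive, manifest, critical)

    # Tampered: same names, but the config was altered after the manifest was taken.
    tampered_archive, _ = make_backup({**CRITICAL_FILES, "config/app.yaml": b"auth: none\n"})
    tampered = restore_and_verify(tampered_archive, manifest, critical)

    # Missing: the plan now lists a file the backup job never captured.
    missing = restore_and_verify(archive, manifest, critical + ["db/orders.sql"])
    return good, tampered, missing


if __name__ == "__main__":
    for label, (ok, problems) in zip(("good", "tampered", "missing"), drill()):
        print(f"{label:9} {'PASS' if ok else 'FAIL'} {problems}")
```

Run the drill on a schedule, not once: the "missing" case is the common real-world failure, where the list of critical systems grows but the backup job is never updated to match. Time the restore as well, since the guidance is about rapid restoration, not just eventual restoration.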
By implementing the steps above, all organizations can make near-term progress toward improving cybersecurity and resilience.
In addition, while recent cyber incidents have not been attributed to specific actors, CISA urges cybersecurity/IT personnel at every organization to review Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure (Alert AA22-011A): https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
See also StopRansomware.gov, a centralized webpage providing ransomware resources and alerts: https://www.cisa.gov/stopransomware
Recommendations for Corporate Leaders and CEOs
Corporate leaders have an important role to play in ensuring that their organization adopts a heightened security posture.
We urge all senior leaders, including CEOs, to take the following steps:
- Plan for the Worst: While the U.S. government does not have credible information regarding specific threats to the U.S. homeland, organizations should plan for a worst-case scenario. Senior management should ensure that exigent measures can be taken to protect your organization’s most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.
- Empower Chief Information Security Officers (CISOs): In nearly every organization, security improvements are weighed against cost and operational risks to the business. In this heightened threat environment, senior management should empower CISOs by including them in the decision-making process for risk to the company and ensure that the entire organization understands that security investments are a top priority in the immediate term.
- Lower Reporting Thresholds: In this heightened threat environment, reporting thresholds should be significantly lower than normal. Senior leaders should establish an expectation that any indications of malicious cyber activity, even if blocked by security controls, are reported to CISA or the FBI. Lower thresholds let CISA and the FBI identify an issue immediately and help protect against further attacks or additional victims. In the event of a cyber incident, CISA is able to offer assistance to victim organizations and use information from incident reports to protect other possible victims. Report incidents and anomalous activity to CISA and/or the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
- Participate in a Test of Response Plans: Cyber incident response plans should include not only your security and IT teams, but also senior business leaders and Board members. If you have not already done so, senior leaders should participate in a tabletop exercise to ensure familiarity with how your organization will manage a major cyber incident, including one that affects not only your company but also providers in your supply chain (MSPs, MSSPs, CSPs, ISPs and SSPs).
- Focus on Continuity: Recognizing finite resources, investments in security and resilience should be focused on those systems supporting critical business functions. Senior leaders should ensure that such systems have been identified and that continuity and disaster recovery (DR) tests have been conducted to ensure that critical business functions remain available while a cyber intrusion is contained and recovered from.
Additional Resources
- Russia Cyber Threat Overview and Advisories as of Feb 23, 2022, https://www.cisa.gov/uscert/russia
- War on Pineapple: this infographic looks at how foreign adversaries conduct malign information operations to inflame hot-button issues in the United States. https://www.cisa.gov/sites/default/files/publications/19_1008_cisa_the-war-on-pineapple-understanding-foreign-interference-in-5-steps.pdf