This year saw Russian hackers leveling attacks against Ukraine to cripple infrastructure and leave Ukrainians in the technological, and even literal, dark. What’s more, hackers have also been directing their efforts against Western institutions, often in retaliation for sanctions imposed by Western governments, as counterattacks on “hacktivists” targeting Russian services and institutions, and against any countries offering Ukraine aid.
The Biden Administration, amongst others, has warned companies of potential impending cyberattacks. Financial institutions are expected to be hit hard, as are other industries that provide public services or any other organization that would cause significant disruption if faced with any lengthy amount of downtime or data breach.
While it seems unlikely that a large number of organizations and institutions will be hit, it can be expected that a good portion will, so tightening security is a good way to prepare.
What Kind Of Attacks Are We Looking At?
Glad you asked.
The attacks listed below are among those most favored by Russian hackers, though the list is not exhaustive. The attacks we’ve seen carried out over the past few months, and that are predicted to increase in the future, are:
Distributed Denial-Of-Service Attacks
Distributed denial-of-service (DDoS) attacks have always been the preferred method when the attacker’s (or attackers’) goal is to cause chaos.
DDoS attacks are relatively easy to set up and run, and they’re a lot more effective than they used to be. While large organizations have traditionally been the main target (and largely still are), small-to-medium-sized businesses are not only increasingly facing the heat but are also far less equipped to deal with DDoS attacks.
These attacks aim to cripple servers by flooding them with web traffic. Often using IP spoofing to disguise the source, the attacker sends a large volume of fake requests to a server with the intention of overwhelming it to the point where it crashes and goes down.
While not as crippling as data breaches and ransomware attacks, DDoS attacks can incur financial losses for a company due to the downtime and, depending on the target, create significant disruption.
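The flood described above leaves a recognizable trace in ordinary web server logs. The following is an added example (not code from the original article) of the two checks a defender runs over access logs: the peak request count per source, and the aggregate request rate, which still spikes when the per-source check is defeated by spoofed addresses. The log lines are constructed here in Common Log Format, and the thresholds are illustrative assumptions.

```python
"""Added example: per-source and aggregate request-rate checks over web server
access logs. Log lines are constructed in Common Log Format; no real addresses
are implied, and the window/threshold values are assumptions for illustration."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.group(1), m.group(2)
    return ip, datetime.strptime(ts, TS_FMT)


def find_flooders(lines, window_seconds=10, threshold=50):
    """Map each source to its peak request count inside any window_seconds span,
    keeping only sources at or above threshold. Assumes lines are in time order
    per source, as a server writes them."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when = parsed
        q = recent[ip]
        q.append(when)
        while (when - q[0]) > timedelta(seconds=window_seconds):
            q.popleft()
        peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def peak_total_rate(lines, bucket_seconds=1):
    """Highest request count in any bucket_seconds bucket across all sources.
    When sources are spoofed no single address stands out, but the aggregate
    rate still does, so both checks belong in a flood detector."""
    buckets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, when = parsed
        buckets[int(when.timestamp()) // bucket_seconds] += 1
    return max(buckets.values(), default=0)


def sample_log():
    """Constructed sample: light browsing from 10.0.0.5, a burst from 203.0.113.9."""
    base = datetime(2022, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f'10.0.0.5 - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512')
    for i in range(60):
        t = base + timedelta(milliseconds=150 * i)
        lines.append(f'203.0.113.9 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 128')
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("flooding sources:", find_flooders(log))
    print("peak requests/second:", peak_total_rate(log))
```

Run as-is, the burst source is reported with 60 requests inside the 10-second window, while the browsing source never exceeds one; the aggregate check reports the busiest second across all sources.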
Phishing is a common (and often successful) email-based attack which involves a cybercriminal sending out emails to recipients with the goal of tricking them into clicking on malicious links inside or downloading any harmful files attached.
The intention is to steal sensitive information (like financial details or login credentials) or to infect the recipient’s device with malware or ransomware. Credential harvesting is a particularly common reason, as the harvested details can be used for follow-up attacks—often unbeknownst to the recipient.
Phishing relies on either technical processes like spoofing or social engineering-based tactics in order to trick end-users into clicking on links and attachments within phishing emails.
Spear phishing works the same way as regular phishing, the only nuance being that these attacks are a lot more targeted in nature, hence the “spearing” moniker. Targets can be a particular organization or even a specific individual.
In the wake of Russia’s war on Ukraine, specific organizations and institutions are being targeted in retaliation, making spear phishing attacks something admins need to be on the lookout for.
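Much of the spoofing that phishing depends on is visible in message headers before anyone clicks. The following is an added example (not code from the original article or from any mail product) that checks a message’s sender headers for three common warning signs: a display name carrying an address from a different domain, a Return-Path or Reply-To that does not match the From domain, and a From domain one character away from a trusted one. The three messages are constructed, and example.com is assumed to be the defender’s own domain.

```python
"""Added example: header checks for the sender-spoofing tricks phishing mail
relies on. Messages are constructed (headers only); example.com is assumed to be
the organization's own domain."""
from email import message_from_string
from email.utils import parseaddr

# Domains this organization treats as its own (assumption for the example).
TRUSTED_DOMAINS = {"example.com"}

# Constructed samples: a legitimate message, a display-name spoof, a lookalike domain.
LEGIT = """From: Payroll <payroll@example.com>
Return-Path: <bounces@example.com>
To: staff@example.com
Subject: March pay slips
"""

DISPLAY_NAME_SPOOF = """From: "ceo@example.com" <attacker@mail.example.net>
Return-Path: <attacker@mail.example.net>
Reply-To: <replies@example.org>
To: staff@example.com
Subject: Urgent wire transfer
"""

LOOKALIKE_DOMAIN = """From: IT Support <helpdesk@examp1e.com>
Return-Path: <helpdesk@examp1e.com>
To: staff@example.com
Subject: Password expiry - action required
"""


def domain_of(address):
    """Lower-cased part after the last '@' ('' when there is none)."""
    return address.rpartition("@")[2].lower()


def is_lookalike(domain, trusted):
    """True when domain matches a trusted domain except for exactly one character."""
    for t in trusted:
        if domain != t and len(domain) == len(t):
            if sum(a != b for a, b in zip(domain, t)) == 1:
                return True
    return False


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the list of sender-related warning signs found in the headers."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    found = []
    if "@" in display_name and domain_of(display_name) != from_domain:
        found.append("display name carries an address from a different domain")
    if return_path and domain_of(return_path) != from_domain:
        found.append("Return-Path domain differs from From domain")
    if reply_to and domain_of(reply_to) != from_domain:
        found.append("Reply-To domain differs from From domain")
    if is_lookalike(from_domain, trusted):
        found.append("From domain is a one-character lookalike of a trusted domain")
    return found


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoof", DISPLAY_NAME_SPOOF), ("lookalike", LOOKALIKE_DOMAIN)]:
        print(label, phishing_indicators(raw))
```

These checks complement, rather than replace, SPF/DKIM/DMARC evaluation done by the mail gateway; they are the kind of rule a secure email gateway applies on top of authentication results.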
Ransomware is a type of malware that, once successfully installed onto a single device within a network, can block users, wipe files and data, and restrict access to the network.
The network will only be available once a ransom is paid in exchange for the decryption key needed to access it again. Many companies end up paying this ransom to have the matter dealt with as quickly as possible, particularly because remediating a ransomware attack can take anywhere from weeks to months.
This is often the case with industries such as manufacturing, that can’t afford the downtime if production is shut down, or organizations associated with public services such as power companies, healthcare organizations, and so on.
In early 2022, reports of a new strain of data-wiping malware targeting Ukrainian public services and institutions were emerging at the same time these critical organizations, institutions, and networks associated with public infrastructure were also being hit with DDoS attacks as Russian troops advanced into the country.
Data-wiping malware, as the name implies, is a particularly insidious type of malware that destroys all data on affected devices, leaving the lost data completely unrecoverable. Not only can it wipe data on the infected device, but also on any storage devices attached to it. It also leaves the operating system inoperable, rendering the device not only devoid of its data but also completely unusable.
While this particular strain has only been reported to affect organizations in Ukraine, variations of this malware have also been reported in countries such as Latvia and Lithuania.
Alongside data-wiping malware, other forms of malware are also considered to be a risk and something organizations will need to keep a lookout for.
How To Prevent And Mitigate Risk
While it’s hard to say how the threat landscape will evolve as time goes on—especially so early on in the conflict—there’s nothing wrong with being prepared.
While large-scale attacks haven’t occurred just yet, that doesn’t mean they won’t in the future. Instilling best practices and fortifying your business’ cybersecurity perimeter can help you prevent and mitigate risk. We’ve compiled some of the best solutions below:
For companies that have already migrated to the cloud (or indeed any companies looking to make the jump to the cloud and need more motivation), the cloud offers a range of robust solutions that can help protect your network from DDoS attacks. On the whole, cloud servers are far more scalable and provide more bandwidth and resources that can more easily withstand a DDoS attack.
Cloud backup solutions are also extremely beneficial in the event of a ransomware attack. Prior to the cloud, backups were often stored on physical hard drives kept remotely, away from the main server. While hard drives offer a robust backup solution that is incredibly difficult to compromise, they did pose problems for regular access and frequent backups.
Cloud backup solutions, while often a little trickier to deploy, configure, and maintain, offer greater flexibility than hard drive solutions. They’re highly scalable and can be configured to automatically back up data at a pre-set time. Admins can also customize which data, apps, and systems are backed up, and choose where backups are stored.
There are two main tenets to consider when choosing or adapting a cloud backup solution: Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
RPO refers to the amount of data a company is willing to lose should a breach occur; it is usually determined by the backup schedule configured by admins. If the RPO is 24 hours and the backup runs at midnight, an incident at any point before the next midnight run means everything written since the last midnight backup, up to 24 hours of data, is lost.
RTO refers to the target time for restoring everything: how long it will take before servers are back online and operations are back to normal.
However, cloud backup solutions are not infallible. For all their benefits, they do need to be regularly and properly maintained and tested to ensure that they’re working correctly and have not been compromised.
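The RPO and RTO reasoning above can be made concrete. The following is an added example (not the article’s own or any vendor’s tooling) that, for a given backup schedule, works out how much data an incident at a particular time would lose, and compares that loss and the measured restore time against the RPO and RTO targets. The incident, restore time, and targets are constructed values; the restore duration is the kind of number a restore test produces, which is the point about testing made above.

```python
"""Added example: working through RPO and RTO for a scheduled backup. Times and
targets are constructed for illustration; backup_hours lists the hours of day
(UTC) at which backups run."""
from datetime import datetime, time, timedelta, timezone


def last_backup_before(incident, backup_hours=(0,)):
    """Timestamp of the most recent scheduled backup taken strictly before the incident.
    Looks at today's and yesterday's run times, which covers any daily schedule."""
    candidates = []
    for day_offset in (0, 1):
        day = incident.date() - timedelta(days=day_offset)
        for hour in backup_hours:
            candidates.append(datetime.combine(day, time(hour, 0), tzinfo=incident.tzinfo))
    return max(c for c in candidates if c < incident)


def data_loss_window(incident, backup_hours=(0,)):
    """How much work would be lost: everything written since the last backup."""
    return incident - last_backup_before(incident, backup_hours)


def evaluate_recovery(incident, restore_finished, rpo=timedelta(hours=24),
                      rto=timedelta(hours=4), backup_hours=(0,)):
    """Compare actual data loss and downtime against the RPO/RTO targets.
    restore_finished should come from a restore test, not from the plan on paper."""
    loss = data_loss_window(incident, backup_hours)
    downtime = restore_finished - incident
    return {
        "data_loss_hours": loss.total_seconds() / 3600,
        "rpo_met": loss <= rpo,
        "downtime_hours": downtime.total_seconds() / 3600,
        "rto_met": downtime <= rto,
    }


def scenario_report(backup_hours=(0,), rpo_hours=24, rto_hours=4):
    """Constructed scenario: incident at 23:00 UTC on 1 March 2022, restore finished
    at 05:00 the next morning. Defaults model the midnight daily backup described above."""
    incident = datetime(2022, 3, 1, 23, 0, tzinfo=timezone.utc)
    restored = datetime(2022, 3, 2, 5, 0, tzinfo=timezone.utc)
    return evaluate_recovery(incident, restored, timedelta(hours=rpo_hours),
                             timedelta(hours=rto_hours), backup_hours)


if __name__ == "__main__":
    print("midnight backups only:", scenario_report())
    print("midnight and noon backups:", scenario_report(backup_hours=(0, 12)))
```

With a single midnight backup the 23:00 incident loses 23 hours of data, inside a 24-hour RPO, but the 6-hour restore misses a 4-hour RTO; adding a noon backup cuts the loss to 11 hours, which is the lever RPO gives you, while RTO is only improved by a faster, rehearsed restore.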
Identity Access Management And Privileged Access Management
Identity access management (IAM) is a consolidation of tools, processes, and policies that dictate what users have access to, and what level of access they have, according to their identities.
IAM systems tend to consist of multi-factor and two-factor authentication (MFA and 2FA, respectively), single sign-on capabilities, privileged access management, and more. How much access to a network a user has is down to their job role, level of authority, and amount of responsibility within the company.
Privileged access management (PAM)—generally accepted to be a part of the IAM umbrella—works in largely the same way, except there is a notable focus on privileged accounts.
Technologies and processes used in PAM are aimed at users, accounts, and even systems that hold a large degree of privilege and access within a network. They work by restricting access where need be, to reduce the company’s overall attack surface and the risks that might arise from account compromise, negligence, or even compromised individuals (bribery, especially at high-level organizations, does happen).
In 2020, it was confirmed by Elon Musk that Tesla had been targeted by a Russian hacking organization that had offered a privileged Tesla employee $1 million in exchange for installing ransomware onto the company network. In this instance, the employee did the right thing and alerted both the company and the FBI who investigated the issue, but the situation could have had a much more devastating outcome.
So, in the face of a potential influx of cyberattacks, administrators need to reassess their identity and access management systems and see which areas—or specific individuals—need rethinking.
A common attack vector is the exploitation of shadow admin accounts. Shadow admins are users holding a specific set of highly sensitive permissions, often in the cloud, that allow them to expand their own privileges. This makes them a highly valuable target for attackers because of the level of data they can access and the amount of disruption they can cause, while keeping a lower profile than other admin accounts such as domain admins.
In anticipation of increased attacks, disabling shadow admin accounts is a good step toward restricting access and regaining control over IT administration as a whole. For other admin accounts, multi-factor authentication should be applied wherever it hasn’t been, and admins should generally make sure security best practices have been applied.
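Finding shadow admins is an inventory exercise: look for accounts outside the recognized admin groups that hold permissions capable of escalating privilege. The following is an added example (not the article’s own code, and not tied to any particular directory or cloud product) of such an access review over a constructed account inventory; the permission names are hypothetical stand-ins for the kinds of rights a real directory or cloud IAM export would list.

```python
"""Added example: an access review that flags shadow admins and privileged
accounts without MFA. The inventory, group names and permission names are
constructed and hypothetical."""

# Rights that let a holder reach admin-level access without sitting in an admin
# group (hypothetical names modelled on common directory/cloud permissions).
ESCALATION_PERMISSIONS = {
    "ResetPassword",   # take over other accounts
    "WriteMembers",    # add itself to privileged groups
    "AttachPolicy",    # grant itself further permissions
    "PassRole",        # hand a privileged role to a resource it controls
}

# Groups the organization already treats as privileged (assumption).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed inventory: name, group memberships, directly assigned permissions, MFA state.
ACCOUNTS = [
    {"name": "alice",  "groups": {"Domain Admins"}, "permissions": set(),                             "mfa": False},
    {"name": "bob",    "groups": {"Helpdesk"},      "permissions": {"ResetPassword", "WriteMembers"}, "mfa": False},
    {"name": "svc-ci", "groups": {"Build"},         "permissions": {"AttachPolicy"},                  "mfa": False},
    {"name": "carol",  "groups": {"Finance"},       "permissions": {"ReadReports"},                   "mfa": True},
]


def is_known_admin(account):
    """Member of a group the organization already treats as privileged."""
    return bool(account["groups"] & ADMIN_GROUPS)


def escalation_rights(account):
    """Directly assigned permissions that can be turned into admin-level access."""
    return account["permissions"] & ESCALATION_PERMISSIONS


def shadow_admins(accounts):
    """Accounts outside the admin groups that nonetheless hold escalation rights."""
    return sorted(a["name"] for a in accounts if not is_known_admin(a) and escalation_rights(a))


def privileged_without_mfa(accounts):
    """Known admins and shadow admins that still lack MFA."""
    return sorted(a["name"] for a in accounts
                  if (is_known_admin(a) or escalation_rights(a)) and not a["mfa"])


def access_review(accounts):
    """Summary a reviewer acts on: who to disable or demote, who to enrol in MFA."""
    return {
        "shadow_admins": shadow_admins(accounts),
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "total_privileged": sum(1 for a in accounts if is_known_admin(a) or escalation_rights(a)),
    }


if __name__ == "__main__":
    for key, value in access_review(ACCOUNTS).items():
        print(f"{key}: {value}")
```

In the constructed inventory the helpdesk user and the CI service account surface as shadow admins: neither sits in an admin group, but each holds a right that leads to admin-level access, and neither has MFA. Service accounts are worth a second look in any real review, since they rarely get MFA and often accumulate permissions nobody revisits.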
PAM (and indeed, IAM) is an important and relevant feature to include in any forward-thinking cybersecurity architecture; in its 2021 Data Breach Investigations Report, Verizon revealed that of all breaches, over 70% had an element of privilege abuse.
Whether threat actors have commandeered a privileged account, or an actual employee has become compromised, it’s clear that employees having more access and privileges than they need is a huge cybersecurity risk and needs to be mitigated.
Managed Detection And Response
Lastly, attacks come from all angles and at all hours, which means your security measures need to be in place and running around the clock to fend off any attacks that might come your way.
Outsourcing some of your company’s cybersecurity workload is a great way to deliver this round-the-clock remediation and response strategy and connects your business to a wealth of experts that are highly adept in tackling sophisticated attacks.
Managed detection and response (MDR) refers to a consolidation of highly specialized staff, technology, and protocols that deal exclusively in threat detection and response. MDR providers combine machine learning, edge computing, artificial intelligence, and human intelligence to deliver an effective, 24/7/365 approach to threat hunting and remediation.
Highly specialized staff and automated tools carefully track network activity for any anomalies, analyzing and responding to these in real time. They also log network activity and correlate it with a vast library of threat intel and data.
These services provide constant and robust security, making them a smart choice for any company looking to increase threat prevention and remediation in anticipation of a wave of cyberattacks.
Security operations centers (SOCs) are a specific component of MDR; without a SOC, MDR is “incomplete”. SOCs constantly monitor and review threats and the level of exposure networks have to them, perform data analysis, carry out threat identification and analysis, and gather threat intel. They also provide organizations with guidance and recommended steps to take in the event of a breach or in anticipation of one, and they closely analyze an organization’s ability to withstand an attack. Like the wider domain of MDR, SOCs operate on a constant basis.
You can read more about MDR and SOC and what they provide and how they function in our featured blogs here:
What Is Managed Detection And Response (MDR)?
What Is A Security Operations Center (SOC)?
Email Encryption And Secure Email Gateways
Email-based communication is the business world’s go-to form of communication—and also its largest attack vector.
Emails are often sent with valuable information and data attached (which can be harvested via man-in-the-middle attacks and other methods) and can also serve as a gateway for malware and ransomware via phishing attacks, making email a lucrative and highly attractive target for attackers.
A great way to secure emails is via email encryption. While standard email servers do come with some level of encryption, it’s often not as secure as it could be. So, adding email encryption to your email server is a great way of making sure your information and data remains secure.
Email encryption works in two main ways:
- Transport layer security (TLS) encryption, which secures emails when they’re in transit only. TLS encryption is effective in helping to prevent man-in-the-middle attacks, although if an account is compromised then an attacker would be able to read the contents once an email has arrived at its destination. TLS is also ineffective in dealing with and preventing phishing attempts.
- End-to-end email encryption encrypts mail before it leaves the sender’s mailbox, and the mail stays encrypted throughout transit and after it arrives at its destination, making it incredibly difficult for an attacker to get hold of any information or data that is either in transit or at rest. End-to-end encryption offers the most secure form of email encryption but can be quite complex to configure and often takes time to set up.
It can be hard to decide between providers, as there are so many on the market. To make it easier, we’ve compiled a list of the best email encryption platforms below:
The Top 10 Email Encryption Platforms
With email servers being as insecure as they are, and consequently an attractive target, email is definitely something worth securing twice over.
Adding an extra layer of security in the form of secure email gateways (SEGs) can help bolster defenses by doing a further, deeper inspection of email traffic—which is beneficial for filtering out particularly evasive, hidden forms of malware or spoofed IP packets.
The Top 11 Email Security Gateways
Compromised passwords continue to be one of the largest contributors to data breaches, losses, and other forms of attack. In the same 2021 Verizon report, it was noted that 61% of hacking incidents stemmed from compromised credentials. Password reuse and the use of weak passwords are the leading culprits here, as such passwords are easy to guess and acquire.
Yet despite the warnings against using simple passwords or reusing them across many accounts, it’s easy to see why they remain a problem. “Password fatigue” refers to the phenomenon of users struggling to remember or manage the number of passwords they need to do their job; according to Asana’s 2021 Anatomy of Work Index Report, the average business worker uses up to 13 apps a day, all of which need accounts and all of which need passwords.
Password fatigue is also what leads to the temptation of auto-saving passwords to browsers (leaving them vulnerable to certain types of harvesting malware), reusing passwords across multiple applications and sites, or using passwords that are easy to guess.
With so many credentials to remember, and the need to make each password long and unpredictable to avoid compromise, it’s easy to see why poor password hygiene can be such an issue. Enter password management tools.
Password managers are essentially encrypted password vaults that can auto-generate complex passwords for all accounts and save them, auto-filling in credentials and logging users in without them having to enter the credentials themselves. The only password users need to remember will be the one used to sign into the vault, which they can do once at the beginning of a session or using biometric scans.
Particularly good password managers can also alert users when they detect password reuse, notify users of malicious or fake websites, and alert admins if their organization’s credentials have been spotted in a breach.
The Top 10 Password Managers For Business
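Two of the password manager features described above, generating complex passwords and detecting reuse, are simple enough to show directly. The following is an added example (not the article’s own code, and not taken from any password manager product) that generates passwords from a cryptographically secure random source, works out how much entropy that gives, checks a password against a simple composition policy assumed for the example, and groups the sites in a constructed vault that share a password.

```python
"""Added example: the generation and reuse-detection logic a password manager
performs. Uses Python's secrets module (a CSPRNG); the policy and the vault
contents are constructed assumptions."""
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password drawn with a CSPRNG (secrets, never random.choice)."""
    if length < 12:
        raise ValueError("length below 12 gives too little entropy for this policy")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly generated password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(password, min_length=12):
    """Simple composition policy (assumed for the example): minimum length plus at
    least one lower-case letter, upper-case letter, digit and punctuation character."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    return len(password) >= min_length and all(any(c in cls for c in password) for cls in classes)


def reused_passwords(vault):
    """vault maps site -> password. Return groups of sites that share one password,
    which is what a manager's reuse alert reports."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)


# Constructed vault: two passwords reused across sites, one unique generated password.
SAMPLE_VAULT = {
    "mail": "Spring2022!",
    "vpn": "Spring2022!",
    "crm": "Spring2022!",
    "hr-portal": "Winter2021?",
    "wiki": "Winter2021?",
    "ci": "q7#Zp!v2Lr9@Kd4$Wx1n",
}


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "policy ok:", meets_policy(pw))
    print("entropy bits at length 20:", round(entropy_bits(20, len(ALPHABET)), 1))
    print("reused across:", reused_passwords(SAMPLE_VAULT))
```

A 20-character password drawn uniformly from 94 symbols carries about 131 bits of entropy, far beyond what a human-chosen seasonal password offers; the reuse check is the same comparison a manager makes across the vault it already holds, which is why it can warn on reuse without ever sending passwords anywhere.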
While no one can say for certain what the cyber threat landscape is going to look like in the coming months, expecting and preparing for an increase in Russian-based attacks is a recommended approach.
Major organizations, especially those in finance, government, and others that have a public function, can potentially expect an increase in these attacks. The majority of organizations that may see an increase will already have most of the right protocols in place; however, they stand to benefit from updating, reconfiguring, and testing the protocols, policies, and security measures already in place, adapting and improving where needed.