Uncle Sam wants businesses and other organizations, especially those that protect critical infrastructure networks, to bolster their defenses against possible cyberattacks sponsored by Russia.
The buildup of Russian troops near the border with Ukraine has raised fears of an invasion accompanied by a wave of cyberattacks targeting not just the Ukrainians but also the United States and other NATO members that have rejected Russian demands that NATO bar Ukraine from ever becoming a member.
In a recently released joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) strongly urged the adoption of several mitigation strategies to help protect networks from the techniques and tactics commonly used in Russian-backed cyberoperations. The document also outlines approaches organizations can use to detect cyberattacks.
Among the mitigation actions recommended are the following:
- Patch all systems with a priority on patching known exploited vulnerabilities.
- Implement mandatory multifactor authentication for all users and establish a strong password policy.
- Use antivirus software.
- Develop internal contact lists and surge support.
Russian-backed cyberoperations have shown the ability to maintain long-term access in compromised enterprise and cloud networking environments. The cybersecurity advisory recommends steps for detecting persistent cyberbreaches:
- Implement robust log collection and retention using native tools such as M365 Sentinel and third-party tools such as Sparrow, Hawk, or CrowdStrike's Azure Reporting Tool to review Microsoft cloud environments and to detect unusual activity.
- Look for behavioral evidence or network and host-based artifacts from known Russian state-sponsored cyberattack techniques such as password spray activity and the use of compromised credentials.
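As an added illustration of the detection step above (not part of the advisory or this article), the following script runs a simple password-spray heuristic over constructed sign-in log lines: one source IP failing against many distinct accounts with only one or two attempts each, and any account that then signs in successfully from that same IP. The one-line-per-event log format and the thresholds are assumptions; real M365 sign-in logs carry more fields and would need a different parser.

```python
"""Password-spray detection over constructed sign-in log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, source IP, result. Not real data.
SAMPLE_LOG = """\
2022-01-20T08:00:01Z alice@example.com 203.0.113.7 FAIL
2022-01-20T08:00:04Z bob@example.com 203.0.113.7 FAIL
2022-01-20T08:00:09Z carol@example.com 203.0.113.7 FAIL
2022-01-20T08:00:13Z dave@example.com 203.0.113.7 FAIL
2022-01-20T08:00:18Z erin@example.com 203.0.113.7 FAIL
2022-01-20T08:00:22Z frank@example.com 203.0.113.7 SUCCESS
2022-01-20T08:05:00Z alice@example.com 198.51.100.3 FAIL
2022-01-20T08:05:30Z alice@example.com 198.51.100.3 FAIL
2022-01-20T08:06:00Z alice@example.com 198.51.100.3 SUCCESS
"""


def parse_events(text):
    """Parse the assumed 'ts user ip result' format into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result))
    return sorted(events)


def detect_password_spray(events, min_accounts=5, max_per_account=2, window=timedelta(minutes=30)):
    """Flag source IPs whose failures hit many accounts with few attempts each.

    Returns {ip: {"accounts": n, "followed_by_success": {users}}}. A single account
    hammered many times (classic brute force) is deliberately not a spray hit."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding time window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            fails = defaultdict(int)
            for ev in window_evs:
                if ev[3] == "FAIL":
                    fails[ev[1]] += 1
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                hit = findings.setdefault(ip, {"accounts": 0, "followed_by_success": set()})
                hit["accounts"] = max(hit["accounts"], len(fails))
                # A success from the spraying IP suggests a credential was guessed.
                hit["followed_by_success"] |= {ev[1] for ev in window_evs if ev[3] == "SUCCESS"}
    return findings
```

A success recorded under `followed_by_success` is the event to escalate first, since it indicates a compromised credential rather than just noisy failures.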
Organizations that detect potential breaches should do the following, the advisory says:
- Immediately isolate affected systems.
- Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
- Collect and review relevant logs, data, and artifacts.
- Consider soliciting support from a third-party IT organization to provide subject-matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- Report incidents to CISA and/or the FBI via your local FBI field office or the FBI's 24/7 CyWatch at 855-292-3937 or CyWatch@fbi.gov.
— To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.