On March 21st, President Biden released a warning about the possibility of Russian cyber warfare attacks against targets in the West as a response to sanctions. This is apparently backed by “evolving intelligence” and specifically mentions American companies and critical infrastructure. The President encouraged companies to collaborate with the government through the CISA “Shields Up!” effort, which collects information about compromises in order to share pertinent details with the public. Using this information, companies can better understand the active threats and prioritize mitigations or look for signs of compromise in their own environment.

It is not common for warnings such as this to come from the President, so it is important to understand what this might look like and how to defend ourselves. Attacks coming from Russia against Western organizations will likely take a different form than what is common. Most cyber attacks have a goal of stealing information or financial gain. The kinds of attacks we will see would be more focused on causing disruption and destruction.

There is a difference between the two doctrines, collectively known as Computer Network Operations (CNO). Nation-states regularly participate in CNO as part of their foreign policy and wartime activities, and this is where cyber security comes into play. NIST defines CNO as: “Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.”

Computer Network Exploitation (CNE) is generally associated with espionage activities and is what many organizations worry about in everyday security. Data breaches would fall under this category of attack. During a military conflict, Computer Network Attack (CNA) operations take priority over CNE.
NIST defines CNA as: “Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.” It is important to note that CNA and CNE are not mutually exclusive. A nation-state will often gain access to an organization for both purposes in case either becomes necessary.

CNA attacks, in the form of ransomware, are pretty common and of great concern to organizations. However, ransomware is often a result of being a target of opportunity. The attacks are also run by “unfocused” attackers whose goals will be different from a nation-state’s. It is dangerous to assume that if protections have been deployed for ransomware, CNA operations are also mitigated. CNA operations can take many forms; here are some examples:
- Disk wiping or corruption (including ransomware)
- Network based Denial of Service attacks
- Website defacements to deny information to users
- Configuration changes (system or network)
- Firmware attacks to disable key systems
- Attacks against SCADA/OT
- Insider threats to disable systems
Stopping Cyber Warfare Attacks Requires a Different Approach
Since a lot of effort in cybersecurity is directed at stopping data breaches and other similar attacks, a different tactic has to be taken when dealing with CNA operations. The first step is the same for both, though: stopping initial access. This is easier said than done, but it is still worth mentioning. With a determined attacker, which a nation-state would be, this might not be possible due to non-public exploits or insider threats. Mitigation is the key to dealing with a CNA operation directed at your organization. There are several ways to prepare for this possibility.

Tabletop Exercises
It is critical to understand how a CNA operation might look in your circumstances. It will vary greatly between different organizations. The best way to begin dealing with this threat is to start talking about what might occur. Tabletop Exercises are great for this purpose. If you have never been in one, a Tabletop generally walks through all phases of an attack and often leads to very valuable discussions and discoveries. These are discussions, not actual attacks. Incident response and other security firms often offer this as a service where they will send out a consultant to conduct the exercise. You should come away from it with a list of areas and issues which need to be addressed. When creating a Tabletop Exercise, deciding on a scenario is very important. You can leave this up to the person conducting the exercise or recommend one based on your concerns. A CNA attack that would disrupt your operations for a specified amount of time would be a perfectly valid scenario.

Visibility
You don’t want your first indication of an attack to be the resulting damage or an outage. Deploying tools which provide visibility into your critical infrastructure is a must. Traditionally, this has meant endpoints and servers or Operational Technology (OT) segments. Cloud, Kubernetes, and containers may also be critical to an organization’s operations. Those technologies must not be forgotten, and there are now tools that can provide that visibility. Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) tools are a good place to start when it comes to gaining visibility into your cloud and container environments. CSPM tools can provide you with an overall look at your cloud environment and point out any risky issues. CWPP will let you get an in-depth look at workloads during runtime, just like you might with EDR on endpoints and servers.

Follow Best Practices
Getting the basics right is still the best thing you can do to secure your organization, especially when it comes to cloud workloads. Sysdig has created several guides which can help you get started:
- Container security best practices: https://sysdig.com/blog/container-security-best-practices/
- Cloud vulnerability management best practices: https://sysdig.com/blog/vulnerability-assessment/
- Kubernetes monitoring best practices: https://sysdig.com/content-library/webinars/
- Google Cloud Platform best practices: https://sysdig.com/blog/gcp-security-best-practices/