On March 21st, President Biden released a warning about the possibility of Russian cyber warfare attacks against targets in the West as a response to sanctions. This is apparently backed by “evolving intelligence” and specifically mentions American companies and critical infrastructure. The President encouraged companies to collaborate with the government through the CISA “Shields Up!” effort, which collects information about compromises in order to share pertinent details with the public. Using this information, companies can better understand the active threats, prioritize mitigations, and look for signs of compromise in their own environments. It is not common for warnings such as this to come from the President, so it is important to understand what such attacks might look like and how to defend against them.
Attacks coming from Russia against Western organizations will likely take a different form than what is common. Most cyber attacks have a goal of stealing information or financial gain. The kinds of attacks we would see here would be more focused on causing disruption and destruction.
There is a difference between these two doctrines, which together fall under Computer Network Operations (CNO). Nation-states regularly participate in CNO as part of their foreign policy and wartime activities, and this is where cyber security comes into play. NIST defines CNO as:
“Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations”
Computer Network Exploitation (CNE) is generally associated with espionage activities and is what many organizations worry about in everyday security. Data breaches would fall under this category of attack. During a military conflict, Computer Network Attack (CNA) operations take priority over CNE. NIST defines CNA as:
“Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”
It is important to note that CNA and CNE are not mutually exclusive. A nation-state will often gain access to an organization for both purposes in case either becomes necessary. CNA attacks, in the form of Ransomware, are pretty common and of great concern to organizations. However, Ransomware is often the result of being a target of opportunity. Those attacks are also run by “unfocused” attackers whose goals differ from a nation-state’s. It is dangerous to assume that, because protections have been deployed for Ransomware, CNA operations are also mitigated.
CNA operations can take many forms; here are some examples:
- Disk wiping or corruption (including Ransomware)
- Network based Denial of Service attacks
- Website defacements to deny information to users
- Configuration changes (system or network)
- Firmware attacks to disable key systems
- Attacks against SCADA/OT
- Insider threats to disable systems
Stopping Cyber Warfare Attacks Requires a Different Approach
Since a lot of effort in cybersecurity is directed at stopping data breaches and other similar attacks, a different tactic has to be taken when dealing with CNA operations. The first step is the same for both, though: stopping initial access. This is easier said than done, but it is still worth mentioning. With a determined attacker, which a nation-state would be, this might not be possible due to non-public exploits or insider threats. Mitigation is the key to dealing with a CNA operation directed at your organization. There are several ways to prepare for this possibility.
It is critical to understand how a CNA operation might look in your circumstances, as it will vary greatly between organizations. The best way to start dealing with this threat is to talk about what might occur. Tabletop Exercises are great for this purpose. If you have never been in one, a Tabletop generally walks through all phases of an attack and often leads to very valuable discussions and discoveries. These are discussions, not actual attacks. Incident response and other security firms often offer this as a service, sending out a consultant to conduct the exercise. You should come away from it with a list of areas and issues which need to be addressed.
When creating a Tabletop Exercise, deciding on a scenario is very important. You can leave this up to the person conducting the exercise or recommend one based on your concerns. A CNA attack that would disrupt your operations for a specified amount of time would be a perfectly valid scenario.
You don’t want your first indication of an attack to be the resulting damage or an outage. Deploying tools which provide visibility into your critical infrastructure is a must. Traditionally, this has meant endpoints and servers or Operational Technology (OT) segments. Cloud, Kubernetes, and containers may also be critical to an organization’s operations. Those technologies must not be forgotten, and there are now tools that can provide that visibility.
Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) tools are a good place to start when it comes to gaining visibility into your cloud and container environments. CSPM tools can provide you with an overall view of your cloud environment and point out any risky issues. CWPP tools let you get an in-depth look at workloads during runtime, just as you might with EDR on endpoints and servers.
Follow Best Practices
Getting the basics right is still the best thing you can do to secure your organization, especially when it comes to cloud workloads. Sysdig has created several guides which can help you get started:
- Container security best practices: https://sysdig.com/blog/container-security-best-practices/
- Cloud vulnerability management best practices: https://sysdig.com/blog/vulnerability-assessment/
- Kubernetes monitoring best practices: https://sysdig.com/resources/webinars/kubernetes-monitoring-best-practices-2/
- Google Cloud Platform best practices: https://sysdig.com/blog/gcp-security-best-practices/
If you feel your organization has the basics taken care of (i.e. a threat detection program) a purple team may be a solid next step. A purple team consists of a coordinated red team and blue team attempting to reach a goal set by the organization. In the case of CNA, it might be to gain access to a key system that could disable the organization’s operations. The red team would be the attacker, while the blue team would work with the defenders to understand where there are gaps and what aspects of the attacks are being seen or missed. It also provides a great training opportunity.
Key assets will vary between organizations, but having the goal for the red team to gain access to your routing infrastructure or an AWS administrator account would be a good example. With that kind of access, an attacker wanting to deny or disrupt your operations would have very little trouble accomplishing their goal.
Incident Response Plan
In the event that a compromise does occur, it is important to have the capability to respond quickly and effectively. This can be accomplished in two ways: in-house IR or a 3rd party. If your organization does not have the resources to perform incident response, a 3rd party service should be used. Most IR companies use a retainer system, which makes it much more likely that you will get help when needed. Customers with a retainer will be helped first; during widespread incidents it may be difficult to find the help you need without one. It is also worth noting that many cyber-insurance policies either come with a retainer or offer special pricing with IR companies should you get one.
Ensuring that you have the proper tools available is also important. This is especially true if you have an in-house incident response capability. EDR is the tool of choice for traditional incident response. But what if you have a large cloud presence using Kubernetes and containers? CWPP tools can provide that in-depth visibility and forensic capabilities that an IR team would need to do their job.
Disaster recovery is probably the least enjoyable option, but it is the most important. What happens if a CNA operation succeeds and your organization is offline for an extended period of time? If you are delivering critical services this may be unacceptable, especially during a conflict. A robust disaster recovery (DR) plan is required, and it must be tested on a regular basis. These tests should be full-scale, in which all aspects of the plan are accounted for and run through. It is also worth noting that a determined attacker might be aware of your DR plans, so your security operations must also cover any DR assets.
For many organizations, in a situation where there is a military conflict, the technology aspect may not be a priority at all. However, if your organization needs to stay operational during such a time, CNA operations must be considered and defended against just as much as traditional data-focused attacks. Contacting a security services organization, or using an internal group, to conduct a Tabletop Exercise should be your first step; it will help guide continuing efforts to plug gaps in tooling and procedures.
About Michael Clark
Michael is the Director of Threat Research at Sysdig, managing a team of experts tasked with discovering and defending against novel security threats. Michael has more than 20 years of industry experience in many different roles, including incident response, threat intelligence, offensive security research, and software development at companies like Rapid7, ThreatQuotient, and Mantech. Prior to joining Sysdig, Michael worked as a Gartner analyst, advising enterprise clients on security operations topics.