Top 10: Cybersecurity Lessons CISOs Should Take from the Russia-Ukraine Conflict

Russia’s invasion of Ukraine is set to transform many different sectors for the foreseeable future, with impacts ranging from the cost of goods to energy access and production. Cyber is another area heavily affected by the conflict, which began nearly three weeks ago. For example, significant cyber and information operations have been observed both before and since the fighting started, perpetrated by nation-state-sponsored actors and individual hackers and hacktivist groups.

Organizations like the UK’s NCSC predicted that cyber operations arising from this conflict would expand beyond government institutions and hit private businesses, too, especially those involved in critical infrastructure and services.

A new report by research and consultancy firm Forrester goes even further, arguing that Russia’s invasion of Ukraine has permanently altered the cyber-threat landscape, and that security leaders across all organizations must be prepared for this new environment. The report stated: “If Russia’s invasion drags on for months, with more military losses and economic sanctions, enterprises should expect Russia to use cyber-attacks and cyber espionage to sow chaos and seek retaliation against Ukrainian allies and supporters. We predict state-sponsored cyber-attacks on Ukrainian military targets, government services, and critical infrastructure. There will also be cyber-attacks on similar institutions in countries supporting Ukraine – even if government cybersecurity agencies and threat intel providers can’t incontrovertibly attribute them to Russia. Whether you’re a government agency or retailer, you must prepare for a permanently changed threat landscape; no organization will be immune.”

Here are the top 10 lessons CISOs from across all sectors should take from Forrester’s report:

1) Any Brand That Has Taken a Stand Against the War Will Be at Heightened Risk of Attack

Numerous businesses have signaled their condemnation of the invasion, both through words and actions. For example, iconic brands like Coca-Cola, McDonald’s and Starbucks have suspended operations in Russia, while many others have issued statements criticizing the Kremlin’s actions. While many people will consider this laudable, it does make these organizations more likely to be targeted by Russian state-sponsored threat actors, and they should be prepared. The report noted: “Whether your organization is taking direct economic steps or merely using words such as ‘war’ and ‘invasion’ in your public communication of support – words that contradict Russia’s narrative – this makes you a target for cyber retaliation or cyber espionage today and long into the future.”

2) There Will Be More Insider Threats to Contend With

The researchers believe many organizations that have issued a condemnation of Russia’s actions will be at a higher risk of insider threats. They argue it would be naïve to assume entire workforces will agree with such a viewpoint, particularly in large, global firms. As a result, some workers may become disillusioned with their employer, increasing the risk of insider attacks. In addition, Russian operatives may reach out to users to convince them to share authentication credentials or plant malware in systems. Therefore, organizations should ramp up measures such as user monitoring and access controls.


3) Cryptocurrency Theft and Use Will Rise

Amid unprecedented economic sanctions leveled by Western countries against Russia, we are likely to see Russian actors turn to digital currencies, which are harder to track than traditional currencies, to circumvent these measures. Attempts to extort and steal cryptocurrency are also likely to intensify as a result. It should be noted that even before the current crisis, cryptocurrency was heavily linked to Russian cybercrime gangs. These concerns have led the US Department of the Treasury to advise financial institutions to increase vigilance for Russian attempts to evade sanctions via cryptocurrency. Therefore, companies involved in legitimate cryptocurrency transactions must be extra vigilant about this heightened risk.

4) Be Aware of Increased Spying/Cyber-Espionage

Even once the current conflict has concluded, the researchers observed, there is likely to be a period of heightened tensions between Russia and Western nations. This, in turn, means Russian threat actors are likely to step up cyber-espionage attempts to uncover vital information about particular countries, including by accessing corporate communications. Therefore, the authors advise organizations to take extra steps to protect these communications, such as using encryption tools.

5) Stay Up to Date With Advice From National Cybersecurity Authorities

National cybersecurity authorities, such as the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s NCSC, have sought to provide up-to-date information on cyber-threats emanating from the conflict. This includes advice and recommendations on specific actions organizations can take to protect themselves. The report noted that organizations would be well served to stay up to date with such guidance and implement its recommendations.

6) Improve Communication With Security Vendors

At a time of heightened cyber-threats, organizations should work more closely with their security vendors to ensure their most critical assets are as strongly protected as possible. In addition, the researchers advised organizations to request specific communications regarding threats relating to the conflict from these security firms.

7) Enhance Threat Intelligence Practices

As the Russia-Ukraine conflict continues, cyber-threats are likely to evolve and intensify. Therefore, security teams must ensure they have accurate intelligence in order to respond rapidly to new types of threats. Forrester analysts advised organizations to create a list of trusted international relations and cyber-threat intelligence experts who can provide advice on ways to respond. They added that security teams’ threat hunting efforts should focus on related, trusted intelligence.

8) Proactively Communicate With Business Executives

CISOs should take up the mantle and proactively provide regular updates to senior executives and board members in their organization, according to the report. This will reassure business leaders that a strategy is in place for dealing with new threats. In addition, this increased interaction with the board will help ensure a clear line of communication is maintained in the event of a cyber-incident, and when requesting extra security investment.

9) Review DDoS Protections

DDoS attacks have been a prominent feature of the Russia-Ukraine conflict, with websites of both governments taken offline at various points. Organizations must also ensure they are prepared to deal with such attacks. Forrester analysts offered the following advice: “Take three steps immediately: 1) ensure that you have agreements with one or more DDoS providers; 2) audit your web properties to ensure that they either have DDoS protection or that it can be marshaled quickly in the event of a direct attack or collateral damage; and 3) review your incident response plan to ensure it includes procedures and contact information in case of a DDoS attack.”

10) Ramp Up Incident Response Preparation

The researchers stated that organizations need to review their incident response strategies to deal with the increased risk of a targeted attack from sophisticated threat actors. Actions they can take include creating and running simulations of targeted attacks, varying those simulations by region, and employing additional incident response personnel.