The White House has warned about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed. To prepare, we recommend all organizations implement the following cybersecurity practices as soon as possible.
Improve Network Monitoring at Your Perimeter
Ensure you have visibility for incoming and outgoing traffic with appropriate safeguards.
- Monitor and consider blocking high-risk outbound network traffic:
- SSH (TCP 22)
- MSRPC (TCP 135)
- SMB (TCP 139, 445)
- Unsecured LDAP (TCP 389)
- Secured LDAP (TCP 636)
- MSSQL (TCP 1433)
- RDP (TCP/UDP 3389)
- WinRM (TCP 5985, 5986)
- Review your WAF configuration and set to blocking mode to mitigate zero-day attacks.
- Log, correlate, and review events. Focus on threat intelligence, lower alerting thresholds if possible, and be aware of risk patterns associated with Russian actor tactics, techniques, and procedures (TTPs).
Create Contingency Plans to Disconnect High Risk External Connections
Preparedness, control, and proactiveness are key in a successful defense.
- Inventory any unfiltered VPNs and other vendor/contractor connections. Make sure you have monitoring in place and understand access risks.
- Limit traffic destinations for high-risk protocols wherever possible (see column to the left).
- Watch for collateral damage and propagation via automation. NotPetya showed us that poorly monitored and unpatched interconnected systems provide reliable attack surfaces.
- Perform tabletop exercises to ensure readiness during any disruptive event and at least annually. Ensure all your key resources have current contact information and can support business continuity on short notice.
- Validate your backup and recovery processes.
Bolster Your Security Awareness Program
Educating end users will lower your risk from malware and social attack vectors.
- Implement or execute a simulated phishing campaign. These attacks are usually carried out via email but now are frequently delivered via SMS, phone calls, and social
- media. Ensure your employees are vigilant.
- Reassess your password standard. Encourage pass phrases and strong passwords: easy to remember, hard to guess. Use a secure password manager to reduce call
- center events due to users who use complex, hard-to-guess passwords.
- Implement MFA on any external ingress points. Consider expanding scope to those that don’t store or transmit sensitive information. If they pose a risk by being able to pivot to other systems if compromised, assume the worst.
- Timely and effective communication is paramount. Consider the human factor: most people are scared during conflicts. You’ll receive the best outcome by keeping your communications simple, actionable, and direct while delivering with calmness.
Improve Your Rigor Around Patching and Update Consistently
Poorly monitored, unpatched assets create additional risk.
- Ensure your assets are patched and up to date (computer systems, mobile devices, applications, etc.). Automatic updates are strongly encouraged.
- Ensure your endpoint detection and response agents are active, receiving threat intelligence feeds, and set to protect/block risks.
- Enable an allow-listing policy on your EDR solution (which files can execute). Recent attacks have showed Russian actors have misused legitimate drivers from trusted vendors, such as EaseUS (Partition Master), to weaponize wiper attacks and in some cases bypass poorly configured or mismanaged EDR/MDR.
- Look for behavioral evidence or network and host-based artifacts from known Russian state-sponsored TTPs. Table 1 from CISA’s Alert (AA22-011A) lists commonly observed TTPs.