Demonstrators from cars wave flags as Georgians rally in support of Ukraine after Russia began its military invasion of the country on February 24. The other night, Russia began a large-scale attack on Ukraine, with explosions reported in multiple cities and far outside the restive eastern regions held by Russian-backed rebels. As tensions mount, the threat of increased cyberattacks looms large. Today’s columnist, Etay Maor of Cato Networks, offers eight strategies for security teams looking to protect their organization’s during the current Russia-Ukraine crisis – and beyond. (Photo by Daro Sulakauri/Getty Images)

As the latest Ukraine-Russia conflict unfolds, security teams are holding their breaths for its looming cybercrime spillover. Cyberattacks have a way of getting out of control and escalating beyond borders. Case in point, the NotPetya malware meant for Ukraine which ended up paralyzing international giants like Maersk and Merck for weeks. Every organization, no matter size or significance, can expect to get caught in the crossfire. Given how Russia’s cyber offense capabilities have wreaked havoc on western critical infrastructure and corporations in the past, it will be a shame if we find ourselves unprepared yet again.

In that effort for mitigation, the UK’s National Cyber Security Center (NCSC) has urged British organizations to strengthen their cyber defenses in anticipation of the worst. Its warning comes with some actionable advice based on historic lessons learned the hard way. The advice resonates with what the cybersecurity community has been preaching all along.

Companies doing business with the U.S. Defense Department should also consult the joint advisory released last week by the Cybersecurity and Infrastructure and Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). 

Starting right now, organizations must reassess their cyber risks and reprioritize resources based on the current cyber dynamic.

Here’s what organizations can do to bolster their security in accordance with the new NCSC directive:

  • Patch hardware and software.

Ensure all devices accessing the corporate network are patched, including the software and productivity suites they run. If for some reason a system or service has unpatched vulnerabilities, reassess the risk it poses amid the heightened threat. Put other mitigations in place accordingly. Finally, review and revoke API keys that are no longer required.

  • Leverage least privileged access.

Implement the principle of least privilege, which dictates that users are given only the access and privilege they absolutely need to fulfill their job role. For instance, auditors who don’t need to make changes to accounts and resources should only have view privileges.

Organizations need multiple access control features, including device authentication, enterprise application access (EAA), and multi-factor authentication (MFA). However, simply investing in all these capabilities is not enough. It’s important to implement and configure them correctly to take full advantage of the features these solutions offer.

  • Lock down administrative access.

Organizations must know and limit who has exactly what privileges. They can analyze authorization events from their SIEMs to discover and remove the privileged users who haven’t recently logged in. Also, enable MFA across the board.

Reviewing all admin accounts is complicated, but essential for organizations using disparate network and security solutions each with its own management interface. SASE users can utilize their single-pane-of-glass management console to manage and control access across the network.

  • Remove unused user accounts.

In addition to administrative accounts, companies must review and delete any old, unused user accounts. Synchronize the changes across all systems and user directories. Also, if a user-specific configuration overrides global policy, it must do so with good reasons. Again, a unified management console can improve visibility and simplify user and access management.

  • Revisit firewall rules.

Organizations need to integrate their identity-aware and application-aware next generation firewalls (NGFW) with a secure web gateway (SWG) for secure and controlled access to the web and cloud. Sometimes encrypted traffic entering enterprise networks can contain malicious elements. It’s crucial to enable Transport Layer Security (TLS) inspection to analyze encrypted traffic to and from the network regardless of source and destination.

In the current situation, companies should inspect all firewall rules again, and implement a final “block all” rule to block any traffic that isn’t specifically allowed. Now’s also a good time to invest in a professional firewall review service.

  • Log all network activities.

Heightened threats mean that organizations must start logging everything. They need to monitor key logs and retain all logs for at least a month for early detection and diagnostics. The cloud can give organizations an edge in that they can scale up features, such as logging, in real-time. They can then use SIEM and other analytics tools to generate alerts and reports on security incidents.

  • Enable enhanced threat protection.

Increased risk of state-sponsored threats does not diminish the usual risk of cyberattacks by cybercrime syndicates and zero-days. Comprehensive threat prevention requires multiple capabilities and technologies. Business executives must collaborate with their in-house security teams and external providers to ensure they have all the features they need and that they are properly configured.

Companies using converged security solutions should consider implementing all the features their solutions offer. Others will need to acquire the features they lack and integrate them with their existing security stack.

  • Enact 24x7 detection and response.

Cyber incidents are unpredictable and threat actors won’t care for off-hours and weekends. Considering the volatile situation, organizations must have 24x7 incident response capabilities, whether through in-house expertise or through a managed detection and response (MDR) service. Again, scaling up or down detection and response capabilities at whim needs the elasticity of the cloud.

Many of these NCSC recommendations are easily implementable or even accounted for in SASE deployments because of their cloud-native and consolidated nature. Cloud gives the elasticity to scale up or down security provisions. Consolidation gives the freedom to pick and choose capabilities as and when needed. Finally, a unified management console for the entire network also removes visibility loopholes and the vulnerabilities they create, allowing organizations to fully leverage capabilities they’ve invested in.

Gartner has been predicting that the future of network and security was in the cloud and convergence. The efforts to rapidly adapt to unforeseen circumstances, like a global pandemic and a looming cyberwar, continue proving that the prediction couldn’t have been more accurate. For organizations that haven’t already, it’s time to head in that direction to prepare for whatever the future holds. 

Etay Maor, senior director, security strategy, Cato Networks