Global Tensions Trigger Surge in Cyber Attacks: 5 Key Preparedness Steps
In the past few weeks, governments around the world, including the UK, US, Australia and New Zealand, have issued warnings that Russia’s invasion of Ukraine could lead to intentional or spillover cybersecurity attacks on organizations outside the region. It is clear from our conversations with third parties and our threat intelligence partners that there is, without a doubt, increased malware activity, as well as scanning targeting corporations.
A number of agencies have issued helpful alerts in response. For example, the United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) issued a joint alert about new malware dubbed Cyclops Blink.
A common question our global cyber team is receiving is: what activities should I now prioritise? Businesses understand that it takes a good amount of time to achieve a level of cyber maturity in which optimal operations and defences are embedded. The recent alerts suggest that that time may not be available. Beyond any immediate technical priorities identified by their cybersecurity teams, companies are therefore focusing on the minimum steps they can take to improve their ability to respond to and recover from an event.
Now is the time to take some simple, yet critical steps to prepare, as follows.
- Response Plans: Review and (if needed) update your incident response plans to ensure the right roles and responsibilities are accounted for. Make sure that contact information is listed for all the responsible people in the plan and that you have succession planning in place for key team members. Update your internal escalation points in light of the heightened risk. And print the plans out (if the plans are stored on a computer locked by ransomware they could be impossible to retrieve).
- Out-of-Band Communications: Make sure that you have a way to interact with your incident response team outside your typical communications bands. Hackers have been known to read emails of compromised companies, or even to join crisis calls that are scheduled on compromised systems. Use business continuity and disaster recovery communications systems, or at the very least, distribute passwords to Zoom, Teams, or Webex calls using a separate system.
- Incident Response Vendors: Identify and engage (proactively) with your incident response vendors. Every hour counts in incident response, and spending 4 hours finding a vendor and entering into contracts could be precious time lost in an incident. Think about your incident response vendor, ransomware negotiations vendor, and crisis communications firm, among others. Engage these through your lawyers to protect attorney-client privilege. Make sure the vendors you choose have deep cyber incident response experience and are not just information security firms or PR firms that also do cyber.
- Backups: Test that your backups are actually working and can be restored. All too often in incident response we find that the presumed backups had gaps or integrity issues. We also see that the speed of restoration could be the difference between choosing restoration or paying a ransom. Test now so you can make informed decisions later.
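The backup test described above can be scripted so that it runs as a regular drill rather than an afterthought. The following is an added example written for this article, not code from the original post or from any vendor: it builds a small constructed backup archive with a separately kept SHA-256 manifest, restores the archive into a scratch directory, and reports every file that is missing (a gap in the backup) or whose contents no longer match (an integrity issue). The sample file names and contents are invented for the demonstration.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "production" files for the drill (not real data).
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2022-03-01,100\n",
    "hr/staff.txt": b"alice\nbob\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict, archive_path: Path) -> dict:
    """Write files into a gzipped tar archive and return a manifest of
    relative path -> sha256 digest. Keep the manifest apart from the
    archive: it is the reference the restore test is checked against."""
    manifest = {name: sha256_bytes(data) for name, data in files.items()}
    with tarfile.open(archive_path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return manifest


def restore_and_verify(archive_path: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore the archive into restore_dir, then check every manifest entry.
    Returns {"ok": [...], "missing": [...], "corrupted": [...]}."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # The "data" filter (newer Python) refuses absolute paths and
            # ".." traversal in member names; older interpreters lack it.
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)
    report = {"ok": [], "missing": [], "corrupted": []}
    for rel_path, expected in manifest.items():
        restored = restore_dir / rel_path
        if not restored.is_file():
            report["missing"].append(rel_path)        # gap: never backed up
        elif sha256_bytes(restored.read_bytes()) != expected:
            report["corrupted"].append(rel_path)      # integrity issue
        else:
            report["ok"].append(rel_path)
    return report


def backup_is_restorable(report: dict) -> bool:
    """A backup only counts as working when nothing is missing or corrupted."""
    return not report["missing"] and not report["corrupted"]


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end drill: back up, optionally damage the archive, restore, verify.
    tamper=True simulates the gaps and integrity issues seen in real incidents."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        archive = tmp / "backup.tar.gz"
        manifest = make_backup(SAMPLE_FILES, archive)
        if tamper:
            damaged = dict(SAMPLE_FILES)
            damaged["hr/staff.txt"] = b"alice\n"   # silently truncated file
            del damaged["config/app.ini"]          # file that was never captured
            make_backup(damaged, archive)          # overwrite archive, keep original manifest
        return restore_and_verify(archive, manifest, tmp / "restore")


if __name__ == "__main__":
    for label, tamper in (("clean backup", False), ("damaged backup", True)):
        report = run_restore_test(tamper)
        print(label, "restorable:", backup_is_restorable(report), report)
```

Run against a real backup, the manifest would be generated at backup time and stored with the printed response plan or another location the backup system cannot overwrite; the restore step should also be timed, since the article's point about restoration speed versus paying a ransom can only be answered with a measured figure.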
- Threat intelligence: Continue to review the latest threat intelligence from governments and threat intelligence firms and feed it into your own activities. Fast patching could make the difference. See CISA’s guidance on additional technical preparation steps (Additional tips).