With recent sanctions levied on Russia due to the conflict in Ukraine, there is an increased risk of cyber attacks for US businesses. All organizations, large and small, should be prepared to detect and respond to disruptive cyber activity in the coming days & weeks.

In the coming days and weeks, we encourage all organizations to take a more proactive approach to their cybersecurity and protect their most valuable cyber assets.

Actions to take that reduce the likelihood of cyber harm

Ensure that all remote access to the organization’s network and privileged or administrative access is protected by multi-factor authentication.

Prioritize updates that address published exploits and vulnerabilities, specifically those identified by CISA that are highest in risk to this campaign.

Disable all services, ports, and protocols not being used for business purposes. It is recommended to configure alerts and automated notifications for indicators of attack or Compromise to critical services, ports, and protocols.

If the organization has a cloud-hosted infrastructure, ensure that I.T. resources have assessed and employed strong security controls recommended by CISA.

Sign up for CISA’s free cybersecurity vulnerability scanning services to help reduce your exposure to anticipated threats.

Steps to optimize detecting indicators of attack

Ensure that cybersecurity resources are dedicated to detecting and quickly responding to any unexpected or unusual network behavior.

Ensure that your organization’s log settings are tuned for adequate logging detail to have the most adequate investigative information to respond to cyber-attacks.

Confirm that every asset in your organization’s network, or externally connected device, is protected by an antivirus/antimalware tool. Verify that these tools’ antivirus/antimalware signatures are updated automatically.

Identify any associations of any asset, system, or cross-organizational connection to Ukrainian organizations and tag or identify them by similar labeling means. Take extra care to monitor, inspect, and isolate traffic while giving additional risk considerations to any alerts or indicators from those assets or associations.

Steps to optimize Responding to indicators of Compromise

Designate a response team with predetermined notification procedures for a suspected cybersecurity incident. Response teams should represent I.T. Resources, Cybersecurity personnel, Public Relations representation, Legal Department resources, and Business Stakeholders from every business unit. Make sure to confirm the availability of key personnel from each identified department.

Identify the means to engage surge support from Cybersecurity consulting firms specializing in incident response.

• Contact the organization and identify the process to request a response.
• Ensure they have adequate resources to support your organizations.
• Validate that your organization is authorized to request its services outside of regular business hours in the event of an emergency.

Take the time to conduct a tabletop/practice cyberattack exercise soon to ensure that your organization is prepared for every possibility before an actual incident.

Maximize your organization’s ability to quickly recover from a cyber incident

Test backup procedures to ensure that I.T. resources can quickly restore critical data if the organization is affected by ransomware or any destructive cyberattack. Ensure that backups are inaccessible from outside network connections.

If using industrial control systems or automated technology, conduct a test of manual controls to ensure that the business will remain functional if the organization’s network availability is compromised.

By following the steps outlined above, all organizations can make significant progress toward enhancing their Cybersecurity and resilience in the short term.