The Democratization Of Cybersecurity – Ukrainian Conflict 2022
- Reef Noor

- Jun 16, 2022
- 4 min read
Updated: Mar 11, 2024
For most people, the term cyber security invokes defensive measures. However, cyber security has always included both offensive and defensive postures. In the world of cyber security, there are “Red” teams that focus on offensive security and “Blue” teams that play defense. Of course, there are purple teams, and they play a hybrid role.
This structure in cyber security is modeled after military training exercises, and each role plays a critical part in an organization.
The red team takes on the role of an attacker to find and exploit weaknesses in an organization. These may be technical, process, or human weaknesses. The tools of the red team’s trade are the same ones that the hackers use such as social engineering, phishing, and vishing attacks, exploiting systems vulnerabilities, etc.
The blue team, on the other hand, is tasked with detecting and blocking the advances of the red team. They do this by establishing baselines of what normal activity looks like on their network and spotting anomalies. They likely have several hundred use cases defined, each with playbooks that must be executed to mitigate an attack. Their main responsibility is to detect, prevent, and manage incidents.
For instance, suppose your website typically serves 3,000 clients in an hour. A huge spike in activity on your website, let’s say to 10,000, which is more than 3x your expected traffic, should raise alarms. A spike like this might suggest that you’re experiencing a denial-of-service attack (DoS – essentially clogging the network pipe or system resources so that your systems are inaccessible, or overwhelming the capacity of your systems). A mature cyber security practice would have baseline statistics and use cases for 2x and 3x traffic, with different levels of priority and escalation already defined.
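To make the baseline-and-threshold idea concrete, here is a small added example (not code from the original post) that parses constructed web-server log lines, counts requests per hour, compares each hour against a baseline derived from historical hourly counts, and assigns a severity tier at 2x and 3x. The log format, the history figures, the tier names and the use of the median as the baseline are all assumptions made for this example.

```python
"""Baseline-and-threshold traffic anomaly check (added example, not from the post)."""
from collections import Counter
from statistics import median

# Escalation tiers assumed for this example: >= 3x baseline -> high, >= 2x -> medium.
# Checked highest-first so an hour lands in the most severe tier it qualifies for.
TIERS = ((3.0, "high"), (2.0, "medium"))


def hourly_counts(lines):
    """Count requests per hour from log lines of the assumed form
    '<ISO-8601 timestamp> <client ip> <method> <path> <status>'.
    The hour key is the first 13 characters of the timestamp, 'YYYY-MM-DDTHH'."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue  # skip blank lines rather than crash on them
        timestamp = line.split(" ", 1)[0]
        counts[timestamp[:13]] += 1
    return counts


def baseline(history_counts):
    """Baseline hourly volume from past hourly counts.
    The median (rather than the mean) keeps an old spike from inflating 'normal'."""
    return median(history_counts)


def classify(count, base):
    """Return (severity, ratio) for one hour's request count against the baseline."""
    ratio = count / base
    for threshold, severity in TIERS:
        if ratio >= threshold:
            return severity, ratio
    return "normal", ratio


def evaluate(history_counts, current_lines):
    """Map each hour present in the current log to its severity tier and ratio."""
    base = baseline(history_counts)
    return {hour: classify(n, base)
            for hour, n in sorted(hourly_counts(current_lines).items())}


# --- Constructed sample data (not real traffic) ---------------------------
# Hourly request counts from a "quiet" period, used to build the baseline.
HISTORY = [2900, 3100, 3000, 2950, 3050, 3000, 3100]


def make_lines(hour_prefix, n, ip="203.0.113.10"):
    """Generate n constructed log lines inside the given hour (e.g. '2022-03-01T09')."""
    return [f"{hour_prefix}:{i % 60:02d}:{(i * 7) % 60:02d}Z {ip} GET /index.html 200"
            for i in range(n)]


# One normal hour, one at roughly 2x, one at more than 3x the baseline.
CURRENT_LOG = (make_lines("2022-03-01T09", 3100)
               + make_lines("2022-03-01T10", 6500)
               + make_lines("2022-03-01T11", 10000))

if __name__ == "__main__":
    for hour, (severity, ratio) in evaluate(HISTORY, CURRENT_LOG).items():
        print(f"{hour}: {severity} ({ratio:.1f}x baseline)")
```

Running the block prints one line per hour, with 09:00 as normal, 10:00 as medium and 11:00 as high. In practice the threshold alone only opens a use case; the playbook that follows would still check whether the spike is a legitimate event (a campaign, a news mention) before treating it as a DoS, and would separate baselines by time of day or weekday, since a single median across all hours hides normal daily variation.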
Now that you understand the basics of the red and blue team, I want to share what’s happening behind the scenes with the Russian-Ukrainian conflict. I would like to state that I have no stake in the matter, no investments in either of the countries, and that I’m more concerned about the individuals on either side than I am about the politics or “rightness” of the situation.
For years we’ve been hearing about social media and the information war, but few have been paying attention to the cyber war that’s been raging non-stop for the better part of the last decade. Highly skilled professionals sponsored by states (countries) are conducting thousands of attacks a year on critical infrastructure such as power and water treatment plants, hospitals, police departments, government websites, and financial institutions.
This current Ukrainian-Russian conflict has seen war on both the traditional fronts and on the cyber front. A recent BBC article highlights some activities.
“Viktor Zhora, deputy chairman of the State Service of Special Communications, said that his cyber-security teams have been working to defend critical Ukrainian web services successfully and that “they are not afraid of Russian” attacks on their power grids or nuclear sites.”

Cyber war has typically been state-sponsored, but with the Ukrainian conflict something changed. Ukraine is facing a foe that is much stronger in all aspects of traditional and cyber warfare. While Ukraine has asked for traditional support from other countries, it is also seeking the help of individual hacktivists (hacker-activists) and the cyber security community at large to bring down Russia’s cyber army. Essentially, Ukraine has crowdsourced its cyber army. And the world has responded. Everyone from script kiddies (inexperienced hackers) to specialists in the field has taken up digital arms to bring down Russian government websites and the Russian stock exchange, leak information about Russian forces, track the movement of jets belonging to Russian oligarchs, and perhaps even infiltrate Russian utility systems.
In response, Russia has released the IP addresses from which it claims the attacks originated. IP addresses are like phone numbers in that they can be loosely associated with an entity, country, etc. While the map alone leaves a lot to be unpacked, including the masking methods hackers use, it can be said with some degree of confidence that Russia’s retaliation will not take those masking methods into consideration.

Russia is sure to retaliate. And when it does, it might start by attacking businesses and organizations in countries unfriendly to it, according to CISA (Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation).
“Although the two malware strains have only been deployed against Ukrainian networks so far, the threat actors deploying them could also accidentally hit other targets, and US organizations should be ready to prevent such devastating attacks.
Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”
CISA has provided a list of mitigations and best practices. Key topics include:
- Communication flow
- Access control
- Monitoring
- File distribution
- System and application hardening
- Recovery and reconstitution planning
- Incident response
The Ukrainian-Russian conflict has given the Russians additional motivation to attack businesses in Western countries such as the United States, Canada, Germany, France, and England.
Will your organization be one of those attacked by Russia?
What does it mean for your business if hackers lock you out from your systems?
Do you know what “normal” is for your business?
Will you be able to spot anomalies?
Do you have backups of your critical systems that you can rely on?
If these high-level questions have left you stumped, get in touch with us. While we have experience working with larger agencies and organizations, we realize the importance of simplifying cyber security for small and medium-sized businesses. We understand the constraints of small businesses and therefore provide specific, economical, and easily actionable solutions that make you a smaller target for hackers. Our goal is to make small and medium-sized businesses cyber safe.
P.S. We highly recommend visiting websites such as CISA, as they do an amazing job of cataloging the current threat landscape and providing useful information to protect both individuals and businesses.