Russia’s invasion of Ukraine over 100 days ago sent an earthquake rippling through the global landscape, and the ramifications have been profound. The war has made waves in the political, military, economic, and of course, cybersecurity spheres.
Ukraine’s government agencies, banks, and other institutions have been struggling against a rising tide of cyberattacks executed in parallel with the invasion. These include misinformation and disinformation campaigns, data-wiping malware, distributed denial of service (DDoS) attacks, and the spear phishing of Ukrainian executives and high-level officials. These attempts to compromise Ukraine’s public and private institutions are meant to support Russian interests and further incapacitate an already beleaguered nation.
Conventional warfare is typically confined to the geographic area in which adversaries are capable of causing destruction. Cyber belligerents, however, realize that our shared digital space has no borders, treaties, or terrain. When war erupts in cyberspace, it creates an opportunity for attackers to hide their activities, cover their tracks, and otherwise plausibly deny their involvement. Malware intended to target a specific country can quickly spread beyond it. Worse, financially motivated threat actors (like ransomware operators) can easily leverage the invasion to lure victims residing beyond Ukraine's borders. In other words, this invasion increases the cyber risks for everyone, not merely those associated with the nations involved.
Organizations worldwide continue monitoring the situation, moving data, assets, and bolstering cyber defenses to fortify their security postures. As a world leader in cybersecurity, Zscaler offers vital guidelines for creating suitable cybersecurity strategies during this challenging period. With no resolution to the war in sight and the danger of escalation looming, it's important organizations refine their strategies on an ongoing basis.
Minimize the attack surface
The most critical step for improving security is implementing a buffer between your organization's digital services and the public internet. The goal is to hide all possible resources from the globally viewable and attackable internet. For instance, Zscaler Private Access (ZPA) provides access to applications and services, regardless if they are hosted on-premises, in a cloud, or any combination thereof. As outbound traffic from the Zscaler cloud, the IP addresses of all endpoints, including user devices and servers, are invisible to the external world and the number of publicly available applications is minimized. Those apps only meant to be accessed by employees, partners, and contractors become truly private, dramatically the organization’s attack surface. Threat actors can’t exploit what they can’t see.
Following the principles of least-privileged access also significantly reduces cyber risk. In cases where complete obfuscation isn’t possible, implement stringent security controls to make it as difficult as possible for attackers to compromise exposed services and use them as a beachhead from which to launch further attacks.
Double down on the basics
Installing security patches as quickly as possible is a critical component of good cyber hygiene, yet the sheer number of OS and application-layer vulnerabilities discovered daily make it difficult in practice. But, during global upheaval, accelerated patch rollout is a necessity, not a goal. It must be a priority for all publicly accessible systems, without exception.
Automated provisioning solutions can assist in meeting this challenge, but additional effort may still be required to pull in developers and application owners, which increases the mean time to patch and lengthens vulnerability remediation. It’s only a matter of time before a motivated attacker locates and exploits a target's unpatched vulnerabilities.
This is why incident responders are critical to containing and limiting the impact of a breach, should one occur. To remain in business and out of the headlines, incident response plans addressing all attack scenarios must be clear, easily referenced, and well-practiced. Every team member must be intimately familiar with their role in responding to a cyber incident.
Zero trust architecture: The time is now
If your organization isn’t already implementing zero trust principles, it’s time to act. Start with users by vigorously authenticating identities on a per-session basis before providing access to apps and data. Familiarize IT leadership with zero trust principles and ensure they design cybersecurity strategy around them, from the highest level of abstraction to the lowest.
The easiest and most impactful way to start a zero trust journey is to limit the impact of application vulnerabilities via session-based micro-tunnels using the connection methods described above. Rather than grant network-wide access to an authenticated entity, you restrict its access solely to the specific application or system needed for their narrow business purposes.
Invasion-specific considerations
Users’ access rights in impacted regions are points of particular vulnerability. Therefore, their authentication process must be particularly rigorous. Geographically sensitive users must reauthenticate themselves daily or even more frequently to mitigate the added risk they pose.
It may even be necessary to deploy geo-location blocks within network egress points using a service like Zscaler Internet Access (ZIA). This prevents users from accessing services, applications, or connecting with other end users in impacted regions or countries deemed high-risk or undesirable due to the invasion.
For many organizations, SSL/TLS traffic is a literal blind spot. Encryption leaves security teams with no way to inspect or filter packets possibly containing malware or other malicious payloads. Comprehensive SSL/TLS inspection at scale restores oversight and is especially useful where authenticated users may have had devices compromised.
Finally, implement additional security controls to protect critical assets and those that may be especially attractive to state-backed actors. Stringent data loss prevention (DLP) policies and controls are important for preventing intellectual property exfiltration.
Naturally, this overview only scratches the surface of the possibilities for compromise and defense relevant in times of war. All organizations should create a custom strategy for their particular business objectives. We suggest interested parties start a dialogue with us – our expertise and capabilities are literally at your service in this time of global turmoil.
What to read next
Zero trust as a framework for fighting back against cyberwarfare
Public sector zero trust fundamentals: Moving ahead in uncertain times