The Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning that American companies should be extra cautious about potential hacking attempts from Russia as tensions with the country rise, particularly during the Russia-Ukraine crisis.

The Russian government understands that disabling or destroying critical infrastructure — including power and communications — can augment pressure on a country’s government, military and population and accelerate their acceding to Russian objectives, CISA says.

Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy. All organizations in the U.S. are at risk from cyberattacks that can disrupt essential services and critical infrastructure and impact public safety. Therefore, CISA recommends that all organizations — regardless of size — adopt a high posture when it comes to cybersecurity and protecting their most critical assets by following four steps:

  1. Reduce the likelihood of a damaging cyber intrusion
  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization uses cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
  • Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

2. Take steps to quickly detect a potential intrusion

  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging to better investigate issues or events.
  • Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

3. Ensure that the organization is prepared to respond if an intrusion occurs

  • Designate a crisis-response team with main contact points for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
  • Assure availability of key personnel; identify means to provide surge support for responding to an incident.
  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

4. Maximize the organization’s resilience to a destructive cyber incident

  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

“The “Shields Up” initiative is a well-timed reminder that without sound security measures, a myopic focus on productivity is not sufficient to sustain business continuity,” says Gadi Naveh, Cyber Data Scientist at Canonic. Nation-state adversaries present a clear danger to business continuity, so now it’s an excellent opportunity to step up security controls and reduce the attack surface associated with third-party security. “Such an alert backs the office of the chief information security officers (CISO) when presenting security priorities to the board and other senior executives.”

Sandy Dunn, Chief Security Officer at BreachQuest, says the warning is a call to action to every business leader, CISO and cybersecurity team. Dunn recommends that CISOs act on the Shield’s Up Message the same way a person listens and acts when the weatherman warns that a hurricane may be headed to the area you live in. “For a hurricane, you check the windows, the pantry for food supply, buy extra water, and batteries for a working flashlight,” she explains. 

In this case, a cybersecurity team needs to double down on their environment, Dunn says, by calling a team meeting to ensure teams are on high alert, review the incident response plan and have it available. Security leaders should also send a message to the users to watch for suspicious activity. “It’s critical to send a message to the executive leadership in the organization that the Shield’s Up message is a call to action, and that you are prepared.”

While identifying the signal in the noise is a skill developed through experience, a CISO needs to curate the threat information feed to align their urgency to action from the message, Dunn says. “They need to protect their organization and team from alert fatigue, so when there is an important alert such as the Shield’s UP warning from CISA, the organization takes appropriate action.”

Yesterday, CISA, the Federal Bureau of Investigation and the National Security Agency also issued a warning to the U.S. cleared defense contractors (CDC) — including those who support the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs —  whom nation-state actors have targeted to obtain sensitive U.S. defense information and technology. The warning details the industries and information Russian actors have targeted, common adversary tactics, detection and incident response actions, and mitigation recommendations. 

All CDCs are encouraged to apply the following mitigations in the advisory to reduce the risk of compromise by Russian state-sponsored cyber actors. CDCs should use the list of mitigations as a checklist to identify areas of improvement that they can prioritize, says Tim Erlin, VP of strategy at cybersecurity company Tripwire, commented. “While these mitigations are core security controls that organizations should be implementing already, it’s important that we not let the perfect be the enemy of the good.”