Although companies should always prepare for attacks, there is an increased likelihood of them now in retaliation for the sanctions. Many banks and other organizations will be looking to increase their active threat hunting inside their networks as well as ensuring their cloud services are protected. Cloud services are where organizations are often the most vulnerable. Because of this there is an increased focus on services like GCP, AWS, and Microsoft Azure. The pressure isn’t just on the groups using the platforms, but on the platform owners so that they can ensure they are not leaving their clients vulnerable to an attack.
One of the most anticipated types of attacks would be ransomware. A large-scale ransomware attack on the banking infrastructure (including SWIFT) would leave western banks helpless and would also impact global trade. As with Russian citizens, the people that will be the most impacted would be the common people who suddenly find themselves without access to their funds and unable to pay for goods and services (like food). As most modern ransomware also includes exfiltration of data, it would have other consequences even if a ransom was paid.
Other potential areas of attack are infrastructure (electricity, oil, water, etc.), defense contractors, air traffic controls, and military targets. Hitting infrastructure targets could have a similar effect to hitting the banks, as it could potentially deny millions basic services. Air traffic systems would ground travel and shipping, which would have its own economic impact. Lastly, defense contractors and military control systems, although an unlikely target at this stage, would hinder any response to a “shooting war” and would give Russian forces an edge if they were to start a full-scale war.
Russia is meeting with Ukraine today to see if they can come to a peaceful agreement. If that effort fails, things are going to escalate quickly as Russia looks to complete their goal of annexing the Ukraine by force. The Ukraine and their allies are not going to sit idly by, so we fully expect to see targeted attacks on Russian infrastructure, command and control facilities and their banks as well. Anonymous has announced they are going to be targeting Russian organizations and already claim to have broken into the Russian Ministry of Defense.
Organizations are advised to get their response and security teams in order (they should already have been doing this). Their programs should include aggressive access and account controls for both internal networks and cloud services. They should either already have or acquire cloud service monitoring along with behavior-based anti-malware that works on standard endpoints, mobile devices, and containers. Active threat hunting, if not already in place, should be combined with an aggressive red-team program. Red teams and pentesters should not just be looking for known vulnerabilities, but also the unknown ones. Think of this as “best practices” on steroids.
The attack warnings are not just for large organizations, but also smaller ones that tie into the services of larger companies. If you have not gotten your security where it should be, now is the time to start.