Are Your Shields Up?
May 23, 2022

by Jeanne Zepp

The threat Russia poses to Ukraine – and the free world – is not lost on anyone. Missiles and other armaments kill Ukrainian people daily and destroy the country's cities, utilities, transportation hubs and more. Even before the physical invasion, Ukrainian organizations experienced cyberattacks that turned off power and affected critical IT systems. Now, with a Russian escalation underway and the impact of economic sanctions likely to be felt, the potential for cyberattacks within and beyond Ukraine's borders is high, especially those involving ransomware.

Early on, the federal government sounded the alarm for U.S. organizations to harden their infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) launched the Shields Up initiative to provide updates on cyberattacks and guidance for protecting against malicious cyber activity. The guidance is specific to three audiences: organizations, corporate executives and individuals.

SHIELDS UP GUIDANCE

Shields Up recommends organizations take four overall steps:

1. Institute preventive measures.

  • Require multi-factor authentication for network access.
  • Update software, giving priority to those addressing known exploited vulnerabilities.
  • Disable all nonessential ports and protocols.
  • Implement strong controls over cloud services, as applicable.
  • Use CISA's no-cost cyber hygiene services, including vulnerability scanning.

2. Detect potential intrusions as soon as possible.

  • Monitor networks, focusing on atypical behavior.
  • Install antivirus/antimalware software and update regularly.

3. Implement an incident response plan.

  • Form a crisis response team with specified roles and responsibilities.
  • Ensure availability of team personnel for incident response and make provisions for surge support.
  • Practice team roles by conducting tabletop exercises.

4. Maximize resilience.

  • Back up data in locations separate from the network. Test backup procedures to verify their capability to achieve quick network restoration.
  • Test manual controls (when relying on industrial control systems or operational technology) to verify operability of critical functions.
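One concrete way to act on the "disable all nonessential ports and protocols" item is to compare what a host is actually listening on against a short allowlist of the services it is supposed to run. The script below is an added example written for this post; it is not CISA tooling. It parses the output of `ss -Hlntup` (Linux, iproute2), which is reproduced here as a constructed sample, and the allowlist for a hypothetical web server is an assumption you would replace with your own.

```python
"""Audit listening sockets against an allowlist of essential services.

Added example for the Shields Up "disable nonessential ports and protocols"
step; not CISA code.  Input is `ss -Hlntup` output (Linux).  The sample
below is constructed, and ESSENTIAL is a hypothetical web-server allowlist.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hlntup` output (-H suppresses the header line).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=977,fd=5))
tcp   LISTEN 0      50           0.0.0.0:23        0.0.0.0:*    users:(("inetd",pid=640,fd=4))
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*    users:(("smbd",pid=1330,fd=15))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=702,fd=8))
"""

# Hypothetical allowlist: (protocol, port) -> process expected to own it.
ESSENTIAL = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "nginx",
}

LOOPBACK_PREFIXES = ("127.", "[::1]")


@dataclass(frozen=True)
class Listener:
    proto: str
    local_addr: str
    port: int
    process: str


# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("proc",pid=..,fd=..))]
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss` lines into Listener records; unparseable lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners.append(
                Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?")
            )
    return listeners


def audit(listeners: list[Listener], essential=ESSENTIAL) -> list[tuple[str, Listener, str]]:
    """Return (severity, listener, reason) for every socket needing attention."""
    findings = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in essential:
            # Allowed port, but make sure the expected daemon owns it.
            if essential[key] != lst.process:
                findings.append(("high", lst, f"allowed for {essential[key]} but bound by {lst.process}"))
            continue
        if lst.local_addr.startswith(LOOPBACK_PREFIXES):
            findings.append(("low", lst, "nonessential but loopback-only; confirm it is needed"))
        else:
            findings.append(("high", lst, "nonessential and network-reachable; disable or firewall it"))
    return findings


if __name__ == "__main__":
    for severity, lst, reason in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"[{severity}] {lst.proto}/{lst.port} {lst.local_addr} ({lst.process}): {reason}")
```

On a live host you would pipe `ss -Hlntup` into `parse_ss` instead of the sample; the useful distinction the audit makes is between services bound only to loopback and services exposed to the network, since only the latter widen the attack surface Shields Up is asking you to shrink.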

Shields Up encourages organizations to report cyber incidents as soon as possible so that CISA can assist in recovery efforts and share the tactics employed with others.

RESPONDING TO A RANSOMWARE ATTACK

A Ransomware Guide, jointly developed by CISA and the Multi-State Information Sharing and Analysis Center, offers a detailed checklist to follow should a ransomware attack occur. A summary follows.

  • Determine the systems affected and isolate them.
  • Power down devices that cannot be disconnected from the network to limit ransomware spread.
  • Prioritize affected systems for restoration and recovery.
  • Have the incident response team document the findings from their preliminary analysis.
  • Reach out to relevant parties and communicate how they can assist incident mitigation, response and recovery.
  • Create a system image and capture the memory of a sample of affected devices.
  • Contact the Federal Bureau of Investigation or other appropriate federal law enforcement agency regarding the availability of a decryptor specific to the ransomware employed.
  • Consult guidance from trusted sources specific to the ransomware variant and follow any additional recommended actions.
  • Specify the systems and accounts involved in the initial breach, including email accounts.
  • Contain systems associated with the breached systems/accounts to prevent ongoing unauthorized access. Recognize the possibility of credential exfiltration and safeguard against it.
  • Determine whether an infected workstation is encrypting server-side data.
  • Examine detection/prevention systems (antivirus, Endpoint Detection & Response, Intrusion Prevention System, etc.) and logs to ascertain whether other systems or malware were involved.
  • Extend analysis to identify persistence mechanisms (outside-in/inside-out).
  • Rebuild systems in order of priority.
  • Perform password resets for all affected systems and address any associated vulnerabilities and gaps in security or visibility.
  • Declare the incident over once established criteria have been met.
  • Reconnect systems and restore data.
  • Document lessons learned and update/refine organizational policies, plans and procedures.
  • Consider sharing lessons learned with CISA.
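The checklist item "determine whether an infected workstation is encrypting server-side data" is usually answered from the file server's audit trail: a ransomware process encrypts a file and renames it in place, so one client renaming many distinct files to the same new extension within seconds stands out from normal use. The detector below is an added example written for this post, not part of the CISA/MS-ISAC guide. It reads a constructed audit log in a simple whitespace-separated format (timestamp, client, user, operation, path, optional new path) modelled on an SMB audit log; the window and threshold are assumptions to tune for your environment.

```python
"""Flag a client that renames many files on a share to one new extension.

Added example for the "is a workstation encrypting server-side data?"
checklist step; not from the CISA/MS-ISAC Ransomware Guide.  The log
format and sample below are constructed; WINDOW and THRESHOLD are tunables.
"""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import os

# Constructed file-server audit log: ts client user op path [new_path]
SAMPLE_LOG = """
2022-05-23T09:14:00 10.0.5.17 jdoe read   /finance/q1.xlsx
2022-05-23T09:14:02 10.0.5.17 jdoe write  /finance/q1.xlsx
2022-05-23T09:14:02 10.0.5.17 jdoe rename /finance/q1.xlsx /finance/q1.xlsx.locked
2022-05-23T09:14:04 10.0.5.17 jdoe rename /finance/q2.xlsx /finance/q2.xlsx.locked
2022-05-23T09:14:05 10.0.5.40 asmith rename /shared/draft.docx /shared/final.docx
2022-05-23T09:14:06 10.0.5.17 jdoe rename /finance/budget.docx /finance/budget.docx.locked
2022-05-23T09:14:09 10.0.5.40 asmith rename /shared/report.tmp /shared/report.pdf
2022-05-23T09:14:09 10.0.5.17 jdoe rename /finance/forecast.pptx /finance/forecast.pptx.locked
2022-05-23T09:14:12 10.0.5.17 jdoe rename /finance/notes.txt /finance/notes.txt.locked
2022-05-23T09:14:15 10.0.5.17 jdoe rename /finance/payroll.csv /finance/payroll.csv.locked
2022-05-23T09:14:20 10.0.5.40 asmith write  /shared/final.docx
"""

WINDOW = timedelta(seconds=60)   # look-back per client (assumed tunable)
THRESHOLD = 5                    # distinct files renamed to one new extension


@dataclass(frozen=True)
class Event:
    ts: datetime
    client: str
    user: str
    op: str
    path: str
    new_path: str | None = None


def parse_events(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        client, user, op, path = parts[1:5]
        new_path = parts[5] if len(parts) > 5 else None
        events.append(Event(ts, client, user, op, path, new_path))
    return events


def detect_mass_rename(events: list[Event], window=WINDOW, threshold=THRESHOLD) -> list[dict]:
    """Return one alert per (client, extension) whose rename burst crosses the threshold."""
    recent: dict[str, deque] = defaultdict(deque)   # client -> (ts, new_ext, old_path)
    alerted: set[tuple[str, str]] = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "rename" or ev.new_path is None:
            continue
        old_ext = os.path.splitext(ev.path)[1].lower()
        new_ext = os.path.splitext(ev.new_path)[1].lower()
        if new_ext == old_ext:
            continue                      # ordinary rename; extension unchanged
        q = recent[ev.client]
        q.append((ev.ts, new_ext, ev.path))
        while q and ev.ts - q[0][0] > window:
            q.popleft()                   # expire events outside the window
        matching = [(t, p) for t, ext, p in q if ext == new_ext]
        files = {p for _, p in matching}
        if len(files) >= threshold and (ev.client, new_ext) not in alerted:
            alerted.add((ev.client, new_ext))
            alerts.append({
                "client": ev.client,
                "user": ev.user,
                "extension": new_ext,
                "files": len(files),
                "first": min(t for t, _ in matching),
                "last": ev.ts,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['client']} ({a['user']}) renamed {a['files']} files to "
              f"{a['extension']} between {a['first'].time()} and {a['last'].time()}")
```

An alert here gives the responder the client address and account to isolate and the share paths already touched, which feeds directly into the "determine the systems affected and isolate them" and "specify the systems and accounts involved" steps above. Renames that keep the original extension are ignored so that routine edits do not count, and the user who renames a couple of files to different extensions never reaches the threshold.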


ASSISTANCE IS AVAILABLE

There are many free resources available to assist in prevention, detection, response and resilience maximization. CISA lists them by category here.

• • •

The Shields Up initiative offers optimum ways to address the cybersecurity threats Russia poses. CISA is constantly adding new information and guidance, so be sure to consult the Shields Up webpage often.
