Statement by President Biden: What you need to do (or not do)
Yesterday, President Biden released a statement warning of a possible escalation of cyberattacks from Russia. The statement does not offer a lot of specifics. But it does link to two valuable documents:
- Fact Sheet: Act now to protect against potential cyberattacks.
- CISA "Shields Up" site.
So what does this mean for you? What should you do (or not do), and what kind of attack should you expect? The answers depend in part on your organization.
If you are part of a government network (or a contractor) or part of critical infrastructure: Reach out to your specific ISACs or other information-sharing organizations to see whether any details are available. For everybody else: Keep reading.
Let me first mention a few things that will not help:
- Blocking all traffic from Russia (and Belarus)
"Random" blocklists are unlikely to block the attack. They may be helpful for other purposes, for example if you no longer want to do business with these countries, or to "cut down the noise," since you may see some politically motivated nuisance scans from these countries. The same may be true for other countries. Before blocking, double-check that there is no legitimate need for access from these countries.
- Starting a major security initiative and rushing it to "be ready" (like rolling out MFA by the end of the week).
This is not the time to make significant, rushed changes to the network. If anything, you want to reduce your workload at this point to have capacity if something terrible happens. This is true for any significant (disruptive) change. A change freeze may be worth considering in some cases.
- Sending a lot of updates to staff and management about what should/should not be done.
Again: Do not add to the noise. If there is something actionable to communicate and share: Share! But this isn't the time to send lengthy emails reminding people of impending doom if they click on an attachment. They either know not to by now, or your email will not make a difference.
Things you should do:
- Keep senior leadership informed (if you are leading the team/security department)
One purpose of a presidential statement is to raise awareness. Non-tech news outlets widely covered this statement, and your boss or boss's boss likely heard about it and may have questions about how you or your team are preparing. Have a brief ready to keep them informed. Use the "Fact Sheet" above, and explain how you address the controls the fact sheet mentions. Be honest, show that you have the issue under control, and outline what may be missing (and how they can help, for example, by providing resources).
With a high-visibility announcement like this, there may be a lot of pressure to "do something." Make sure what you are doing makes sense. This kind of management pressure can easily become a denial of service attack against your staff. Avoid it by having answers ready for senior management. This isn't the time to do "something," but to do things that make sense, that are planned, and that fit into your larger security strategy.
- Avoid busywork
The statement is vague and does not contain any specific information about what threat to expect. Avoid keeping your team busy with "double-checking" or "rescanning" things they just recently did. Trust your team. If anything, encourage them to take a day off now. Whatever will happen (if it happens) will likely happen soon, and you need a rested team to work the extra hours once the attack hits. Now is not the time for long hours and overtime.
- Review recent events
The best you can do is look at recent events in Ukraine and review the TTPs associated with them. For the most part, wipers were used in an attempt to disrupt networks. They typically didn't use any new vulnerabilities to enter the network. In addition, a denial of service attack is a likely scenario.
- Share!
Share what you are seeing. Some things may not make much sense to you, but others may help solve your puzzle, and your observations may help them understand theirs.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu