HOW TO OPTIMIZE AND STRENGTHEN YOUR CYBER POSTURE IN TODAY'S GEOPOLITICAL CONTEXT


Amid the heightened awareness of cybersecurity threats arising from today's geopolitical context, I wrote this article to provide a high-level overview of the major cyber-related developments and the recommended services that can help mitigate their potential impacts.

Proactively managing the crisis

As the tragic events have unfolded in Ukraine, we are and continue to be concerned and saddened for all who are affected by the resulting humanitarian crisis. We are also mindful of the global impacts of the crisis. With the latest economic sanctions imposed upon Russia and its ejection from the Society for Worldwide Interbank Financial Telecommunication (SWIFT), many companies fear retaliation from state-sponsored cyber groups.

These disruptive and destructive cyber operations have the potential for far-reaching impacts on business and infrastructure, supply-chain integrity, public opinion and reputation, and the value of products and services across industries including government, aerospace and defense, energy, transportation, oil and gas, and banking and financial services.

Known key attacks recorded to date

Our security practice operates with the mindset to expect and mitigate evolving threats at all times. As such, we are actively monitoring the evolving cyber threats, which at this time of publication include:

  • Distributed Denial-of-Service (DDoS) attacks on critical entities, such as government and financial institutions, had been increasing in intensity even before the start of Russia’s military operations in February. [Ref links: 1 [computerweekly.com], 2 [wired.com], 3 [zdnet.com]]
  • “Conti Group,” a very prolific ransomware operator, has extended its support to Russia to “strike back” at Russian detractors. [Ref link: threatpost.com]
  • “CoomingProject,” a hacker group that steals data, received its first instructions to attack France and Canada. [Ref link: IT World Canada]
  • “Stormous,” a new ransomware operating group, announced its support for the Russian government and carried out attacks against the government of Ukraine and a Ukrainian airline. [Ref links: Stormous Hacker, Digital Shadow]
  • A number of hacktivist groups, such as “Anonymous” and “AgainstTheWest,” have declared cyberwar on Russia and its allies. “Anonymous” recently shut down Russia’s space agency, Roscosmos. [Ref links: threatpost.com, Cybernews]
  • Data wipers such as “HermeticWiper” have been discovered on Ukrainian infrastructure and were likely planted weeks before the formal invasion took place. They are often bundled with other types of malware infections, such as DDoS or Trojan attacks. The pace at which these new, destructive malware families are being deployed and discovered is unprecedented, and it further highlights the need for organizations to have an active and informed defense strategy that extends beyond signature-based defenses. [Ref links: sentinelone.com, microsoft.com/security, welivesecurity.com, trendmicro.com]
  • Spearphishing and password brute-forcing to obtain credentials (e.g., Windows credentials) and/or deploy malware. [Ref links: Asylum Ambuscade, Spearphishing (SaintBot/OutSteel), Spearphishing (FormBook)]
  • Social engineering to promote misinformation, cause chaos and spread confusion. [Ref links: Phishing Scams, Fake website – link 1, link 2]

The current geopolitical climate calls for hypervigilant active defense measures across both the private and public sectors. The modus operandi of these cyber threat actors is disruption and/or destruction; most of the indicators of compromise received from various intelligence sources have been for wiper-style malware.

How can our cybersecurity team help?

CGI is strongly committed to the security of its clients and their data.

We are here to help you quickly evaluate your state of preparedness across a broad spectrum of cyber defense capabilities: detection, prevention, and response.

Our cybersecurity teams are on heightened alert and are actively monitoring for any indication of active threats, exploits and compromises, including malicious cyber activity associated with and adjacent to the escalating military conflict.

CGI offers a suite of high impact, targeted areas of capability to secure your organization. These rapid response capabilities can help realize immediate value and improvement to your security posture. CGI has vast experience securing and protecting clients’ IT assets and infrastructure across many enterprise sizes and industry sectors.

Below are five key questions that executives should ask to determine whether their enterprise is appropriately protected and prepared in the event of a cyber attack:


Do I have the mechanisms for early detection and proactive threat hunting across my enterprise?

CGI Enhanced Detection and Response (ENDR)

Enhanced Detection and Response (ENDR) is a CGI Managed Security Service that provides complete endpoint visibility within your organization, extending across your network, servers, cloud and/or applications. The ENDR offering (as opposed to EDR/MDR) allows for centralized and normalized collection of all endpoint data, enriched through correlation with network data. ENDR solutions use a diverse range of processes, including analysis of both internal and external traffic, integrated threat intelligence, and machine learning, to enable earlier detection. Together, these elements form a complete, informed, and robust rapid response process. CGI brings the added capability of quickly reading, identifying and implementing vendor-provided hunt queries and detection rules, which require manual intervention and tuning. CGI is also able to review and dissect malware samples (e.g., Russian malware) to enhance hunting and detection capabilities, improving an organization’s security posture beyond the out-of-the-box capabilities provided by EDR tools alone.

Am I prepared to respond and recover should an incident occur?

CGI Digital Forensics and Incident Response (DFIR)

Security breaches are an unpleasant fact for any organization. Being proactive in preparing for and managing incidents is crucial for clients to accelerate remediation timelines. CGI’s managed DFIR service provides pre- and post-breach support, designed to ensure timely response and mitigation activities should an incident occur. The DFIR process is composed of two components: digital forensics and incident response.

The digital forensics component helps to assess an organization’s overall breach preparedness, develop CGI-partner incident playbooks that address all aspects of response, and deploy forensic-ready tools in the client’s environment for threat detection and response. Additionally, CGI resources will collect, examine and analyze forensic data in order to provide the client with high-value, ongoing reporting on critical findings.

Upon identification of a breach, CGI’s incident response capability will provide incident command services (such as security triage), and breach coaching (advice and assistance with appropriate incident responses). Active threat hunting is a core component of the service; CGI’s incident response team will search for active attacks within clients’ systems and processes, especially in those adjacent to the site of the existing breach. Malware analysis is performed to determine the origin of the attack, identify the risk of further attacks, and implement immediate fixes required to secure the client’s environment.

Do I have the necessary network visibility and control needed to protect my environment?

CGI Distributed Denial of Service (DDoS)

CGI’s managed DDoS prevention service is designed to take a holistic approach to protecting our clients from DDoS attacks, a matter of particular importance in light of current events. DDoS attacks pose a unique challenge to the modern enterprise, with threats coming in various forms, including traffic, network and application attacks. Loss of network availability for critical services is the core result of a DDoS attack. DDoS attacks are random in nature and impossible to predict, so effective mitigation requires advance planning.

The unpredictable nature of, and motivations behind, DDoS attacks require organizations to regularly assess their exposure and risk posture. Individual customer risk and exposure profiles will differ. CGI recognizes this and will offer bespoke considerations for each client when designing, evaluating, and implementing DDoS prevention strategies. We are committed to working closely in partnership with our clients to provide a solution that aligns closely with the needs and risk profile of the organization in question.

Am I prepared to prioritize, remediate and mitigate vulnerabilities?

CGI Vulnerability Management Service (VMS)

Many organizations struggle with the complexity and high overhead of various endpoint security controls, such as patch management and the application of appropriate vulnerability fixes. CGI’s Vulnerability Management Service (VMS) assesses discovered vulnerabilities and works directly with clients to agree on remediation plans. Our offering allows for flexibility with respect to the target assets that need to be scanned; using this service model, CGI can dynamically scan a network segment and provide asset discovery that can be used as the basis for any scheduled scan. Considering the current crisis, CGI has placed a special emphasis on the most relevant APT groups and is closely monitoring a wide breadth of sources to make use of any newly created and verified indicators.

Additionally, our delivery model includes a security advisor assigned to the account. The security advisor will work with clients’ asset owners to facilitate any remediation action required and track clients’ vulnerability management posture as a result of the scans.

Are our employees being appropriately trained on cybersecurity?

CGI Phishing Defence Suite

Without training, organizational awareness, and advanced response tools, phishing attacks will succeed. The best method for defeating these attacks, especially those coming from Russia and its allies, is to empower clients’ staff to become a critical line of defense and provide them with the analysis and tools they need to manage and mitigate incoming threats. CGI offers a managed Phishing Defence Suite that raises user awareness of potential threats through phishing simulations and customized computer-based training. Our service will additionally support users in detecting and reporting phishing attacks, and will enable security teams to prioritize reported emails, quarantine suspect messages, and remove phishing threats from the client environment.


Per CISA’s recommendations, organizations should consider how to isolate and monitor those connections to protect their data, infrastructure, financials and reputation from potential collateral damage.

Recommendations

  • IP geofencing: Geolocation filtering (which is of limited effectiveness on its own).
  • Identify unusual inbound activity or trends: Monitor the delta of traffic inbound to your perimeters (both accepted and blocked) from various “sensitive geolocations” and watch for anomalies.
  • Identify unusual outbound activity or trends: Monitor your outbound traffic to anomalous or sensitive locations.
  • Adjust alerting thresholds: Temporarily lower your alerting thresholds for threat and information sharing.
  • Continuous risk monitoring: Consider enhanced monitoring (or blocking) of known Tor exit nodes, VPN providers, etc.
  • Reduce risk of exposure: Reduce exposure to only the services specifically needed to serve your critical business functions.
  • Endpoint detection and response: Verify that your endpoint protection, antivirus, and firewall filter signature updates are being applied, either automatically or manually by your team (depending on the vendor and product), at an increased frequency.
  • Diligent and thorough vulnerability and patch management: Increase the frequency and depth of your vulnerability scans, and accelerate the vulnerability/configuration remediation timeframe; that is, ensure discipline and timeliness in patching.
  • Cybersecurity awareness and training: Use current incidents to raise user awareness, including for personal devices: ensure both the system and antivirus are patched and updated, and be extra vigilant while using email, your phone, and social media.
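As an added illustration of the inbound-delta check recommended above (this is not code from the original article or from CGI), the following Python script tallies accepted and blocked inbound connections per source geolocation in a constructed firewall log format and flags "sensitive" geolocations whose volume jumps against a baseline window. The log format, the placeholder country code ZZ, and the ratio and minimum-event thresholds are all assumptions.

```python
from collections import Counter, defaultdict
import re

# Constructed log format (assumption): "<ts> <ACCEPT|DROP> src=<ip> geo=<CC> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) dport=(?P<dport>\d+)$"
)

def parse(lines):
    """Yield (geo, action) for well-formed lines; skip anything malformed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("geo"), m.group("action")

def tally(lines):
    """Count accepted and blocked inbound connections per source geolocation."""
    counts = defaultdict(Counter)
    for geo, action in parse(lines):
        counts[geo][action] += 1
    return counts

def anomalies(baseline, current, sensitive, ratio=3.0, min_events=5):
    """Flag sensitive geolocations whose current volume is at least `ratio` times
    the baseline window (or absent from the baseline), ignoring tiny samples."""
    flagged = {}
    for geo in sensitive:
        base_total = sum(baseline.get(geo, Counter()).values())
        cur = current.get(geo, Counter())
        cur_total = sum(cur.values())
        if cur_total < min_events:
            continue
        if base_total == 0 or cur_total >= ratio * base_total:
            flagged[geo] = {"baseline": base_total, "current": cur_total,
                            "accepted": cur["ACCEPT"], "blocked": cur["DROP"]}
    return flagged

# Constructed sample windows; "ZZ" is a placeholder country code.
BASELINE_LOG = [
    "t1 ACCEPT src=198.51.100.10 geo=CA dport=443",
    "t2 ACCEPT src=198.51.100.11 geo=CA dport=443",
    "t3 DROP src=203.0.113.5 geo=ZZ dport=22",
    "t4 ACCEPT src=203.0.113.6 geo=ZZ dport=443",
]
CURRENT_LOG = BASELINE_LOG[:2] + ["malformed line, skipped"] + [
    f"t{5 + i} {'DROP' if i % 2 else 'ACCEPT'} src=203.0.113.{i} geo=ZZ dport=443"
    for i in range(10)
]

def run_check():
    return anomalies(tally(BASELINE_LOG), tally(CURRENT_LOG), {"ZZ", "CA"})
```

In practice the baseline would be a rolling window of your own perimeter logs, and a flagged entry is a prompt to investigate, not proof of an attack.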


I am concerned about my security posture and have questions about what to do next…

Next steps

The above capabilities are just a sample of the cybersecurity services that can help accelerate prevention, detection and response readiness in a geopolitical climate that demands robust solutions to counter the increasingly sophisticated threats being deployed by a range of threat actors across the globe.

Connect with me today to learn more about how we can be your partner for the cybersecurity solutions that best protect your enterprise.

Shane Bouchard

Legal Counsel at Department of Justice Canada | CIRNA/ISC Legal Services Unit

2 years ago

Well documented. Simple steps we all can take.

Batoul Ajrouche

Client Operations Integrator

2 years ago

Well done Priscilla

Jim Morrison Lafreniere

Jim-as-a-Service | CISSP, CCSP | MITRE ATT&CK Defender

2 years ago

Just wow!
