As the war in Ukraine continues to escalate the UK National Cyber Security Centre (NCSC) is urging British organisations to prepare for a major increase in cyber-attacks and has heightened the national cyber threat level.
With the UK playing a leading role in imposing sanctions on Russia and providing military and humanitarian aid we should be under no illusion that this is not a war being fought thousands of miles away. There is a new front line, the internet.
Russia has been launching relentless cyber-attacks on Ukraine. Recently, Ukrainian banks and military websites have been taken offline by DDoS attacks and new, highly advanced “wiper” attacks like HermeticWiper are removing data on any machine that becomes infected. These have quickly spread across the country affecting thousands.
Putin has so far been picking his battles, but the longer the war in Ukraine continues to escalate the greater the chance of all-out cyber warfare. GCHQ believes that this evolving threat will quickly spread to the UK as the infamous NotPetya malware did in 2017. It is widely assumed that NotPetya was created by the Russian military specifically to target Ukraine but ended up costing the global economy around $10 billion after it spread across the world.
It is not just the UK that is worried either. Just yesterday US President Biden released an official statement to the public:
“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners.”
“It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
“If you have not already done so, I urge our private sector partners to harden your cyber defences immediately by implementing the best practices we have developed together over the last year.”
CEOs need to understand the risk to their critical business systems that are dependent on the internet and show that they have taken appropriate action to reduce the risk of a cyber-attack. Every organisation can take steps right now to ensure systems are secured and plans are in place to help mitigate the inevitable attacks.
The NCSC has provided a helpful checklist to ensure businesses have all the basics covered.
| Task | Action | How we can help |
| Check your system patches are up to date | Ensure all desktops, laptops and mobile devices are running on the latest software versions including 3rd party systems like browsers and productivity programmes.
Make sure all of the business devices are running the latest firmware releases. Patch your internet-facing services for known security vulnerabilities. If patching is not possible ensure other Vulnerability Management mitigations are in place. |
Our managed Vulnerability Management Service includes regular scanning of your entire IT estate to identify any systems that are not patched and up to date and therefore present a vulnerability risk.
We can also work with your business to put a robust vulnerability management plan in place. |
| Verify Access Controls | Check that all staff use passwords that are unique to your business and not shared with other personal accounts.
Enable Multi-Factor Authentication (MFA) and ensure it is configured correctly. Ensure that you have a Role-Based Access Control (RBAC) policy in place with all users of all levels having the precise privilege level required for the systems they interact with. Monitor all accounts with high privilege levels and look for any unusual behaviour patterns. Make sure all old, unused or unrecognised accounts are checked and deleted if no longer required. |
Our Dark Web Monitoring Service searches for compromised accounts linked to your domain and raises alerts when new ones are discovered.
Our Consultancy Team can help build a custom RBAC policy for your business. Our SOC Team can monitor your users accounts for suspicious behaviour using our User and Entity Behaviour Analytics (UEBA) tool. |
| Ensure defences are working | Check that antivirus software is up to date and installed on all machines within your corporate network.
Maintain firewall rules and make sure there are no temporary rules left in place beyond the expected timescale. |
A Managed Endpoint Detection and Response (EDR) service will ensure all of your corporate devices are protected with the latest antivirus software. In the event of a breach the automated service will contain and remediate the threat at machine speed before the malware can replicate and spread. |
| Logging and Monitoring | Retaining and monitoring logs is key to early identification of a cyber-attack.
As a minimum, antivirus logs should be monitored and stored for at least one month. If PCI DSS compliance is required for your business then the logs must be stored and searchable for at least 3 months. |
Our Managed SOC provides a cheap and efficient way to monitor all of your logs either 8×5 or 24×7. It also provides remediation plans in the event of a breach so your systems are recovered quickly. |
| Review your back ups | Confirm your backups are running correctly.
Perform test restorations from your backups to ensure the restoration process is familiar and understood. Check there is an offline copy of your backup- and that it is always recent enough to be useful in the event of an attack resulting in loss of data or system configuration. Ensure machine state and any critical external credentials are also backed up (private keys, access tokens), not just data. |
Our Consultancy Team can work closely with your business to audit your current processes and help build a bespoke Disaster Recovery and Business Continuity Plan for your business. |
| Incident response plan | Check your incident response plan is up to date.
Confirm escalation routes and contact details are all up to date. Make sure your incident response plan shows clarity on who has the authority to make decisions, especially outside of normal office hours. Ensure your incident response plan and the communications methods it uses will be available, even if your business systems are not. |
Our Consultancy Team can help you to define a streamlined incident response plan.
As part of our SOC offering, our senior analysts will form the backbone of your incident response team and can lead or work closely with key stakeholders in the event of a breach to ensure swift remediation. |
| Check your internet footprint | Check that records of your external internet-facing footprint are correct and all up to date.
Ensure that domain registration data is held securely and that any delegations are as expected. Perform an external vulnerability scan of your entire IT landscape and check everything you need to patch has been patched. |
Our Testing Teams can perform red- teaming exercises and penetration tests to understand how prepared your organisation is to defend against a highly skilled and persistent hacker.
They can also regularly scan and monitor your entire IT environment for potential security weaknesses which can be exploited. |
| Response to Phishing emails | Ensure staff understand how to report phishing emails.
Make sure you have a process in place to deal with reported phishing emails. |
Our Security experts can provide Phishing Protection which includes regular training and simulation exercises. They can also assist with investigation and remediation in the event of a breach. |
| Access to Third Parties | Make sure you have a comprehensive understanding of what level of privileges third party organisations hold within your IT network and estate, as well as to who.
Remove any access which is no longer required. Make sure you understand the security practices of your third party suppliers. |
Our Consultants can provide guidance and templates for a secure Third Party Access Control policy including questionnaires that must be completed by all suppliers.
They can also perform an audit of existing suppliers and provide a report on any improvements required. |
| Register for NCSC Services | Check your CiSP account works so you are able to share threats with other organisations and receive updates from NCSC.
Register for the Early Warning service so that NCSC are able to inform you of any reported malicious activity regarding your systems. |
On top of the Threat Intelligence services provided by NCSC, our SOC Team has access to the most comprehensive and up to date TI databases in the world.
Data from these sources are automatically uploaded to our SIEM tool so our customers are protected within minutes of a new threat being detected. |
| Educate your wider organisation | Ensure that your wider teams understand the situation and the wider threat. In order to complete the actions described it is crucial you get buy- in from the rest of the business.
Make sure colleagues in all areas understand the potential impact on their team’s workload. Confirm staff know how to report suspected security events and understand why reporting during a period of heightened threat is so important. |
Our Consultancy Team can conduct internal training modules to educate and inform your wider teams on potential impacts.
They are also able to support or assist in ensuring wider teams understand how and where to report suspected security events. |
Mondas is a UK based specialist cyber security company that can, within days, implement a cost-effective protective security shield around your business or help you to extend the capabilities of your internal security team, to reduce the impact of a traumatic and disruptive cyber-attack on your digital assets, data and staff.
We are here to help so please Get In Contact…
Or, follow our socials for all the latest tips and trends within Cyber Security.
