The uncertainty surrounding the armed conflict in Ukraine also raises numerous questions: How can companies protect themselves from getting caught between the fronts and becoming a target? There is only one thing that is certain: There are currently more questions than answers.
The information described here represents the current status at the time of publication. Should there be any changes, these will be added subsequently and marked accordingly.
Overall, there is a lot of movement on the subject of Ukraine, and the warnings have not been very specific so far. The BSI speaks of an "abstractly increased threat situation". The overall impression comes down to "Actually, we all don't know anything for sure either, but we have to be careful". It seems that no one really knows what to do in this situation as a business owner. However, if we take a look at what is happening in the crisis area, we get a different picture. Authorities, banks and media seem to be the primary targets at the moment. Further attacks in Ukraine are directed against the water and electricity supply. In Germany, the Funke Mediengruppe has already suffered DDoS attacks.
Citizens, businesses and industry associations are - rightly - demanding information about the situation, but that is exactly what is thin on the ground at the moment. And the information that does exist does not always come from reliable sources or leaves plenty of room for interpretation.
The question remains, however: What can and should companies do now? Below are some answers to the most pressing questions.
1. What dangers are there in the first place?
The German Federal Office for Information Security (BSI) has already provided the answer to this. The short version is: At present, the threat level is elevated, but there have been no concrete activities on a broad front so far. This answer has left many even more perplexed, and there is also criticism of the BSI's reticence (Source in German). However, this does not change the situation for the time being.
2. Which attack scenarios are realistic?
The most frequently described scenarios from the crisis area are DDoS attacks designed to specifically overload certain systems. The primary targets here are critical infrastructures, which include broadcasting and media as well as government agencies and banks. This does not mean that other business sectors are not at risk, though: individual companies can become accidental victims if an attack tool gets out of hand or if simply destroying data is the goal. So-called wipers, which have no other function than to delete as much data as possible, have often been used for this purpose. However, these wipers can also disguise themselves as other malicious programs, such as ransomware.
3. Who are the attackers?
This question is more difficult to answer. That's because there are no clearly defined fronts. In recent days, numerous volunteer "online guerrillas" from all parts of the world have started to get involved in the action and want to make a contribution to support Ukraine or Russia. These are only very loosely organized, and their activities are rather uncoordinated. The level of experience is also very different. It is therefore hardly possible at present to make clear statements about the origin of attacks. The fact that even within established cybercrime groups there is not always unanimity regarding the Russian government's actions does the rest.
Overall, it should also be noted that not every action on the part of these hacktivists can be assessed as meaningful, because it either does not achieve a measurable effect or affects parties that are not involved in the conflict.
4. What should I pay special attention to?
To be able to attack systems successfully, attackers usually scan them for vulnerabilities beforehand. This is done with the help of specialized scanning programs that look for open network ports, for example. Systems that are exposed to the Internet thus become at least potential targets. Increased scanning activity can even overload systems. In addition, it is now more important than ever to check whether all systems are up to date. Even a supposedly old security vulnerability for which patches already exist but have not been installed can quickly become a company's Achilles' heel.
5. How can I reduce my attack surface?
The measures for improving security that have been strongly recommended again and again for years continue to apply. Systems that are exposed to the Internet offer a potential attack surface. Therefore, careful consideration must be given to whether a particular system generally needs to be accessible from the Internet. If there is no valid reason why it needs to be accessible from the Internet, then it should not be exposed in this way. In addition, the usual precautions for employees in dealing with mails and file attachments apply. Here, the workforce can become a critical component of the security strategy. Those who train employees accordingly have an advantage here.
Attacks on business-critical applications have shown that the speed with which patches are installed alone can make the crucial difference between a prevented attack and a full-blown security incident. Even an installed protection solution can only be as good as it is allowed to be. For example, anyone who deliberately deactivates individual proactive components is depriving themselves of the chance to detect and prevent attacks in good time without any need.
6. What can I do if my network is under attack?
The most important thing in this case is to implement the emergency plan. If there is no such plan yet, it is high time to develop one now. Even the simplest information is valuable in an emergency: For example, who are the internal contact persons or external service providers that employees can turn to, along with contact details. Specialized providers can provide support in this regard. Existing emergency plans should also include an contingency plan that allows continued operation even if external incident response is not available at short notice and the company is left on its own for the time being.
The crucial thing at the moment is not to panic. Doing things just for the sake of "doing something and taking action" serves no good purpose. In an information vacuum, there is always the risk that incomplete or incorrect information will take on a life of its own. Half-knowledge and one's own convictions or beliefs quickly combine into something that can change the situation for the worse under these circumstances. Anyone who wants to change security providers because of current events, for ethical or other reasons, against the backdrop of the Ukraine conflict, cannot be dissuaded from doing so - but a change must not take place at the expense of security and, above all, not in a disorderly manner.
Update: On the BSI's recommendations
After the German Federal Office for Information Security (BSI) warned against the use of some competitor products, taking a careful look at one's own security solution has once again become more urgent. What is remarkable about the BSI's announcement is that it deviates fundamentally from everything that has been communicated in the past on similar issues. In many cases, IT managers and executives take the BSI announcement as an opportunity to immediately uninstall competitor products, even if a replacement is not yet ready. From a purely technical point of view, this kind of "head over heels" replacement makes only limited sense, even if it is politically understandable. That being said, the primary goal of IT managers should always be to protect corporate assets. Therefore, a change is only recommended if an alternative is ready to go and a seamless transition is guaranteed. Going without protection is never a good idea, even if it's only for a day or two. That's a day or two in which potential attackers have a clear shot. And as described above, it's never clear from which direction such an attack will come - even if we weren't in the geopolitical situation we are all facing right now. So this is a risk that any company willing to switch should weigh up very carefully.
Tim Berghoff
Security Evangelist