War Games Aren’t Just for Warriors Anymore
By Mark Sangster, VP and Chief of Strategy / Adlumin, Inc.
April 21, 2022
Starting weeks into the Russian invasion of Ukraine, the North Atlantic Treaty Organization’s (NATO) Cooperative Cyber Defense Center of Excellence is hosting its cyber war-game event in neighboring Tallinn, Estonia. These virtual exercises come at a time when Russia is again demonstrating its preference for waging a hybrid cyber and kinetic war.
This era of hybrid warfare means that it is not only military and government organizations that need to prepare for cyberattacks from nation-states like Russia and China, or from state-sponsored actors and sophisticated cybercrime gangs. In this hybrid era, there is no distinction between combatants and non-combatants. Civilian targets across all industries are in the crosshairs, and we have yet to develop the equivalent of the Geneva Convention, which established international legal standards for humanitarian treatment in war.
Leading up to the invasion, Russia allegedly launched cyberattacks against 70-plus government websites, services, and banks. Throughout the campaign, they’ve gone after utilities and telecommunications infrastructure. Additionally, it appears the UK and its international allies are investigating a report from the UK National Cyber Security Centre (NCSC) alleging that Chinese actors had targeted more than 600 Ukrainian targets, including the defense ministry.
Before the invasion, it was no secret that criminal cyber gangs operated within friendly borders, such as Russia’s, from which they launched repeated campaigns against western government and civilian targets in the United States, Canada, the United Kingdom, Ireland, and Australia. These gangs operate with impunity, or from districts that lack the enforcement wherewithal to prosecute criminals. It’s generally accepted that as long as these gangs don’t attack domestic targets, the “enemy of my enemy” ethos applies. But when Russia elected to invade Ukraine, it’s likely that Russian officials called in the favor and recruited domestic criminals to operate as state-sponsored actors in coordinated attacks against strategic assets in Ukraine.
Oftentimes, state-sponsored actors are civilian affiliations, like the Conti ransomware gang, sharing resources and even funding while directed by government institutions. In other words, civilians participate in aggression alongside their military comrades. This blurring of the line between combatants and civilians is not the only erosion of its kind in the war against Ukraine. As Russian forces attack civilian targets such as schools and hospitals and fight to capture non-military targets and territory, it’s a reminder that we now live in a world with little distinction between legitimate war targets (military) and protected participants (civilian).
Perhaps not since World War II has Europe witnessed this level of aggression against civilians and the destruction of cities and civil infrastructure. This is not the only relevant comparison. It was the end of World War II that ushered in the cold war, in which NATO and Soviet powers maintained an adversarial posture while avoiding all-out military aggression. The cold-war tensions between the superpowers of the East and West were balanced on the cantilever of nuclear devastation and ran their course in a gray world of espionage, theft, and sabotage.
In a digital world, espionage is no longer spy-vs-spy crossing the Berlin Wall. It’s full-out cyber espionage, digital theft, financial fraud, and extortion. Until the invasion of Ukraine, I called it the “gray cyberwar,” keeping the global temperament just below the boiling point. It seems Russia’s determination to push the west to the brink means it’s no longer a cold war. And it no longer discriminates between military participants and defenseless civilians. As a result, businesses with no government or military affiliations are an open target for unleashed cybercriminals. Industries of all kinds often feel the aftershocks of tectonic geopolitical events such as tensions in the Middle East, trade wars with China, and now the Russian war on Ukraine. And it reiterates what I’ve been saying for years.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) published a joint Cybersecurity Advisory warning against attacks on US and international targets. CISA also regularly publishes alerts about Russian state-sponsored actors, such as Conti, operating against western targets.
Well before the Ukraine war, cybercriminal gangs operated like Fortune 500 companies, relying on an ecosystem of criminal expertise to minimize operational costs and maximize returns from their activities to generate record profits. These groups go after healthcare providers, manufacturers, law firms, accounting services, etc. They use well-established tactics, techniques, and procedures (TTPs) to infiltrate and exploit these targets.
Ransomware-as-a-service mirrors legitimate SaaS offerings but gives small criminal groups the opportunity to lease, or revenue-share, sophisticated malware sets and expert operators. These cartels often operate under a common brand name (Conti, Ryuk, DarkSide, etc.) and offer services to assist victims in paying ransoms or other extortion fees.
The Truth About Cybersecurity:
As I wrote in my book, No Safe Harbor: The Inside Truth About Cybercrime, there is no longer collateral damage. There is only damage, and it’s inflicted on businesses like your own. As an IT security practitioner and business leader, you must defend. And one of the first steps is to identify the risks that face your operations and plan a response that can mitigate or minimize the impact on your business.
Take a page from NATO and run a cyber wargame. Perhaps not to test your skills in attacking targets, but to predict attacks and test your security defenses and your ability to make the critical decisions that make the difference between a close-call event and a massive, public disruption. Running cross-company table-top exercises that simulate cyberattacks is one of the best ways to test your mettle when making difficult choices during a cyberattack, like a ransomware offensive that shuts down your operations.
As I am fond of saying, cybersecurity is not an IT problem to solve; it’s a business risk to manage. Many of the decisions made during an incident are not technical at all, and even the technical ones carry second-order effects with business consequences. For example, a reasonable decision to suspend compromised credentials or internet-facing services can lead to public disruptions that elicit media attention. A technical decision leads to crisis communications and awkward interviews on the evening news.
Far too many companies paid ransoms as their go-to response. Now insurers are pushing back with increasing premiums, tighter security requirements as part of the policy, and a growing trend to refuse claims when those policy requirements are not met. I am not referring to complex requirements. Multi-factor authentication that was never mandated, missing security awareness training records, or the lack of security management using a SIEM can lead to denied claims, canceled coverage, or refused renewals.
What’s more, paying ransoms can put corporate officers on the wrong side of several federal laws. The US Treasury issued advisories warning against payment to individuals, groups (ransomware gangs), affiliates, institutions, or nations on the Office of Foreign Assets Control (OFAC) sanctions lists. The issue is more complicated than that, but it reminded me of the quip I used with the C-suite: ROI now stands for Risk of Incarceration. Yes, I’m joking—sort of.
The laundry list of business decisions that confront leaders as they face shutdowns, mounting operational costs, and lost revenue goes well beyond the simple examples I’ve provided.
How to Run Incident Response Simulations:
When it comes to running table-top exercises or incident response (IR) simulations, here are some suggestions:
- Engage all facets of the business: technical, operations, legal, human resources, sales, marketing, etc. Each member plays a crucial role in the decisions and actions required during an incident.
- Identify likely scenarios and test your response plans. You can use public events like the Colonial Pipeline attack or the TTPs outlined by CISA to mimic the actions and effects of Russian ransomware attacks.
- Test the strength of your responses and throw a wrench into the mix. For example, start with an incident that seems to be linked to an insider, and then drop in evidence that shows their account was compromised and external actors have control of your network. Or make decisions about not notifying unaffected clients and then simulate the threat actor publicly leaking client data or contacting affected clients directly with evidence of the breach.
- Work with your legal advisors to determine your obligations and how to engage insurance carriers, law enforcement agencies, and regulators.
- Test, test, and test. The more you prepare, the more you not only hone your skills but also build rapport with your incident response teammates. And that trust is critical when it comes to making decisions based on the information your team provides. As the veteran Navy SEAL and author Richard Marcinko says: “The more you sweat in training, the less you bleed in combat.”
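The list above describes a procedure: assemble every business function, script a scenario with a twist, and record the decisions (including the legal obligations to insurers, law enforcement, and regulators) that the team makes at each step. The following Python exercise runner is an added example, not code from the article or from Adlumin; the scenario injects, the business-function names, the decision keys, and the two logged exercises are all constructed here for illustration. It replays a team's attendance and decision log against the scenario and reports the gaps a facilitator would raise in the hot-wash: functions missing from the room, injects with no recorded decision, earlier decisions that were never revisited after the "wrench" inject, and obligations decided without legal (or not at all).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Inject:
    """One step of the exercise, delivered to the team at time_min."""
    id: str
    time_min: int
    description: str
    required_functions: FrozenSet[str]   # who must be in the room for this inject
    decision_key: str                    # decision the team must record for this inject
    invalidates: Tuple[str, ...] = ()    # earlier decision keys this inject calls into question


@dataclass(frozen=True)
class Decision:
    inject_id: str   # inject during which the decision was recorded
    key: str
    made_by: str     # business function that owns the decision
    value: str


# Constructed scenario following the article's "throw a wrench in" pattern:
# apparent insider -> compromised account -> external actor -> leak threat.
SCENARIO: List[Inject] = [
    Inject("I1", 0, "Files encrypted on a finance share; logs point at a finance analyst's account.",
           frozenset({"technical", "operations", "human_resources"}), "containment"),
    Inject("I2", 45, "EDR shows the analyst's credentials were phished; an external actor holds an admin session.",
           frozenset({"technical", "legal", "operations"}), "scope_external_actor", invalidates=("containment",)),
    Inject("I3", 120, "Operations is down; the actor demands payment and names client data it claims to hold.",
           frozenset({"legal", "operations", "marketing", "sales"}), "client_notification"),
    Inject("I4", 240, "The actor posts a sample of client records and emails two clients directly.",
           frozenset({"legal", "marketing", "sales"}), "crisis_communications", invalidates=("client_notification",)),
]

# Decisions that must be owned by legal by the end of the exercise (hypothetical keys).
OBLIGATIONS = ("notify_insurer", "notify_law_enforcement", "notify_regulator")


def evaluate(scenario: List[Inject], attendance: Dict[str, Set[str]],
             decisions: List[Decision]) -> List[str]:
    """Replay a team's logged attendance and decisions against the scenario.

    attendance maps inject id -> set of functions present for that inject.
    Returns a list of findings; an empty list means no gaps were found.
    """
    findings: List[str] = []
    order = {inj.id: i for i, inj in enumerate(scenario)}
    recorded_at: Dict[str, List[int]] = {}   # decision key -> inject indices where recorded
    for d in decisions:
        recorded_at.setdefault(d.key, []).append(order[d.inject_id])

    for idx, inj in enumerate(scenario):
        missing = inj.required_functions - attendance.get(inj.id, set())
        if missing:
            findings.append(f"{inj.id}: functions not engaged: {sorted(missing)}")
        if idx not in recorded_at.get(inj.decision_key, []):
            findings.append(f"{inj.id}: no '{inj.decision_key}' decision recorded")
        # A wrench inject must cause the team to revisit the decision it undermines.
        for stale_key in inj.invalidates:
            if not any(i >= idx for i in recorded_at.get(stale_key, [])):
                findings.append(f"{inj.id}: '{stale_key}' was not revisited after new evidence")

    for key in OBLIGATIONS:
        owners = {d.made_by for d in decisions if d.key == key}
        if not owners:
            findings.append(f"end: obligation '{key}' never decided")
        elif "legal" not in owners:
            findings.append(f"end: obligation '{key}' decided without legal")
    return findings


def good_exercise_log() -> Tuple[Dict[str, Set[str]], List[Decision]]:
    """Constructed log of a team that kept every function engaged and revisited decisions."""
    attendance = {
        "I1": {"technical", "operations", "human_resources"},
        "I2": {"technical", "legal", "operations"},
        "I3": {"technical", "legal", "operations", "marketing", "sales"},
        "I4": {"legal", "marketing", "sales"},
    }
    decisions = [
        Decision("I1", "containment", "technical", "disable analyst account, isolate finance share"),
        Decision("I2", "containment", "technical", "reset all privileged credentials, sever remote access"),
        Decision("I2", "scope_external_actor", "technical", "engage IR retainer, preserve DC images"),
        Decision("I2", "notify_insurer", "legal", "notify carrier within policy window"),
        Decision("I2", "notify_law_enforcement", "legal", "report to FBI field office"),
        Decision("I3", "client_notification", "legal", "hold notification pending confirmed scope"),
        Decision("I3", "notify_regulator", "legal", "assess statutory reporting deadlines"),
        Decision("I4", "client_notification", "legal", "notify all clients within 24 hours"),
        Decision("I4", "crisis_communications", "marketing", "issue holding statement to press"),
    ]
    return attendance, decisions


def flawed_exercise_log() -> Tuple[Dict[str, Set[str]], List[Decision]]:
    """Constructed log of a team that left legal out and never revisited its decisions."""
    attendance = {
        "I1": {"technical", "operations", "human_resources"},
        "I2": {"technical", "operations"},
        "I3": {"legal", "operations", "marketing", "sales"},
        "I4": {"legal", "marketing", "sales"},
    }
    decisions = [
        Decision("I1", "containment", "technical", "disable analyst account"),
        Decision("I2", "scope_external_actor", "technical", "call IR retainer"),
        Decision("I2", "notify_insurer", "operations", "call the broker"),
        Decision("I3", "client_notification", "sales", "do not notify unaffected clients"),
        Decision("I3", "notify_law_enforcement", "legal", "report to FBI"),
        Decision("I4", "crisis_communications", "marketing", "holding statement"),
    ]
    return attendance, decisions


if __name__ == "__main__":
    for name, log in (("good", good_exercise_log()), ("flawed", flawed_exercise_log())):
        print(f"== {name} exercise ==")
        for line in evaluate(SCENARIO, *log) or ["no gaps found"]:
            print("  " + line)
```

The "invalidates" field is what makes the twist measurable: a team that contained an "insider" by disabling one account and never re-decided containment after learning an external actor held an admin session shows up as a finding, as does a client-notification decision that was not revisited once the actor went public. The obligation check encodes the article's advice that insurer, law-enforcement, and regulator engagement is settled with counsel rather than by whoever happens to be on the bridge.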
The war on Ukraine is a humanitarian disaster and serves as a warning for what our hybrid cyber-kinetic world looks like when aggression boils over. Remember, no matter the size or nature of your business, you are a target for cybercriminals. They are smart; if they want into your organization, they will gain access. The best thing you can do is hope for the best and prepare for the worst. As Winston Churchill famously said, “Never let a good crisis go to waste.” The war on Ukraine is a crisis. Don’t waste this opportunity to prepare your organization for a cyberattack.