Security in a world of conflict
- Tim Chase

- Mar 9, 2022
- 3 min read
Over the past several years, the security world has seen an increase in cyber activity involving nation states. In the past there have been cases of malware being used to shut down parts of government research programs or utilities. Countries have had to adapt by ensuring they have adequate defenses to protect their most sensitive data and infrastructure. Recently, the US government has issued alerts to the private sector about malware and nation-state activity that may affect private businesses.
When nations look to disrupt another nation, they can achieve this in a few ways. One is to cast a wide net and target companies that do business with the federal government. Rather than attacking the government directly, they will try to break into contractor systems and use the existing trust relationship (accounts or network connections) to penetrate the government network. Phishing is a popular way to carry out this attack: an employee of the private company is singled out (often using open-source intelligence such as LinkedIn profiles) and a phishing attempt is made to compromise their credentials.
Another method of attack is to use malware to target the infrastructure of an adversary. Malware can be custom designed to exploit a known or suspected weakness of the target. A real-world example is the Stuxnet worm. It was created to target the industrial control systems of a country's nuclear program, and it was extremely effective in its purpose of disrupting that country's nuclear activities. The problem is that it is nearly impossible to confine an attack to one computer or one set of computers. Malware designed to affect one organization or government program will inevitably spread beyond the intended target and into private organizations. Private industry can become collateral damage in government cyber operations.
With the situation currently unfolding in Eastern Europe, it would be prudent for private industry to be extra vigilant in monitoring its resources. The US government provides guidance in this area with the release of a recent CISA Insights document, which covers several areas. One area relates to patching and maintenance of infrastructure: CISA recommends that companies review their security posture and ensure all infrastructure (workstations included) is patched and up to date.
Another area of guidance is monitoring. Companies should monitor their production workloads for unexpected activity, including servers, containers, cloud activity, and network activity. There are several kinds of activity to look for in cases like this:
- Unusual login activity - Users normally log in from location A, but can now be traced to logging in from location B.
- Unusual user activity - Users normally perform one kind of activity in your environment (like creating EC2 instances), but have started performing a different activity (like creating Lambda functions).
- Unusual workload activity - Workloads normally perform similar activities every day. An indication of compromise can be when workloads begin performing activities outside the norm. For example, every day an application server talks to a database server. If it starts communicating with other servers in the environment, it's worth investigating.
- Connections to known bad sites - IP addresses associated with ransomware, malware, and cryptomining infrastructure are tracked. Any outbound connection to a known bad IP address should be reviewed for compromise.
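The four indicators above all reduce to the same detection pattern: build a baseline of what each identity or workload normally does, then flag review-window events that fall outside it. The following is an added example, not code from the post or from Lacework; the records, host names and the known-bad address are constructed placeholders, and a real deployment would feed it CloudTrail events, flow logs and a threat-intelligence list instead.

```python
"""Baseline-and-deviate detection over constructed cloud audit and flow records."""
from collections import defaultdict

# Constructed sample records (not real data). A quiet baseline window, then a review window.
BASELINE = [
    {"kind": "login", "user": "alice", "geo": "US"},
    {"kind": "api", "user": "alice", "event": "RunInstances"},
    {"kind": "flow", "src": "app-server", "dst": "db-server"},
]
REVIEW = [
    {"kind": "login", "user": "alice", "geo": "RO"},                # new login location
    {"kind": "api", "user": "alice", "event": "CreateFunction"},    # new kind of activity
    {"kind": "flow", "src": "app-server", "dst": "file-server"},    # new peer for the workload
    {"kind": "flow", "src": "app-server", "dst": "198.51.100.7"},   # constructed "known bad" address
    {"kind": "api", "user": "alice", "event": "RunInstances"},      # normal, should not be flagged
]
KNOWN_BAD = {"198.51.100.7"}  # placeholder; replace with a maintained threat-intel feed


def build_baseline(records):
    """Record, per user, the locations and API calls seen; per workload, the peers it talks to."""
    base = {"geo": defaultdict(set), "event": defaultdict(set), "peer": defaultdict(set)}
    for r in records:
        if r["kind"] == "login":
            base["geo"][r["user"]].add(r["geo"])
        elif r["kind"] == "api":
            base["event"][r["user"]].add(r["event"])
        elif r["kind"] == "flow":
            base["peer"][r["src"]].add(r["dst"])
    return base


def find_anomalies(records, base, known_bad):
    """Return (indicator, subject, detail) for every record outside the baseline.
    An identity or workload absent from the baseline is flagged on every event by design."""
    findings = []
    for r in records:
        if r["kind"] == "login" and r["geo"] not in base["geo"].get(r["user"], set()):
            findings.append(("unusual-login", r["user"], r["geo"]))
        elif r["kind"] == "api" and r["event"] not in base["event"].get(r["user"], set()):
            findings.append(("unusual-user-activity", r["user"], r["event"]))
        elif r["kind"] == "flow":
            if r["dst"] in known_bad:  # checked first: a known-bad peer outranks mere novelty
                findings.append(("known-bad-destination", r["src"], r["dst"]))
            elif r["dst"] not in base["peer"].get(r["src"], set()):
                findings.append(("unusual-workload-activity", r["src"], r["dst"]))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(REVIEW, build_baseline(BASELINE), KNOWN_BAD):
        print(finding)
```

Set-membership baselines like this one are deliberately simple; in production you would add a baseline long enough to cover weekly patterns and suppress expected changes such as a planned migration.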
Conflicts in the world will come and go over time, but one thing that will remain constant is that the internet will increasingly be used as a tool in future conflicts. Companies are increasing their usage of the cloud exponentially. More devices and systems are connected to the internet than ever before, and that increases the attack surface for those looking to gain a foothold in an environment. The good news is that the cloud provides visibility and automation that on-premises environments were lacking. Lacework can help provide the monitoring and visibility so that your teams are ready to respond to new threats, even before they are made public.