WARTIME ATTACK PLANNING
WARTIME RESPONSE PLANNING
A NEW TYPE OF PLAN
A study of how Russia attacks companies today may offer some practical guidance for actions you can be taking now to be better prepared and help fortify your collective cyber defenses. This is very different than current incident response planning. Engage the Cyber Defense Center for additional assistance.
START ON YOUR OWN
Russian tactics for cyber warfare include a well-prepared battlefield. Therefore, we advise that you plan using an "Assume Compromise" approach. Expect that Russia or a hostile nation state has the tactical advantage and has already compromised your network with a dormant or an otherwise ready cyber weapon. This will get you and your company in the right mindset to prepare and respond to a wartime nation-state sponsored attack.
ASSUME COMPROMISE
The CYBER DEFENSE CENTER advises that you consider taking an “Assume Compromise” posture in your wartime preparedness because it is simply not reasonable to think that a company standing alone on the front lines of a cyberwar can stop a nation-state like Russia from successfully infiltrating their systems. Additionally, it is not reasonable to think that individual companies can move from peacetime readiness to wartime readiness overnight.
RESOURCE PLANNING
Wartime Cyber-War preparedness should be considered an all-hands-on deck situation for your company. Since we have transitioned to a wartime defense posture, it may be time to set aside product development, transformation projects, or compliance requirements. This effort may require your entire IT department to shift priorities and support your defense efforts. It is time to prepare for a wartime attack with potential outcomes that your company has likely never planned for.
WARTIME PLANNING SUGGESTIONS
We recommend you use the following scenarios for preparedness to continue conducting electronic commerce and maintain critical infrastructure operations during times of geo-political unrest and wartime:
10 WARTIME PREPAREDNESS SCENARIOS
- Assume that Ransomware is dormant and awaiting activation on a sensitive system on your network;
- Assume Malware has infected areas of your IT infrastructure and was not detected;
- Assume that one or more privileged account usernames and passwords that are used to administer or manage sensitive IT resources are actively compromised;
- Assume your external-facing systems are being targeted for an active DDoS campaign;
- Assume a supplier, managed service provider, or IT software (security or network management) OEM is compromised;
- Assume that an insider has been paid or blackmailed by Russia to install a cyber weapon within your network on demand;
- Assume that the attackers have knowledge of your network topology and have access to the most sensitive data or systems you are protecting;
- Assume that an executive or average user account is already compromised and being used for internal access with the intention to install malware or escalate privileges;
- Assume all external e-mails are phishing attempts and that phishing campaigns will become more advanced and increase at least 10-fold during wartime;
- Assume all vulnerabilities, not just critical and high, are actively being exploited.