WARTIME ATTACK PLANNING
WARTIME RESPONSE PLANNING
A NEW TYPE OF PLAN
A study of how Russia attacks companies today may offer some practical guidance for actions you can be taking now to be better prepared and help fortify your collective cyber defenses. This is very different than current incident response planning. Engage the Cyber Defense Center for additional assistance.
START ON YOUR OWN
Russian tactics for cyber warfare include a well-prepared battlefield. Therefore, we advise that you plan using an "Assume Compromise" approach. Expect that Russia or a hostile nation state has the tactical advantage and has already compromised your network with a dormant or an otherwise ready cyber weapon. This will get you and your company in the right mindset to prepare and respond to a wartime nation-state sponsored attack.
ASSUME COMPROMISE - WARTIME MINDSET
The CYBER DEFENSE CENTER recommends adopting an “Assume Compromise” wartime mindset as the foundation of all preparedness efforts. It is no longer realistic for a single organization—standing alone on the front lines of a cyberwar—to expect it can fully prevent or repel infiltration from a nation-state adversary such as Russia. Likewise, it is unreasonable to believe that a company operating in normal peacetime conditions can rapidly transition into wartime readiness without deliberate preparation.
Preparing for cyber conflict requires a shift in posture, mindset, and operational behavior. The CYBER DEFENSE CENTER supports organizations in building this wartime footing through:
- Assume Compromise Strategies
- Wartime Playbook Activation
- Enemy Tactics Analysis
- Defensive Battlefield Preparation
- Operational Resilience Under Fire
- Critical Infrastructure Defense
- Nation-State Attack Pattern Recognition
- Digital Fortress Hardening
This approach enables organizations to strengthen their defensive stance, anticipate adversary intent, and operate with the resilience required in modern cyber conflict.
RESOURCE PLANNING
Wartime cyber-war preparedness must be treated as an all-hands-on-deck commitment across the entire organization. Once operating in a wartime defense posture, traditional priorities such as product development, transformation initiatives, routine projects, or even certain compliance activities may need to be paused or deprioritized.
A nation-state cyber assault requires focus, unity, and rapid mobilization. Your entire IT and cybersecurity workforce may need to shift their attention toward defense, resilience, and response activities. Organizations should be prepared to redirect personnel, realign budgets, suspend nonessential work, and concentrate all available resources on safeguarding critical systems.
It is time to plan for wartime conditions and the kinds of operational, technical, and strategic consequences that most companies have never previously anticipated. Building this readiness now will determine how effectively your organization withstands and recovers from a coordinated nation-state cyber attack.
WARTIME PLANNING SUGGESTIONS
Assume Compromise. Assume Adversary Advantage. Assume Operational Risk.
During wartime or periods of heightened geopolitical conflict, traditional incident response assumptions no longer apply. The Cyber Defense Center recommends using the following 10 wartime scenarios as the foundation for private-sector readiness, tabletop exercises, and operational continuity planning.
These scenarios reflect the tactics, timing, and operational patterns used by nation-state adversaries such as Russia.
Each scenario should be treated as active, simultaneous, and credible during wartime, regardless of existing security controls.
10 WARTIME PREPAREDNESS SCENARIOS
1. Assume RANSOMWARE is already deployed and dormant on a sensitive system.
Plan for timed, coordinated, or remotely triggered activation across multiple systems with no opportunity for negotiation, decryption, or ransom payment.
2. Assume MALWARE has already breached IT infrastructure and remains undetected.
Expect deep persistence, lateral movement, valid credential use, and malware designed specifically to evade your tools.
3. Assume one or more PRIVILEGED ACCOUNTS are compromised right now.
Treat domain admins, service accounts, cloud administrators, and ICS operators as potentially under adversarial control.
4. Assume EXTERNAL-FACING SYSTEMS are already targeted for DDoS and saturation attacks.
Prepare for simultaneous overload, misdirection, and blended operations intended to distract from other intrusions.
5. Assume a SUPPLIER, MSP, or OEM in your ecosystem is compromised.
Expect cascading impact from upstream software management, updates, or third-party remote access.
6. Assume an INSIDER has been paid, coerced, or blackmailed to assist an adversary.
Plan for insider-enabled access, credential misuse, sabotage, or insertion of a cyber weapon on demand.
7. Assume the ADVERSARY has full knowledge of your network topology and crown-jewel systems.
Treat your architecture diagrams, VPN configs, and cloud deployments as already in enemy hands.
8. Assume EXECUTIVE or STANDARD USER ACCOUNTS are compromised and actively exploited.
Plan for trusted access being used to escalate privileges, move laterally, or deploy malware internally.
9. Assume ALL external email is hostile and phishing volume increases 10-fold.
Expect highly convincing, personalized, and AI-generated lures tailored to wartime themes or crisis events.
10. Assume ALL vulnerabilities—critical, high, medium, and low—are actively exploited.
Adversaries will weaponize any foothold they can obtain, especially during wartime. Patch prioritization must shift accordingly.