The conflict in Ukraine is forcing organizations around the world to revisit their threat modeling and reevaluate cyber risk. President Biden’s warning on March 21 that “the Russian government is exploring options for potential cyber-attacks” on the United States' critical infrastructure has caused a flurry of activity in boardrooms across the country. But beyond this, what about organizations with operations in Ukraine, Russia or Belarus?
Illumio customers in this position have already reached out asking what we can do to prevent threats from the region spreading to IT systems based in the US and elsewhere. We are generally hearing from two different groups:
- Multi-national organizations with locations in Ukraine, Russia or Belarus are worried that malicious actors may compromise their IT estates in these regions. Such a compromise could give attackers a foothold from which to move laterally and infiltrate networks closer to home, much as the destructive NotPetya malware spread out of Ukraine in 2017.
- Even those without a presence in the region are concerned about the possible repercussions of Western sanctions on Russia, which Putin has already argued are akin to an act of conflict. As CISA’s “Shields Up” initiative maintains, and President Biden’s warning asserted, all organizations in the U.S. and allied countries should be ready for retaliatory attacks. This is especially true of those in critical infrastructure sectors like financial services, healthcare, utilities and energy.
Fortunately, Illumio's granular network visibility and segmentation capabilities form a formidable set of tools to safeguard organizations from cyberattacks.
How segmentation from Illumio can help
Illumio can assist customers in both scenarios. For those with assets and networks in high-risk countries such as Ukraine, Russia and Belarus, there are three ways to protect your digital assets:
- Illumio provides rich risk-based visibility and application dependency mapping to highlight any dangerous connections, down to the individual workload level. Before they’ve even decided to block traffic from Eastern Europe, customers can build a clear picture of the interactions between assets in Ukraine, Russia and Belarus and the rest of the organization.
They may spot, for example, new traffic flows never seen before, or significant increases in the volume of data being sent from these assets. This intelligence can then be fed into threat detection and response playbooks so that mitigations can be applied.
- If Illumio is deployed on the estate outside of these countries and the organization knows what IP addresses they’re running in Ukraine, Russia and Belarus, then mitigating cyber risk is fairly straightforward. In minutes, you can implement a policy in Illumio blocking traffic to and from those networks. It’s also simple to write exceptions to ensure you have forensic access to these systems.
This is made possible by Illumio’s Enforcement Boundaries, which allow organizations to quickly and easily create a protective perimeter around any port, workload, group of workloads or IP range. It can be done in minutes and applied at scale to effectively create “allow list” rules with minimum hassle.
- If Illumio is deployed across all assets, including any based in Ukraine, Russia and Belarus, then customers can achieve the same blocking capability using labels. Simply write a policy that says: "If assets are located in these countries, then block that traffic." This is also an easy, fast action that takes a few minutes to set up.
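The visibility step described in the first bullet boils down to comparing current flows from the regional assets against a known-good baseline. The following is an added, self-contained example of that comparison (it is not Illumio code and does not use Illumio's data model): the regional address ranges, the flow records and the spike threshold are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address ranges standing in for an organization's assets in
# Ukraine, Russia or Belarus. Hypothetical; substitute the real ranges.
REGION_NETS = [ip_network("10.50.0.0/16"), ip_network("10.51.0.0/16")]


def in_region(ip):
    """True if the address falls inside one of the regional ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in REGION_NETS)


def aggregate(flows):
    """Sum bytes per (src, dst, dport) for flows leaving the region.

    Flows in the other direction, or entirely outside the region, are
    ignored: the concern here is data moving from regional assets to the
    rest of the estate.
    """
    totals = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if in_region(src) and not in_region(dst):
            totals[(src, dst, dport)] += nbytes
    return totals


def compare(baseline_flows, current_flows, spike_ratio=3.0):
    """Report flows never seen in the baseline and flows whose volume grew
    by at least spike_ratio. Returns sorted (src, dst, dport) tuples."""
    base = aggregate(baseline_flows)
    cur = aggregate(current_flows)
    new_flows = sorted(k for k in cur if k not in base)
    spikes = sorted(k for k in cur
                    if k in base and cur[k] >= spike_ratio * base[k])
    return {"new": new_flows, "spikes": spikes}


# Constructed sample flow records: (src, dst, dport, bytes).
BASELINE = [
    ("10.50.1.10", "10.10.0.5", 443, 120_000),
    ("10.50.1.10", "10.10.0.5", 443, 130_000),
    ("10.51.2.20", "10.10.0.9", 1433, 40_000),
]
CURRENT = [
    ("10.50.1.10", "10.10.0.5", 443, 125_000),    # normal, within baseline
    ("10.51.2.20", "10.10.0.9", 1433, 900_000),   # volume spike to the database
    ("10.50.1.10", "10.10.0.7", 445, 2_000_000),  # SMB flow never seen before
    ("10.10.0.5", "10.50.1.10", 443, 5_000),      # inbound to region: ignored
]

if __name__ == "__main__":
    report = compare(BASELINE, CURRENT)
    for key in report["new"]:
        print("NEW FLOW  ", key)
    for key in report["spikes"]:
        print("VOLUME UP ", key)
```

The output of such a comparison is what feeds the playbook: a never-seen SMB flow from a regional host to a file server, or a twenty-fold jump in bytes to a database, is exactly the kind of finding that justifies the blocking policies described in the next two bullets.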
Shields up with micro-segmentation
For organizations not directly exposed to the conflict in Ukraine but who are concerned about the potential “spill over,” now is a good time to think about updating security policies.
To understand risk exposure, it’s important to not only gain visibility at a perimeter level but also know what’s going on inside your digital hybrid infrastructure. After all, it’s easier than ever for determined attackers to breach network perimeters using phishing, compromised credentials and other techniques.
By enforcing the right restrictions, security teams can limit suspect traffic flows to block lateral movement and shut down command-and-control calls by attackers. This could be as coarse-grained as blocking ports for services commonly used by ransomware, such as RDP, SMB and SSH. Or it could be more fine-grained to protect high-value applications and assets.
You can also write policies to isolate critical IT infrastructure like DNS, authentication systems and Active Directory.
Organizations without assets in Ukraine, Russia or Belarus won’t have specific IP addresses they can use to block traffic. Using threat feed information, they can reinforce the wholesale blocking of known-malicious IPs at the perimeter with more targeted blocking in their segmentation policies, building multiple layers of defense.
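The policies described in this section and in the two blocking bullets above (region IP ranges with a forensic exception, location labels, lateral-movement ports, isolated DNS, threat-feed IPs) all fit one evaluation model: narrow allow exceptions are checked first, then deny boundaries, and anything untouched keeps its existing access. The block below is an added example of that model in plain Python; it is not Illumio's policy language or API, and the workload inventory, label names, address ranges and threat-feed entry are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed workload inventory: IP -> labels. Hypothetical schema.
WORKLOADS = {
    "10.50.1.10": {"loc": "UA", "role": "web"},
    "10.10.0.5":  {"loc": "US", "role": "web"},
    "10.10.0.7":  {"loc": "US", "role": "file"},
    "10.10.0.9":  {"loc": "US", "role": "db"},
    "10.10.9.1":  {"loc": "US", "role": "forensics"},
    "10.10.0.53": {"loc": "US", "role": "dns"},
}

HIGH_RISK_LOCS = {"UA", "RU", "BY"}
# Known regional ranges, for hosts that carry no labels (constructed).
REGION_NETS = [ip_network("10.50.0.0/16")]
# Threat-feed entry; 203.0.113.0/24 is a documentation range used as a stand-in.
THREAT_FEED = [ip_network("203.0.113.0/24")]
# Services commonly abused for lateral movement, as named in the text.
LATERAL_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}


def labels(ip):
    return WORKLOADS.get(ip, {})


def in_nets(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def exceptions(src, dst, port):
    """Allow rules that punch through a boundary. Checked first and kept
    deliberately narrow: one source role, one port."""
    if labels(src).get("role") == "forensics" and port == 22:
        return "allow: forensic access"
    if labels(dst).get("role") == "dns" and port == 53:
        return "allow: dns"
    return None


def boundaries(src, dst, port):
    """Deny rules in the spirit of an enforcement boundary; first match wins."""
    if in_nets(src, THREAT_FEED) or in_nets(dst, THREAT_FEED):
        return "deny: threat feed"
    if labels(src).get("loc") in HIGH_RISK_LOCS or labels(dst).get("loc") in HIGH_RISK_LOCS:
        return "deny: high-risk location label"
    if in_nets(src, REGION_NETS) or in_nets(dst, REGION_NETS):
        return "deny: region IP range"
    if labels(dst).get("role") == "dns":
        return "deny: dns isolation"
    if port in LATERAL_PORTS:
        return f"deny: lateral-movement port {LATERAL_PORTS[port]}"
    return None


def evaluate(src, dst, port):
    """Exceptions, then boundaries, then the pre-existing default (allow)."""
    return exceptions(src, dst, port) or boundaries(src, dst, port) or "allow: default"


if __name__ == "__main__":
    for flow in [("10.10.9.1", "10.50.1.10", 22),    # forensics reaching a UA host
                 ("10.10.9.1", "10.50.1.10", 3389),  # same host, RDP: still blocked
                 ("10.50.1.10", "10.10.0.5", 443),   # labelled UA workload outbound
                 ("10.50.7.7", "10.10.0.5", 443),    # unlabelled host in region range
                 ("10.10.0.5", "10.10.0.7", 445),    # SMB between US workloads
                 ("10.10.0.5", "10.10.0.53", 53),    # DNS lookup
                 ("10.10.0.5", "10.10.0.53", 22),    # SSH to the DNS server
                 ("203.0.113.5", "10.10.0.5", 443),  # threat-feed source
                 ("10.10.0.5", "10.10.0.9", 1433)]:  # untouched application flow
        print(flow, "->", evaluate(*flow))
```

Two design points carry over to real policy: the forensic exception allows one role on one port, so the same investigator host is still denied RDP into the region; and the label-based rule sits above the IP-range rule, so a workload that is correctly labelled is caught even before its address is known, while the range rule catches unlabelled hosts the inventory has missed.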
The need to update risk management strategies has added urgency, not only because of the potential for Russia to unleash a barrage of destructive attacks, but also from a compliance perspective. The U.S. federal government, for example, recently made it a legal requirement for critical infrastructure operators to disclose cyber-attacks within 72 hours.
Want to learn more about how Illumio's segmentation capabilities can help you build greater defense-in-depth to protect your organization from today's growing cyber threats? Contact us today.