Adaptive Segmentationmicro-segmentation April 15, 2022

How to Stop Global Cybersecurity Threats Emerging From the Ukraine-Russia Conflict

Ron Isaacson, Field CTO, US East

The Ukraine-Russia conflict began when the Russian military invaded Ukraine on February 24.

Yet the cybersecurity and cyber warfare elements of this conflict began before initial combat action. Ukraine was hit with numerous cyberattacks against its government and banking systems in the lead-up to the conflict, with experts blaming Russia for the cyberattacks. And within the first 48 hours, multiple U.S. agencies noted that cyberattacks from suspected hackers in Russia increased by over 800%.

Since then, cyberattacks have been a key and consistent element of the conflict against Ukraine and its Western allies. Ultimately, it has become clear that organizations must strengthen their cybersecurity during this conflict.

In this article, we will detail:

  • Why these cyberattacks are relevant to any organization in every country.
     
  • How organizations can strengthen their cybersecurity against the specific cyber threats emerging from this conflict.
     
  • How Illumio can help organizations rapidly build the cybersecurity capabilities they need to protect themselves from these risks.

Why is the Ukraine-Russia conflict a global cybersecurity threat?

There are multiple reasons to believe the Ukraine-Russia conflict may develop into a global cybersecurity threat for nations and organizations that are not directly involved with the conflict.

As U.S. President Biden noted in a recent statement on cybersecurity, “malicious cyber activity” is “part of Russia’s playbook.” In the same statement, President Biden warned that Russia could likely launch cyberattacks against Western nations in retaliation against sanctions. He also noted that intelligence agencies already discovered “the Russian Government is exploring options for potential cyberattacks."

In addition, NATO has released their own statements that recommend providing cybersecurity assistance to Ukraine. NATO is actively increasing its own "cybersecurity capabilities and defenses" and "providing support to each other in the event of cyberattacks."

Given this evidence, the global cybersecurity threat emerging from this conflict could be vast.

As noted by Accenture’s most recent incident report on cybersecurity in the Ukraine-Russia conflict, Russian ransomware operators are openly threatening to attack Western infrastructure. Entities in NATO “should expect potential disruptive activity and information operations,” including ransomware and cyberattacks. Numerous ransomware and distributed denial-of-service attacks have already been launched against countries that imposed sanctions on Russia.

In short: Even if the physical side of the Ukraine-Russia conflict remains limited to the region, the cybersecurity aspect of the conflict has already become a global crisis — between Russia and its allies and Western countries responding to their actions.

The global cybersecurity response to the Ukraine-Russia conflict

Many Western countries have already mounted a cybersecurity response and provided recommendations related to the Ukraine-Russia conflict. Hundreds of thousands of multinational hackers have volunteered to fight back against Russian cybercrimes. And in his previously cited statement, U.S. President Biden explicitly discussed cyber threats to national security and asked the private sector to “harden your cyber defenses immediately” by implementing best practices.

Many of these best practices have been discussed in previous executive orders on cybersecurity and reiterated by the Cybersecurity and Infrastructure Security Agency (CISA), which has launched the Shields Up initiative in response to the Ukraine-Russia conflict. This initiative provides guidance for organizations on how they can bolster their defenses to improve their resilience and response to incidents — with particular emphasis placed on improving ransomware protections.

The risk of cyber threats and cyberattacks from Russia

The Ukraine-Russia conflict is forcing organizations around the world to re-evaluate their cybersecurity risk, revisit their threat models, and build new capabilities in response to potential Russian cyberattacks on critical infrastructure and services.

There has been a flurry of activity in boardrooms across the country as companies scramble to mount an effective response to these cyber threats and develop new cybersecurity strategies and solutions.

At Illumio, many of our customers have asked what they can do to prevent threats from spreading to their IT systems. We have identified two primary sources of risk emerging from this conflict — one highly specific to cyber threats particular to the region and the other more general.

  1. Multinational organizations with locations in Ukraine, Russia or Belarus are worried that malicious actors may compromise their computer networks in these regions. Doing so would give attackers the opportunity to shut down critical assets and to move laterally and infiltrate networks closer to home. This threat is similar to the NotPeya virus that spread out of Ukraine in 2017.
     
  2. Organizations without a presence in this region are worried about the potential repercussions of Western sanctions on Russia. As President Biden’s warning stated, all organizations in the U.S. and allied countries need to prepare for retaliatory cyberattacks. This is especially true for organizations in critical infrastructure like finance, utilities and healthcare.

For the rest of this article, I will outline how organizations can strengthen their cybersecurity and build resilience against the general and specific cyber threats they face as the Ukraine-Russia conflict continues to develop.

Types of cyberattacks to worry about: Focus on ransomware

Many types of cyber threats and a wide range of cyberattacks will likely occur as part of the Ukraine-Russia conflict. However, we anticipate that ransomware will remain the primary cyberattack pattern and type of threat during this moment of crisis.

There are a few reasons for this perspective.

First, ransomware was specifically highlighted by CISA in their Shields Up initiative as the primary threat for which they discuss building a response.

Second, ransomware has already emerged as today’s biggest cybersecurity threat, and we have seen it deployed to disrupt critical infrastructure and supply chains for financial profit. Ransomware has proven that it can cause major damage to the operations of most any kind of organization. We expect to see more of it.

Third, ransomware is a complex cyberattack pattern with many discrete steps and tactics — most of which are used by other cyberattack patterns. This means if you build your resilience against ransomware, you will also build your resilience against most other cyber threats.

Finally, successful ransomware incidents highlight how traditional cybersecurity architectures fail to stop new threats. Ransomware has made it clear that prevention is no longer enough, breaches are now inevitable, and conventional cybersecurity tools and protocols can’t keep up with the speed and scale of today’s cyberattacks.

How to establish a resilient cybersecurity architecture and environment that stops ransomware and other cyberattacks

To build resilience against ransomware and other modern cyber threats, you must first understand how they operate.

I'll break down the common attack pattern most of these threats follow and then provide simple steps to counter this attack pattern and build a more resilient architecture and environment.

Most ransomware attacks are built around three behaviors.

  1. They exploit common pathways. Most modern cyberattacks succeed with fundamental tactics like exploiting software vulnerabilities, misconfigurations, or user errors. To do so, they automatically scan the Internet for open, exploitable ports into a network. They typically target a small set of high-risk pathways (like RDP and SMB), and they follow these pathways to spread quickly through open environments.
     
  2. They are multistage campaigns. Often, modern cyberattacks have to complete many stages of action in between breaching a network and compromising enough assets to shut down systems and demand a ransom. To do so, they typically compromise a low-value asset in the initial breach, connect to the Internet to pull down tools to advance the attack, and gradually work their way through the network to reach high-value assets.
     
  3. They go undetected for months. After breaching an organization’s perimeter, they hide in its network and spend as much time as possible silently building a foothold and increasing their leverage. To do so, they often exploit assets that organizations don’t know they have, travel network pathways that organizations don’t know are open, and leave hard-to-follow trails of data — only making themselves known when they strike.

Fortunately, building cyber-resilient architectures and environments that stop these attacks is simpler than you think. Just take the above attack pattern and build cyber defense capabilities to counter each component. Here’s how.

Cybersecurity capabilities that stop cyber threats and build resilience

There are three main cybersecurity capabilities that can help you counter common attack behaviors and build resilience against ransomware and other related threats.

To learn more details about each of these capabilities — and how to develop them quickly — you can check out our full guide, How to Stop Ransomware Attacks. But here's a quick overview of what capabilities can stop most ransomware threats.

  1. Comprehensive visibility into communication flows. With the right visibility, ransomware and other modern cyber threats will have nowhere to hide. If you have real-time visibility into how your applications communicate with each other, you will have a better chance of detecting these attacks early enough to prevent harm.

    This visibility can also help you identify the unnecessary cybersecurity risks in your environment, centralize and correlate multiple sources of risk data into a unified view of your communication flows, and prioritize which actions to take to harden your environment.
     
  2. Ransomware-blocking. If you can reduce obvious pathways of attack for cybercriminals, you can limit a breach's impact and harm. To do so, you should proactively close as many high-risk pathways as possible, monitor those you have to leave open, and create a reactive emergency containment switch that can lock down your network in seconds during an incident.
     
  3. Isolating critical assets. Finally, if you can limit the ability of an attack to spread from one system to the next, you can prevent ransomware from reaching your critical assets and causing major damage. To do so, you first have to identify your highest value assets and then implement segmentation to isolate and protect those assets within your network — closing outbound connections to unknown and untrusted sources.

If you develop these fundamental cyber defense capabilities, you will rapidly improve your cybersecurity against the attack patterns you'll most likely face over the course of the Ukraine-Russia conflict.

While these capabilities might sound complex and challenging to develop, your ability to rapidly spin them up in your environment depends primarily on which security and network tools you decide to use. Though most legacy tools can't build these capabilities fast enough to respond to the Russia-Ukraine conflict, modern technology like Illumio can give organizations these capabilities in minutes, hours and days.

For the rest of this article, I will explore how Illumio works and explain how it can help you quickly build these capabilities and address the specific security challenges created by this conflict.

How Illumio stops cyberattacks from the Ukraine-Russia conflict

Illumio is a platform that provides visibility and Zero Trust Segmentation controls (including micro-segmentation) to give you new layers of cyber resilience against ransomware and other modern digital threats. Illumio takes a new approach to segment global networks at both broad and granular levels.

With Illumio, you can rapidly build cybersecurity measures for multiple scenarios related to the Ukraine-Russia conflict. If you have assets and networks in high-risk countries — like Ukraine, Russia and Belarus — then Illumio can help in several ways:

  1. Illumio can give you rich, risk-based visibility and application dependency mapping. It can give you a clear picture of how your assets in Ukraine, Russia and Belarus interact with the rest of your organization, highlight any dangerous connections, and help you decide where you may want to block traffic.
     
  2. In minutes, Illumio can block traffic to and from IP addresses running in Ukraine, Russia and Belarus. You can also write exceptions to maintain forensic access to these systems using Illumio’s Enforcement Boundaries capability, which can create a perimeter around these IP addresses in minutes.
     
  3. If you have Illumio deployed across all of your assets, including your assets based in Ukraine, Russia and Belarus, you can use labels to achieve this same blocking capability by writing a policy that says, “If assets are located in these countries, then block that traffic.” With Illumio, you can do this in just a few minutes.

If you are not directly exposed to the conflict but are concerned about “spill over” cyber threats, Illumio can help you update a few core cybersecurity capabilities:

  • Illumio can give you visibility inside your digital infrastructure. With this visibility, you can better understand your risk exposure and better detect breaches, in-progress attacks, and lateral movement from bad actors.
     
  • Illumio can build cyber defense by rapidly enforcing access restrictions at scale, letting you limit suspicious traffic flows, block lateral movement, and shut down command-and-control calls by attackers. Illumio can apply both coarse-grained policies — such as blocking ports for common ransomware pathways like RDP and SSH — and fine-grained policies to protect your unique high-value assets.
     
  • If you have threat feed information that identifies malicious IP addresses related to the conflict, you can use Illumio to block those IP addresses at both the perimeter and within your network, all to build defense-in-depth against likely sources of attacks.

Illumio makes it fast, simple and easy to take these actions and improve your cybersecurity against direct attacks related to the Ukraine-Russia conflict and indirect attacks that might come your way.

Here’s how Illumio does it.

Cyber defense capabilities Illumio provides

Illumio offers a unique approach to building risk-based visibility and segmentation — and meaningfully improving cybersecurity resilience — in minutes, hours or days.

To do so, Illumio:

  • Delivers real-time, risk-based visibility. Illumio creates a comprehensive application dependency map and a real-time picture of the traffic flows across your hybrid digital infrastructure. With this visibility, you will see where you connect to assets and IP addresses in high-risk countries, understand how your high-value assets can be accessed, and see what cybersecurity policies you must enforce in each area of your network.
     
  • Performs host-based segmentation. Illumio configures the native firewall controls that already exist in your operating systems to manage traffic between different systems or between a system and outside networks. By doing so, Illumio can rapidly segment networks and systems at both broad and granular levels, and without the need to reconfigure your network architecture.
     
  • Segments diverse environments. Illumio creates segmentation across multi-cloud, hybrid and on-premises environments. Illumio can segment workloads, endpoints and cloud assets from a single platform and applies policy to any system, including bare-metal, virtual machines, containers and more.
     
  • Simplifies policy management. Illumio makes it fast and simple to apply and maintain policy across any size environment — from five systems to 500,000. Illumio streamlines, simplifies and automates the key stages of segmentation policy management.
     
  • Maintains segmentation as networks evolve. Illumio does not force you to rearchitect your network or manually reconfigure your segmentation tools every time your network changes. Instead, Illumio segmentation policies automatically follow systems even as they move and change.

With Illumio, you can enhance your cyber defenses, gain application-level visibility, distribute new cybersecurity policies at scale, and respond to new cyber threats and developments within the Ukraine-Russia conflict in minutes, hours or days.

How Illumio stops cyber threats in the real world

Many of the world’s most innovative organizations use Illumio to segment their networks and improve their security defenses.

Illumio is used by:

  • More than 15 percent of the Fortune 100
  • 6 of the 10 largest global banks
  • 5 of the leading insurance companies
  • 3 of the 5 largest enterprise SaaS companies

Our customers have used Illumio for visibility and segmentation within modern, enterprise-scale networks. A few recent examples include:

  • An e-commerce site secures 11,000 systems and successfully passes a critical audit
  • A leading SaaS platform protects 40,000 systems under full DevOps automation, including policy and enforcement
  • A large custodial bank isolates $1 trillion per day of financial transactions under federal regulatory scrutiny

Here’s what customers say about Illumio.

“Illumio has filled a gap for which there was previously no solution. In addition to meeting compliance regulations, we have seen drastic improvements in our overall security posture."
— Steffen Nagel, Head of Information Technology, Frankfurter Volksbank (Read the full case study)
 

“Illumio Core enables us to roll out firewall changes much faster than before. Previously, it would be days or weeks. Now it’s minutes or hours.”
— Nick Venn, Global Collaboration and Cyber Infrastructure Manager, QBE (Read the full case study)

“Illumio Core proved to be technically superior, not just in terms of what it offers but also its functionality and how it works. It was the most mature solution that actually delivers on its promises in a way that’s stable and consistent.”
— Jacqueline Teo, Chief Digital Officer, HGC Global Communications (Read the full case study)

Defend yourself against cyberattacks and cyber threats from the Ukraine-Russia conflict — today

We face an uncertain future. There’s no way to predict how the Ukraine-Russia conflict will evolve, how it will end, or what consequences it will bring to the world.

However, we do know one thing — you can no longer wait to improve your cybersecurity defenses. We have watched in real-time as this conflict created dramatic cybersecurity implications for the entire world in a matter of weeks. You must build as much cyber resilience as possible — as quickly as possible — to prepare for whatever comes next.

Contact us today to schedule a consultation and demonstration of how Illumio can help strengthen your organization's cyber resilience.

Or learn more about how to better protect against ransomware. Download our guide How to Stop Ransomware Attacks.

Adaptive Segmentationmicro-segmentation
Share this post: