The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently issued an alert Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, against the background of Russian troops massing on the border of Ukraine.
Although the alert (co-authored with the FBI and NSA) focuses on possible direct attacks on U.S. infrastructure, it’s also a guide to cyber war defense for any large organization – as we saw with the 2017 NotPetya malware, a cyber attack on Ukraine can go wild and take down systems around the world.
CISA encourages organizations to update their incident response and resiliency plans and stay tuned for alerts from the cybersecurity agency. It also lists 13 vulnerabilities (CVEs) commonly used by Russian-sponsored advanced persistent threat (APT) groups that should be prioritized for patching. The alert goes on to link to reports on Russian-suspected operations such as the SolarWinds software update compromise, for further guidance.
The alert lists common tactics, techniques, and procedures (TTPs) of Russian state-sponsored attackers – from supply chain compromise to password spraying to PowerShell subversion -- mapped to the MITRE ATT&CK for Enterprise framework.
CISA Wants You to “Enhance Your Organization’s Cyber Posture”
The alert also recommends a lengthy checklist of steps to “enhance your organization’s cyber posture,” such as:
- Multi-factor authentication for all users
- Enforcing least-privilege principles
- Enabling strong spam filters
- Prioritizing patching for vulnerabilities often exploited by Russian-sponsored actors
- Network segmentation
and many more.
But like other best-practice lists (see the NIST CSF), the CISA alert doesn’t tell you how to prioritize these mitigations against the day-to-day requirements of budgeting and running an information security program, outside of a couple general references to taking a “risk-based” approach to vulnerability management. How do you turn all this information into a punch list?
The RiskLens Platform with FAIR™ Cyber Risk Quantification Shows You How to Prioritize Your Response to the CISA Warning on Russian State-sponsored Cyber Threats
The RiskLens platform leverages the FAIR standard (Factor Analysis of Information Risk) to enable organizations to prioritize and justify cybersecurity initiatives based on quantitative cyber risk analysis in financial terms. The platform comes stocked with loss event scenarios and industry-specific data to speed analysis.
Train on FAIR quantitative analysis with the RiskLens Academy
RiskLens clients typically start their cyber risk quantification programs with a Rapid Risk Assessment on the RiskLens platform to identify their top risk scenarios ranked in terms of probable loss exposure.
To respond to the CISA alert, the next step could be to map those top risks to the security controls and practices recommended by CISA and MITRE ATT&CK to see which would be applicable to which scenarios. A starting point would be the CVEs, followed by the TTPs. Next, run Risk Treatment Analysis on the platform for a cost/benefit analysis to prioritize any mitigations for return on investment
Alternatively, a RiskLens platform user could review first the listed CVEs, then the TTPs and define what types of loss events (data breach, outage, etc.) could result, then for each event identify the crown jewel assets that could be impacted, then run a risk analysis followed by the cost/benefit analysis for the recommended controls. Also figure in your prioritization whether any of those assets do not already have one or more of the recommended mitigations.
RiskLens is the leader in analytics and data for cybersecurity risk management. Contact us to learn how strategies informed by risk quantification can enhance your organization’s cyber posture.
Related: 3 Steps to Combine MITRE ATT&CK and FAIR to Focus Cyber Risk Management