At the end of last week, Digital Shadows’ CISO, Rick Holland, released his blog Russian Cyber Threats: Practical Advice For Security Leaders. In that blog, Rick emphasized the importance of developing intelligence requirements to help understand the Russian threat to your organization. As the war between Russia and Ukraine continues, we in the Photon Intelligence team thought it would be helpful to share a public-facing version of our Priority Intelligence Requirements (PIRs). In doing so, we hope they inspire you to create your own, or adopt ours, to better prepare for the cyber threats arising from Russia’s invasion of Ukraine.
While the PIRs we use at Digital Shadows (now ReliaQuest) could be helpful to you, the reality is that you will need PIRs that adequately capture the potential threat from offensive Russian cyber activity unique to your business. As such, it would always be best to create and adapt your own PIRs if you can. We published a blog last year titled Let’s Talk About Intel Requirements that will be a good read for anyone new to this concept. Simply put, intelligence requirements translate to questions that need answering regarding the threat landscape. These overarching requirements could come from your CISO, the Security Operations Center (SOC), or you might be working on a proactive project. But the questions are designed to help you gather the information you need to answer the original request. In this case, your CISO might say, “tell me everything you know about Russian cyber attacks.” Using intelligence requirements can help you cover every conceivable angle of that wide-reaching question. You don’t have to be MI6 or CIA to see the practical value of intelligence requirements.
PIRs are essential to any good response plan. They provide direction for an intelligence analyst to collect information. They also help plan resources and identify gaps in your current capabilities – both so important at a time like this. Research can become disjointed without the focus that PIRs bring, meaning you miss potential threats.
Below are our shareable PIRs that we’re using at Digital Shadows (now ReliaQuest) to drive our intelligence collection on the Russia-Ukraine war, along with a short explanation about why we’re interested in this information. For context, after some careful consideration, we’ve assessed some geographies and sectors to be at greater risk from Russia-linked cyber attacks – I’ll refer to these throughout this blog as “at-risk entities.” We assess these entities to be at greater risk because they are most likely to be affected by retaliation to the imposed sanctions. Clearly, Ukraine is most at risk, but so too are NATO and EU member states, and other countries that have imposed sanctions against Russia. The sectors we consider to be most at risk from Russia-linked attacks – where an attack would be most appealing to Russia and would cause the most impact – during the current crisis are below:
We can also drill down on these PIRs with some sub-IRs. Sub-IRs help focus collection further, ensuring you get the specific detail you need in each scenario. Some appropriate sub-IRs could be:
Now, let’s dive in.
Offensive cyber activity targeted towards an at-risk entity could come in any form: destructive malware, a DDoS attack, or perhaps an extortion attempt. Any offensive cyber activity conducted during the current conflict will likely be difficult to attribute, although suspicions will point towards the Russian state. Learning from previous attacks is one of the best ways to defend against a future attack. And just because an attack hasn’t been attributed to a particular threat actor or group doesn’t mean there aren’t learning points.
Here are some things you could glean from an unattributed attack:
You can pool all this information into planning for a tabletop exercise that Rick suggested was essential to defense and planning in his blog. Not only that, network defenders would do well to collate the TTPs, IoCs, and targeting preferences of prominent Russian APT groups like “APT28”, “APT29”, “Gamaredon”, and “Sandworm.” Use this information to protect against a Russia-linked cyber attack, rather than respond to one.
While the focus is on cyber and kinetic attacks emanating from Russia, let’s not forget that Russia is also likely to be targeted. As the world condemns Russia’s actions, that condemnation could result in an offensive cyber attack directed at Russian infrastructure. An offensive attack on Russia by anyone, particularly governments in at-risk geographies, is interesting in its own right. But, what will be more interesting is what comes next.
While nothing suggests that Western states plan an imminent cyber attack on Russia, it is realistically possible, particularly if the war escalates further. Any such cyber attack would likely be disruptive and conducted to hamper Russia’s internal communications, causing their progress through Ukraine to slow. Such an attack would highly likely spark retaliatory action from Russia directed at the aggressor and potentially the aggressor’s allies. Any cyber attack on Russia should put us all on high alert, and we should adopt the strategies considered in PIR1.
We’ve already seen two new types of malware, WhisperGate and HermeticWiper, being used in attacks against Ukraine. Both are designed to be destructive and mimic ransomware to throw security teams off the scent. Although only observed targeting Ukraine for now, it is realistically possible that these, or other, destructive malware could be used against any entity deemed a threat by the Russian state. With that in mind, it’s crucial to stay up to date with new malware campaigns so that new TTPs or IoCs can be incorporated into playbooks as soon as possible.
While campaigns to date have been for disruption purposes, it is realistically possible that Russian threat actors could deploy new malware for intelligence gathering purposes as the conflict continues. They may also consider attacking the supply chain in at-risk geographies to cause maximum impact and damage. Collecting information on these threats improves preparedness for these situations.
The threat from ransomware attacks is unlikely to wane for any business during this troubled time. On top of that, the ransomware group “Conti” has stated that even though they do not support the ongoing conflict, they are supportive of Russia. The group claims they are willing to “use our full capacity to deliver retaliatory measures” against Western entities that target Russian Critical National Infrastructure (CNI), or the CNI in Russian-speaking countries. We also know that the cybercriminal group “Evil Corp” is linked to the Russian state, and they frequently dabble in ransomware. Therefore, it is realistically possible that Russia will direct Russia-associated ransomware groups to conduct a cyber attack against an at-risk entity during this time. Any such direction will likely remain a well-kept secret between the Kremlin and the ransomware operators. Regardless, keeping watch on ransomware developments, and gathering TTPs and IoCs, will improve your organization’s chances of responding successfully to an attack should it come.
The most active ransomware group in Q4 2021, “LockBit”, also released a statement over the weekend claiming they are apolitical and are just in it for the money. While that’s not entirely bad news for organizations concerned about threats arising from the Russia-Ukraine war, I suppose it’s not really good news either. LockBit’s activity levels have been very high for at least the past six months, and I’m guessing they won’t let geopolitical events stand in the way of maintaining that record.
Clearly, all attacks on CNI are a big deal for any nation. Targeting CNI sends a direct message from the perpetrators – they are there to cause the most significant impact on the targeted country. In 2016, the Russian government conducted a cyber attack on the Ukrainian power grid using the “KillDisk” malware. The malware overwrote critical system files on operator machines, causing them to crash and become inoperable, resulting in a power outage for over one hour. Russia is a heavyweight in oil and gas production. It stands to reason that Russia might target this sector in response to sanctions imposed against them – hit ‘em where it hurts, so to speak.
Any attack on CNI during this period of conflict will likely highlight Russia’s targeting interests and which nation is causing them the most concern. Being aware of any such attack will help other countries prepare for an attack in kind. Incorporate TTPs and IoCs into playbooks at the earliest opportunity and position security teams to be on high alert. Organizations that provide support to CNI should also be on high alert. With cyber threat actors often favoring supply-chain attacks, it’s realistically possible that Russia-linked threat actors will compromise third parties as a means to disrupt the critical processes of a nation opposing their regime.
While we don’t need to monitor every kinetic action that Russia or Ukraine take, keeping up to date with significant changes to the geopolitical situation is key to planning cyber defenses. Russia’s expulsion from SWIFT is a key example of a development likely to have a demonstrable impact on cyber risk. For a while, it wasn’t clear if the West would take this step, but now having done so, it’s realistically possible this could steer Russia towards conducting additional cyber attacks. Likewise, were Kyiv city to be taken or Ukrainian President Zelensky deposed or assassinated, it’s realistically possible that the developments could trigger a cyber response from Ukraine’s allies. Staying up to date with geopolitical developments will likely help predict if a cyber attack may come your way.
It’s always interesting to know what cybercriminals are talking about when it comes to current events. Usually, we’re looking for reactions to law enforcement takedowns and arrests, but their opinions on geopolitical events could also provide us with clues on how best to defend our networks. We’ve already started collecting cybercriminal reactions to the Russian invasion. Perhaps cybercriminals might discuss whether they plan to suspend or increase their activity. They might even discuss likely targets in the Western world that could fall victim to a Russia-linked attack. They might not. But tracking cybercriminal reactions typically provides insight into what comes next in the cybercrime threat landscape and, therefore, should not be forgotten when deciding PIRs.
Hacktivist groups have already waded into the Russia-Ukraine war, launching attacks against several Russia-linked entities. At the time of writing, the hacktivist group “Anonymous” has claimed responsibility for DDoS attacks on Russian government websites and the state broadcaster Russia Today (RT). Anonymous says they plan to keep Russian IT systems and hackers busy, so they don’t have a chance to conduct a cyber attack on Ukraine or the West. However, pro-Russian hacktivists have also been active against Ukrainian websites, launching DDoS attacks in their spare time. While hacktivism is typically not directed by the states with which these groups affiliate themselves, it is an excellent indication of political feeling amongst the hacking community. Like cybercriminal reactions, tracking the reactions of hacktivist collectives could prove helpful when creating PIRs and planning responses.
Once you have developed your requirements or questions, you’re probably wondering how you go about answering them. After planning, the next stage in the intelligence cycle is collection. Creating an intelligence collection plan is ideal for structuring your collection efforts and identifying what resources and sources you’ll need to answer your PIRs. Look out for more Digital Shadows (now ReliaQuest) content on this in the next week. Digital Shadows (now ReliaQuest) has been closely monitoring cyber threats associated with the Russia-Ukraine war. For more Digital Shadows (now ReliaQuest) intelligence on events in Ukraine and Russia, please visit: https://resources.digitalshadows.com/russian-news-and-updates. While this blog focuses on threats emanating from Russia, Rick’s final sentiment remains as important as ever; don’t hyperfocus on a single threat; build a program that protects against most threats.
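As an added example (not code from this post or from Digital Shadows/ReliaQuest), here is the planning-to-collection step as a small coverage tracker: PIRs and sub-IRs are constructed from the themes the post discusses rather than the team's real wording, the collected items and source names are placeholders, and the output shows which sub-IRs are still unanswered, the collection gaps the post says PIRs help identify.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SubIR:
    id: str
    question: str

@dataclass(frozen=True)
class PIR:
    id: str
    question: str
    sub_irs: tuple  # tuple of SubIR; each sub-IR focuses collection further

@dataclass(frozen=True)
class IntelItem:
    """One collected report, tagged with the sub-IR it helps answer (constructed)."""
    source: str
    sub_ir: str
    summary: str
    iocs: frozenset = frozenset()   # e.g. file hashes; placeholders below
    ttps: frozenset = frozenset()   # MITRE ATT&CK technique ids

# Constructed PIRs/sub-IRs modelled on the post's themes; assumption, not the team's list.
PIRS = (
    PIR("PIR1", "Is offensive cyber activity being directed at at-risk entities?",
        (SubIR("PIR1.1", "Which malware families or DDoS methods were used?"),
         SubIR("PIR1.2", "Which sectors and geographies were targeted?"))),
    PIR("PIR2", "Are new destructive malware families being deployed?",
        (SubIR("PIR2.1", "What TTPs and IoCs are associated with each new family?"),
         SubIR("PIR2.2", "Has targeting expanded beyond Ukraine?"))),
    PIR("PIR3", "How are ransomware groups reacting to the conflict?",
        (SubIR("PIR3.1", "Which groups have declared a political position?"),)),
)

ITEMS = (  # constructed sample collection; sources and hashes are placeholders
    IntelItem("vendor-report-A", "PIR2.1", "Wiper posing as ransomware",
              iocs=frozenset({"sha256:PLACEHOLDER_1"}), ttps=frozenset({"T1485"})),
    IntelItem("forum-monitoring", "PIR3.1", "Group announces retaliation stance",
              ttps=frozenset({"T1486"})),
    IntelItem("vendor-report-B", "PIR2.1", "Second wiper sample",
              iocs=frozenset({"sha256:PLACEHOLDER_2"})),
)

def coverage(pirs, items):
    """Per PIR: which sub-IRs have at least one report, which are still gaps."""
    answered = {i.sub_ir for i in items}
    report = {}
    for pir in pirs:
        done = [s.id for s in pir.sub_irs if s.id in answered]
        gaps = [s.id for s in pir.sub_irs if s.id not in answered]
        report[pir.id] = {"answered": done, "gaps": gaps,
                          "pct": round(100 * len(done) / (len(pir.sub_irs) or 1))}
    return report

def playbook_feed(items, pir_id):
    """Aggregate IoCs, TTPs and sources for one PIR, ready to push into playbooks."""
    chosen = [i for i in items if i.sub_ir.startswith(pir_id + ".")]
    return {"iocs": sorted(set().union(*(i.iocs for i in chosen))),
            "ttps": sorted(set().union(*(i.ttps for i in chosen))),
            "sources": sorted({i.source for i in chosen})}
```

Running `coverage(PIRS, ITEMS)` flags PIR1 as entirely uncovered and PIR2.2 as open, which is where collection effort should go next.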