Executive Viewpoint

Defending from Within

Geopolitical tension is metastasizing in cyberspace. Last week, CISA, the NSA and the FBI issued an unprecedented advisory on imminent Russian cyberattack campaigns, detailing the modus operandi of these groups. Destructive cyberattack campaigns are being spawned by Russian cyber-militias. Microsoft discovered DEV-0586, a master boot record (MBR) wiper that is detonating within Ukrainian government agency networks. According to a CISA alert, the DEV-0586 malware destroys the MBR and other targeted files. In 2022, organizations must defend themselves against rogue nation states. Given that stark reality, organizations must assume there is a breach and that the adversary will become punitive. A paradigm shift is required: a pivot away from prevention to intrusion suppression.

Mitigating a digital home invasion

The burglary has become a home invasion. We must accept that they will get into the environment, but to prevent escalation, we must suppress their campaign.

With that in mind, visualize a heavily secured compound in Latin America as a metaphor for your organization. There is a fortified wall, external guards, bars on the window, and a guard dog. Inside the house, there is an alarm, a bodyguard, and a panic room. Within this metaphor of the Latin American compound, think about what happens when intruders bypass the perimeter defenses. You must have contextual telemetry to suppress the intrusion. The goal should be to detect, deceive, divert, contain, and hunt unbeknownst to the adversary; that is intrusion suppression.

Your external security (endpoint protection platform) must be integrated with internal security (network detection and response). And as you head to your safe room, access to the corridors should be locked (micro-segmentation) while using decoys (deception technology) to divert the intruder. The guard dog should silently track and hunt an intruder (Hunt Team). You must have the security measures to suppress intruders who are searching for you and that electrical panel (Active Directory). The safe room must be resilient and have an out-of-band communication channel (backups).

The Stratagem of Intrusion Suppression

Given that nation-state attack campaigns hijack digital transformation and subsequently leverage integrity attacks, we must embrace the construct of intrusion suppression to combat these advanced cyberthreat adversaries.

Follow these 10 critical Intrusion Suppression best practices:

  1. Deploy multi-factor authentication for all access.
  2. Disable all ports and protocols that are not essential.
  3. Integrate your NDR with your EPP.
  4. Apply micro-segmentation.
  5. Automate vulnerability management.
  6. Deploy decoys.
  7. Activate Application control in high enforcement.
  8. Deploy Workload security.
  9. Automate an identity compromise detection and response program.
  10. Conduct weekly threat hunting.

In 2022, cyber vigilance is paramount. We must accept that destructive attacks will increase and therefore we must invert the security paradigm to defend from within.


Tom Kellermann is head of Cybersecurity Strategy at VMware. Follow @TAKellermann