Cyber Security

Internal code: 4.1

Target groups:

General description
 * (Wired) "A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions."

Interventions
 * (Wired) Crypto donations to white-hat hacktivists
 * (Mikhailo Fedorov on Twitter) The Ukrainian Defense Ministry is asking for infosec help from its citizens. It’s calling up volunteers to join a cyber force that would defend against Russian attacks.
 * Anonymous hacks Russian state media and websites:
   - (Anonymous on Twitter) "The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine"
   - (Anonymous on Twitter) "Russian state TV channels have been hacked and are broadcasting the reality of what is happening in #Ukraine"
   - (Anonymous on Twitter) "More than 6 Russian government websites are down. #Anonymous #Ukraine"
   - (Anonymous on Twitter) "Anonymous has ongoing operations to keep .ru government websites offline, and to push information to the Russian people so they can be free of Putin's state censorship machine. We also have ongoing operations to keep the Ukrainian people online as best we can."
 * (Mick Douglas on Twitter) "This is the playbook you need... but it's not going to be what you think it will be. ... Watch your egress. Firewalls work both ways. Carefully monitor outbound traffic. DMZ servers RESPOND to external requests. Look for DMZ systems initiating outbound. This is what "phoning home" (aka C2) looks like. ... Don't get too hung up on IP address blocks. Geo blocking has some advantages, but the only time Russian groups come from Russian IP space is when they want to rub it in. Start treating the entire internet as hostile... because it is. You 100% must know what "normal" exes are on your systems. App control (it used to be called whitelisting) is no longer a "nice to have"; it's IMO table stakes. Anyone who claims otherwise is giving dated & dangerous advice. If building an app control list sounds hard, you're doing it wrong. Use native logging functions to know the apps that are running on systems. ... You *must* know how your systems are being used, for two reasons. 1. You need to block any app not on your accepted list (set block alerts at highest priority; it might be a legit need, and you'll want to fix that right away). 2. Living off the land attacks... ... The reason it's key that you DEEPLY understand LOL attacks: they are what state-sponsored attackers use when pressured to do so. ... Super critical: don't buy vendor tools to catch the attackers. No matter how good the demo is... it's a demo. ... If your IR plan doesn't have rapid (host and network level) isolation workflows, make that the next thing after the stuff I've talked about in prior tweets. Drill it. You're going to need to work at a speed you likely haven't before. Have a frank talk with your cyber insurance provider. It might get *real* bad. Ask where you will be on the priority list. Chances are if you're not a Fortune single-digit org, you're going to be way down the queue. Find some alternate DFIR firms that will take you on.
Increase your logging, while both filtering out stuff you don't care about at your aggregators, and SHORTENING the retention length for the data you don't need long term."
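The "DMZ servers RESPOND, they should not initiate" check from the playbook above, as an added example (not code from the page or from Mick Douglas): it scans firewall session-start records for DMZ hosts opening connections to non-internal destinations. The log format, the DMZ range 192.0.2.0/24, the internal ranges and the expected-egress list are all assumptions, and the sample records are constructed.

```python
import ipaddress
import re

# Constructed sample firewall session-start records (not from the page); the
# key=value layout is an assumption, not any vendor's real log format.
SAMPLE_LOGS = """\
2022-02-25T10:01:02Z fw1 conn src=203.0.113.45 dst=192.0.2.10 dport=443 proto=tcp action=allow
2022-02-25T10:01:09Z fw1 conn src=192.0.2.10 dst=10.0.5.20 dport=5432 proto=tcp action=allow
2022-02-25T10:01:30Z fw1 conn src=192.0.2.10 dst=198.51.100.200 dport=443 proto=tcp action=allow
2022-02-25T10:02:15Z fw1 conn src=192.0.2.10 dst=198.51.100.77 dport=443 proto=tcp action=allow
2022-02-25T10:03:40Z fw1 conn src=192.0.2.11 dst=198.51.100.9 dport=8443 proto=tcp action=deny
""".splitlines()

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ address range
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# (destination, port) pairs DMZ hosts legitimately reach, e.g. a patch mirror (assumed).
EXPECTED_EGRESS = {("198.51.100.200", 443)}

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+).*?action=(?P<action>\w+)")


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]), "action": m["action"], "raw": line}


def is_internal(addr):
    """True for the DMZ itself and the private ranges behind the firewall."""
    return addr in DMZ_NET or any(addr in net for net in INTERNAL_NETS)


def find_dmz_egress(lines):
    """Flag sessions a DMZ host *initiates* toward a non-internal destination that is
    not on the expected-egress list. Denied attempts are flagged too: a blocked
    beacon is still a sign the host is trying to phone home."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in DMZ_NET or is_internal(rec["dst"]):
            continue
        if (str(rec["dst"]), rec["dport"]) in EXPECTED_EGRESS:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_dmz_egress(SAMPLE_LOGS):
        print(f"DMZ egress ({rec['action']}): {rec['src']} -> {rec['dst']}:{rec['dport']}")
```

Inbound requests to the DMZ and DMZ-to-internal traffic pass silently; the two flagged records are the allowed session to an unlisted external host and the denied one, which the playbook says should page at highest priority.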

Cyber Security Impact measurement

Assumptions
 * Cyber Security cheat sheet
 * Security Operations cheat sheet
 * Threat Intelligence cheat sheet
 * Network Security cheat sheet
 * Cyclops Blink
 * (MIT Technology Review) The USA is unmasking Russian hackers faster than ever

Recommendations

Cyber Security projects