Guide For Business: Final checks for reducing risks in the face of nation state cyber attacks based on White House advisory

The President has just announced he has indications that the Russians are targeting our national infrastructure for a possible cyberattack, saying all companies should prepare and raise defenses asap.

This is an important announcement that should be taken seriously by all companies in every sector of the economy and by individuals as well. It is also the first time in history that a President has announced specific indications of a potential cyber attack from an adversary nation. This is absolutely worth paying attention to and worth thinking through your actions in response.

Here is more context:

  • The administration is not publicly revealing the source of the information that resulted in this alert. But assume it is valid enough for the President to put his name on the White House release, so probably a sensitive intelligence source.
  • We do know that specifics of the information were provided directly to the leadership of over 100 firms that operate critical infrastructure last week to enable early action. This release is designed to be more openly shared to encourage action far beyond those initially briefed.
  • The White House also provided advice for improving protections to mitigate cyber threats. The type of advice listed there is widely known and consistent with the type of advice we give to clients and write about for the OODA network, including in our December report on Improving Cybersecurity Posture Before Russia Invades Ukraine.

OODA Recommendations

To help contextualize recommendations to be as actionable as possible, the following is broken down by organization size:

Large Businesses/Large Federal Government Agencies

Almost all large businesses and large government agencies will already have a security program, but if there are any questions about what this should look like, reach out to experts immediately to improve your program (contact OODA here). It can be very hard to make fast changes to a large organization, but starting an improvement plan now is better than waiting until you are under siege.

We recommend large businesses and large federal agencies convene their leadership team immediately to discuss worst-case scenarios regarding infrastructure attack and response, including quick table-top exercises to ensure the entire leadership team is aware of what the threat may mean for continued business operations. The IT and security team should be questioned regarding backup and recovery capabilities, including the last time that recovery was actually tested. The IT and security teams should also ensure core business communications links are redundant so operations can continue during outages of primary links. Secure out-of-band communications should also be put in place, including a means for the executive team to communicate directly and securely with each other (using apps such as Wickr Pro).

This is also a good time to reconfirm appropriate relationships with external partners including the appropriate ISAC for your business sector. Contact the ISAC now and start a dialog on the nature of the Russian cyber threat to your sector. The US DHS security team at CISA has been providing exceptional cybersecurity leadership on topics like countering ransomware and patching big vulnerabilities like Log4j and during a conflict with Russia will no doubt be providing key info to business leaders. One particularly relevant initiative of CISA which we believe will prove instrumental in improving collaboration in time of crisis is the Joint Cyber Defense Collaborative (JCDC).

Continue to push towards a zero trust architecture and continue to train employees on the importance of security.

The White House release is focused on cyber attacks. Also consider what to do in the face of misinformation/disinformation attacks. Large businesses and governments should put plans in place to inform employees, customers and partners of what to do in the face of misinformation and disinformation attacks. Employees should know who to contact inside the organization to confirm questionable information. Leadership should be prepared to rapidly communicate to the public, employees and partners to counter intentionally deceptive information.

Small To Mid-Sized Businesses/State and Local Governments

It is an unfortunate reality that most small to mid-sized businesses and most state and local governments have very thinly staffed security teams. Leaders in these organizations should understand it is incumbent on them to ensure the business can continue when under cyber attack. Fortunately there are best practices that can be followed to help prioritize actions (see OODA’s Cybersecurity Sensemaking Page and Best Practices for Agile Cyber Defense). The US DHS security team at CISA also has insights and advice relevant for mid-sized businesses and state and local governments. We most strongly recommend all small to mid-sized organizations, including governments, review the specific, actionable advice of the Global Cyber Alliance.

Key items to check into immediately include:

  • Ensure you are patching your operating systems and applications. This sounds so basic, and it is so basic. But it is too frequently overlooked and it gets both individuals and companies hacked, again and again. So if you are a home user make sure you do this yourself and if you are a small business make sure you have processes in place for it to be done for all. Leaders in organizations of all sizes should realize it is a common mistake to just assume systems are being patched. Don’t just assume it is going on. Check it.
  • Put multi-factor authentication in place for every employee, including on their use of cloud-based services, and encourage all to do this at home as well. Depending on your business model, you may need to do this for customers and suppliers too. This is very important for a good defense. Some multi-factor methods are still open to attack, so important accounts should additionally be protected by a hardware token, like the YubiKey.
  • Configure your DNS to make it harder on the bad guys. There are simple configuration changes you can put in place that will greatly reduce the risk of malicious code and privacy attacks. There are many options for the changes to make to your DNS, but for most we recommend changing your DNS server to 9.9.9.9 (learn more at Quad9.net and see more options and info at: DNS Configuration Tips).
  • Configure your email to make it harder to be spoofed/phished. By using widely used configurations called DMARC you can significantly reduce the chance that your email will be spoofed and your partners or employees tricked because of you. Learn more about DMARC here.
  • Prepare for the worst. Know what your incident response plan is and make sure it is well documented and reviewed. Ensure it includes notification procedures. Ensure your team is also prepared to respond to “digital swiftboating,” which can come at any time and may involve trolls and haters sponsored by your competitors or even hostile nations. Preparing for incidents means more than just planning. Exercise the plan with realistic, scenario-driven table-top exercises.
  • Ensure you are able to communicate with others in a way that cannot be monitored by criminals/hackers. This is important in day to day business and urgent in incident response. Our recommendation: Wickr Pro, which will allow secure messaging, secure audio and secure video as well as document exchange.
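The DMARC item above is the one check on this list that a small team can verify in minutes, because the policy is published as a plain TXT record at `_dmarc.<your-domain>`. The following script is an added example, not code from the OODA post or from any of the organizations it references: it parses a DMARC record string and reports the settings that leave a domain spoofable (`p=none` monitor-only mode, a partial `pct`, a weaker subdomain policy, no aggregate-report address). The sample records are constructed for illustration, and no network lookup is performed; paste in the TXT value returned by your own resolver.

```python
"""Assess a DMARC policy record for weak settings.

Added example, not from the original post. The sample records below are
constructed; the domain example.com is a placeholder.
"""
from typing import Dict, List

# Constructed sample records for demonstration.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com"
)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # skip empty trailing fragments and malformed pieces
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return a list of findings; an empty list means spoofed mail is rejected outright."""
    findings: List[str] = []
    tags = parse_dmarc(record)

    # Receivers ignore anything that does not identify itself as DMARC version 1.
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (missing v=DMARC1)"]

    # The p= tag is the disposition applied to mail that fails SPF/DKIM alignment.
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; consider p=reject")

    # pct= below 100 applies the policy to only a sample of failing messages.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")

    # sp= overrides the policy for subdomains; a weaker value leaves them exposed.
    sp = tags.get("sp")
    if sp is not None and sp.lower() != "reject":
        findings.append(f"sp={sp} leaves subdomains weaker than the organizational domain")

    # Without rua= you never see who is sending mail as your domain.
    if "rua" not in tags:
        findings.append("no rua= address; you will receive no aggregate reports")

    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        result = assess_dmarc(record)
        print(f"{label}: {result if result else 'no findings'}")
```

A domain that has never published a record at all is the most common case, so treat an empty resolver answer the same as the "no valid DMARC record" finding. Moving from `p=none` to `p=reject` should be done only after reviewing the aggregate reports, so that legitimate senders (marketing platforms, ticketing systems) are covered by SPF or DKIM first.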

Individuals

Your home and personal IT can be used as a launching pad for Russian attacks against others so it is critically important to take personal responsibility to defend your part of cyberspace. One thing all who are more technically savvy can do is to help others protect themselves. We strongly recommend reaching out to friends, family and small business partners to help others understand and execute on:

  • Implementing multi-factor authentication on all accounts.
  • Automating the updating of software.
  • Being aware of fraud methods and the way adversaries make people click links.
  • Using strong passwords, preferably with a password manager.

Stay Informed

It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

About the Author

Bob Gourley

Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. He is CTO of OODA LLC, a unique team of international experts that provides board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high-tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.