Executive Summary

Many businesses are looking to bolster their cyber defences at the moment, as a result of the uncertainty surrounding the conflict between Russia and Ukraine. With the heightened cyber threat, the National Cyber Security Centre (NCSC) has published some advice, as well as the best steps to take to ramp up your security in times like these.

We recommend implementing the following actions swiftly in order to improve your organisation’s security posture and reduce your attack vector, as well as the risk of any cyber threats.

• Patch Critical and High Vulnerabilities – Scan your cyber environment for vulnerabilities and administer critical and high updates to the attack surface of your organisation.

• Close Unessential Open Ports – Scan your business’s public-facing IP addresses utilising tools such as Shodan.io and search.Censys.io (which is free to use) to identify ports that are unnecessarily open, and close them to reduce the attack surface via the firewall.

• Update Endpoint Antivirus Software – Antivirus platforms come out with new detection signatures regularly. Ensuring your antivirus product is updated as soon as new detection signatures are available will put the endpoint in a much better position during these times.

• Regular ‘Offline’ Backups – Ensure an ‘offline’ backup is kept of all critical business systems (one that’s physically taken away from the company network). Making a backup that’s kept separate from your organisation’s network will allow for a recovery point if the network becomes compromised, so in a worst-case scenario you can revert to this point.

• Test Backup Process – Creating a backup is only part of the recovery plan. Testing your backup procedure to ensure that rapid recovery can be achieved will increase your likelihood of success tenfold in the event of a cyber incident.

• Administrator Passwords - Ensure user accounts which have a higher level of privilege (administrators, for example) reset their passwords, and enact a password policy following NCSC guidelines.

• Deploy Microsoft Local Administrator Password Solution (LAPS) – This free tool will allow you to manage local administrator accounts on the domain’s endpoints. Passwords are stored in the Active Directory and protected, so only eligible users are able to access the credentials of an endpoint’s local administrator account.

• Password Reset Policy – Ensure the Service Desk has a process in place to verify any users requesting a password change or reset.

• Active Directory Cyber Health Check – Disable all accounts that haven’t logged into the company network within the last three to six months. If staff require use of that account again, then they will let you know. There are many services and easy-to-use tools out there which will assist with providing a risk score of your Active Directory.

• Removal of Stale Profiles – Stale profiles are an often-overlooked cyber risk, and should be removed.

• Adhere to the Principle of Least Privilege (PLP) - Ensure users have the minimum level of access required to accomplish their duties, and limit administrative credentials to designated admins.

• Validate Remote Access – check and confirm remote access is approved and if not already implemented, ensure you configure multi-factor authentication (MFA) for access.

• Promote Speaking Up – encourage staff to call out any unusual activity on endpoints and suspicious emails, as this could result in the early identification of compromise.

For CSA’s analytical view into the new malware strain being actively exploited in Ukraine (called HermeticWiper), you can take a look at our new threat report - it contains the lifecycle of the malware as it has been currently researched, alongside the indicators of compromise, which can be used to help detect the threat.

If you have any concerns about your cyber security, or are looking for advice on how to strengthen your organisation’s cyber defences, then don’t hesitate to get in touch with us - we have the expertise and knowledge to help out.