Written by Uwe Sievers
The cyber war that was feared has not happened so far, but this can change daily. It can therefore do no harm to prepare for possible escalations. This also includes processes to be able to react to a case of damage.
The threat situation created by the Ukraine conflict is a cause of concern for the German security authorities. However, they warn not only of possible direct attacks, for example on critical infrastructure (CRITIS), but also of "spill-over effects". This means that undirected attacks can cause collateral damage that could also affect companies in Germany. The numerous Wiper attacks that have occurred impressively illustrate how easily such damage can occur. The malware used in these attacks usually works quite similarly to ransomware. Wiping operations have also been observed in ransomware attacks. Ransomware is still the most common malware variant and remains very popular among cyber criminals because it is easy to deploy. In the meantime, a veritable ransomware market segment has formed in which individual malware are offered for sale or rent for various actions. However, other new types of malware are constantly appearing, so it is not easy to get an overview of the different variants.
The basis of all protection concepts are functioning backups. They are also considered the most important measure in the security sector. They not only protect against IT failures caused by technical defects and operating errors, but also against malicious activities in the IT network. However, both wipers and ransomware also try to delete backups if they can reach them. To do this, they wait, for example, until an external disc is connected or a remote device becomes accessible.
However, backups alone are not enough. As Log4J recently showed, supply chain attacks pose their own danger, especially for the CRITIS sector. Especially since attacks on a supply chain are usually very difficult to detect, as security expert Christian Avram warned in an interview.
Great importance is still attached to the classic forms of protection, first and foremost end device protection. End devices often have a sensor function in the company, because this is often where the attack is first noticed. If it is then detected and reported by the endpoint protection, the company can ramp up the protective measures. For this reason alone, the effect of this protection should not be underestimated. At the same time, an infected end device can be the gateway into the IT network and malware can spread quickly through it.
As attacks on end devices are often carried out via phishing attacks and corresponding phishing campaigns have already emerged in the context of the Ukraine conflict, precautions should also be taken for this variant. The protection of access data is a top priority. An important component here is multifactor authentication (MFA), because it usually renders a captured password worthless. Still, establishing a company-wide MFA solution is not that easy, as Angelika Steinacker, European head of identity and access management (IAM) at IBM, explained in an interview.
Many companies only realise very late that they are affected by a security problem. That is why they often fall back on SOC providers. Larger companies usually set up their own SOC instead, but this is not very easy. One task of the SOC is to respond to security incidents, also known as incident response or incident management. If there is no SOC, the security department must take care of this. This process is typically divided into three phases, which are explained in more detail elsewhere. The BSI also provides important information on this, in particular BSI Standard 100-4 or its revision 200-4, which is to be published soon. Details on the changes and important points of emergency management were revealed to us by the BSI experts responsible for this. When an emergency occurs, however, the security incident is already in the escalation phase. At this point, it may already be advisable to think about setting up a crisis team, so that a possible further escalation can be sensibly countered. There are different approaches to the work and composition of a crisis team. Companies that have incident management, emergency plans and a crisis team in place should also be well positioned in the current situation.
