Staying Resilient Against Cyberattacks to Your Organization

As has been widely reported in the media, there is a heightened cyber threat due to the ongoing conflict in Ukraine. A range of Russian governmental and nongovernmental entities have been observed taking preparatory steps for offensive computer actions targeting Western infrastructure. While there is no specific and credible threat to the Chicago real estate community from the most recent information from the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS), staying alert to such attacks is of the utmost importance for all organizations regardless of industry.

There are steps that all organizations can take in assuring they are following the best methods to avoid cyber threats to their operations. First, for your reference, review documents from the DHS regarding protecting vital internal components known as building automation systems (BAS) or supervisory control and data acquisition systems (SCADA).

Second, verify and update your emergency contacts. Cyber-attacks are often intentionally launched on weekends or holidays to maximize confusion within the targeted organization. It is vital that all staff have access to an updated list of after-hours phone and email contacts for key operational leadership.

Finally, please share information about potential threats with your information technology (IT) professional and/or your engineers or engineering contractors. Not only are these professionals responsible for large segments of your cyber infrastructure, but they have also been specifically targeted in spearphishing attacks seeking to compromise these systems.

As outlined by the Cybersecurity & Infrastructure Security Agency (CISA), there is a three-step process to help organizations improve their resilience and reduce vulnerability against such attacks: Prepare, Mitigate, Respond.

Prepare

• Determine your critical operational processes’ reliance on key IT infrastructure.
  • Maintain a current asset inventory to assist in determining components and devices that support your operational processes.
  • Understand and evaluate cyber risk on “as-operated” operational technology assets.
  • Create an accurate “as-operated” operational technology (OT) network map and identify operational and IT network inter-dependencies.
• Identify a resilience plan that addresses how to operate if you lose access to or control of the IT and/or OT environment(s).
  • Plan for how to continue operations if a control system is malfunctioning, inoperative, or actively acting contrary to the safe and reliable operation of the process.
  • Develop workarounds or manual controls to ensure your industrial control system networks can be isolated if the connection to a compromised IT environment creates risk to the safe and reliable operation of OT processes.
• Exercise your incident response plan.
  • Regularly test manual controls so that critical functions can be kept running if OT networks need to be taken offline.
• Implement regular data backup procedures on both IT and OT networks.
  • Regularly test backup procedures.
  • Ensure that backups are isolated from network connections that could enable the spread of ransomware.

Mitigate

CISA recommends critical infrastructure organizations apply the following mitigations to defend against potential future threats and prevent severe functional degradation if the organization falls victim to a ransomware attack.

• Practice good cyber hygiene. Most ransomware attacks exploit known vulnerabilities and common security weaknesses.
  • Update software, including operating systems, applications, and firmware, on IT network assets, in a timely manner.
  • Implement application allowlisting.
  • Ensure user and process accounts are limited through account use policies, user account control, and privileged account management.
  • Require multi-factor authentication for access to OT and IT networks.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
• Implement and ensure robust network segmentation between IT and OT networks.
• Implement a continuous and vigilant system monitoring program.

Respond

Step 1: Should your organization become a victim of ransomware, CISA strongly recommends implementing your cyber incident response plan by using the checklist below. Be sure to move through the first three steps in sequence.

Step 2: Determine which systems were impacted and immediately isolate them.

Step 3: If and only if you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.

Step 4: Assign impacted systems for restoration and recovery.

Step 5: Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis.

Step 6: Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident. Strongly consider requesting assistance from a third-party incident response provider or CISA.

If no initial mitigation actions appear possible:

Step 7: Take a system image and memory capture of a sample of affected devices. Additionally, collect any relevant logs as well as samples of any “precursor” malware binaries and associated observables or indicators of compromise. Note: take care to preserve evidence that is highly volatile in nature—or limited in retention—to prevent loss or tampering.

Step 8: Consult federal law enforcement regarding possible decryptors available, as security researchers have already broken the encryption algorithms for some ransomware variants.

About Titan Security Group

Titan launched in 1994 with a vision for a better way to provide security services to the Midwest. Today, Titan is one of the largest security companies in North America, scheduling approximately 80,000 hours per week, employing more than 2,000 security staff, and have enjoyed over twenty-seven consecutive years of successfully serving our clients across a wide range of industries. Titan delivers results to clients through flexible, customized security solutions, and superior customer service. The Titan approach combines traditional security staffing with electronic security systems to provide integrated, efficient, and customized safety and security solutions from a single source.