By Kerri Hatt
WASHINGTON, D.C. — FirstWatch has distributed an alert concerning possible Russian cyberattacks in the coming week to 10 days, targeting communications and public-safety critical infrastructures.
The alert included a recent White House Statement from President Joe Biden noting Russia is in the planning phases of a significant barrage of cyber attacks against the United States, and reported Russian-sponsored cyber aggression at sustained levels never seen before.
In the White House Statement, President Biden urges infrastructure owners and operators to “accelerate efforts to lock their digital doors.”
The FirstWatch statement notes, “Just like with COVID it’s easy to let our guard down or ignore these warnings.” But according to Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, this warning is based on “evolving threat intelligence” that the Russian government is “exploring options for potential cyberattacks on critical infrastructure in the United States.”
FirstWatch noted the federally identified critical infrastructures being targeted include communications, public safety and healthcare operations. “We know that interference with 911 systems by disabling their phone trunk lines and their radio systems is a prime target of Russian state-sponsored actors,” the statement reads. “Many of our colleagues will be in the direct crosshairs of impending attacks.”
FirstWatch also reported a sudden and sharp increase of cyberattacks against public safety targets on Saturday, Jan. 29, 2022.
The team notes, “at FirstWatch, we’ve seen network attacks against our primary firewalls increase from 75 per second to over 1,500 per second and stay at that level over the past three months. In just the past 10 days we’ve seen an increase from 1,000 per second to 1,500 per second. Other companies, government agencies, and universities are seeing the same numbers. Nearly all of this traffic is being generated by Russian actors and spread from Russia and from ISPs that they have taken over in other countries.”
The FirstWatch team shared the following actions public safety agencies can take to be better positioned for increased cyber aggression:
Preparation
- Document your network and systems in detail, clean up your networks
- Develop business continuity plans for handling a breach
- Step up the seriousness of cyber-related threat training as an organizational priority
Enhance security posture
- Backup your data – real-time, incremental, offsite, glacial
- Develop best practices for keeping all hardware patched
- Implement multifactor authentication, ideally with phone-based or stand-alone tokens
- Ensure in policy and practice that there are no rogue devices on your network with IP and MAC scanning and 802.1 authentication
- Don’t leave “hot” network ports open for connection
- Encrypt data at rest and data in motion; PCs, tablets, phones should all be fully encrypted with auto-wipe after set number of failed logins
- Geo-block the known bad actors in your firewalls
- USB devices and ports are not your friend
- Improve training for personnel regarding social engineering and phishing – take a look at www.knowbe4.com
- Think “Zero Trust” as an overall concept – operating as if you are already working with a breach
Organizational vigilance
- Cyber safety and security must be a concern of everyone in the organization
- Understand any regulatory compliance items you are required to meet
- Stay updated on daily and weekly cyber updates issued from official government sources
- Dedicate education budget and time for cyber education and awareness
- If the organization makes cyber security and hygiene a consistent priority, personnel will too
- Encourage personnel to point out cyber concerns and weaknesses to help improve overall positioning, get stronger
Monitor – detect
- Develop logging systems to capture every action passing in and out of your firewalls and edge routers
- Capture traffic bouncing off of your firewalls
- Maintain at least a year of this logging data, it is vital for forensics in tracking down culprits in a breach
- Establish alarms to notify the player and stakeholders when certain firewall events occur
- Develop logging systems for user activity within your network for the same reasons as firewall logging
- On larger networks, consider “honeypot” systems to help identify intruders that leverage access via third-party products
- Study the logs regularly, know what normal looks like so that abnormal jumps out
- Always follow up on the odd things
Response
- Have a planned response to a breach, practice the plan
- Be certain that everyone knows how to sound the alarm as soon as an anomaly is discovered. Most targeted breaches occur at night, on weekends and holidays when more junior staff is usually working – junior staff can be hesitant to sound the alarm
- Know who you will be notifying, such as local and federal law enforcement
- Two to four times per year, confirm that your plan is workable in the ever-changing environment
Additional cybersecurity resources
Learn more about cybersecurity with these resources:
- FACT SHEET: Act Now to Protect Against Potential Cyberattacks | The White House
- Cyber alert: Public safety systems are currently under attack
- On-Demand Webinar: The growing threat of ransomware attacks on public safety agencies
- https://www.cisa.gov/
- https://www.cisa.gov/uscert/
- https://www.cisa.gov/stopransomware
- https://www.dhs.gov/
- https://www.fbi.gov/investigate/cyber
- https://www.ic3.gov/
- https://threatpost.com/
- https://attack.mitre.org/versions/v9/techniques/enterprise/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
- https://www.knowbe4.com/
EMS One-Stop With Rob Lawrence
Listen for more: