UK NCSC pushes to bolster cyber defences after Russia attacked Ukraine

The NCSC – which is a part of UK’s Government Communications Headquarters (GCHQ), has urged organisations in the UK to follow its guidance on steps to take when the cyber threat is heightened.

While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been a historical pattern of cyber attacks on Ukraine with international consequences.

The guidance encourages organisations to follow actionable steps that reduce the risk of falling victim to an attack.

Balancing cyber risk and defence

The NCSC advises that the threat an organisation faces may vary over time. At any point, there is a need to strike a balance between the current threat, the measures needed to defend against it, the implications and cost of those defences and the overall risk this presents to the organisation.

There may be times when the cyber threat to an organisation is greater than usual. Moving to heightened alert can:

• Help prioritise necessary cyber security work.
• Offer a temporary boost to defences.
• Give organisations the best chance of preventing a cyber attack when it may be more likely and recovering quickly if it happens.

Factors affecting an organisation’s cyber risk

An organisation’s view of its cyber risk might change if new information emerges that the threat has heightened. This might be because of a temporary uplift in adversary capability, if for example there is a zero-day vulnerability in a widely used service that capable threat actors are actively exploiting. Or it could be more specific to a particular organisation, sector or even country, resulting from hacktivism or geopolitical tensions.

VIEW ALL

These diverse factors mean that organisations of all sizes must take steps to ensure they can respond to these events. It is rare for an organisation to be able to influence the threat level, so actions usually focus on reducing the vulnerability to attack in the first place and reducing the impact of a successful attack. Even the most sophisticated and determined attacker will use known vulnerabilities, misconfigurations or credential attacks (such as password spraying, attempting use of breached passwords or authentication token reuse) if they can. Removing their ability to use these techniques can reduce the cyber risk to an organisation.

Actions to take

The most important thing for organisations of all sizes is to make sure that the fundamentals of cyber security are in place to protect their devices, networks and systems.

The actions below are about ensuring that basic cyber hygiene controls are in place and functioning correctly. This is important under all circumstances but critical during periods of heightened cyber threat.

An organisation is unlikely to be able to make widespread system changes quickly in response to a change in threat, but organisations should make every effort to implement these actions as a priority.

• Check your system patching
• Verify access controls
• Ensure defences are working
• Logging and monitoring
• Review your backups
• Incident plan
• Check your internet footprint
• Phishing response
• Third party access
• NCSC services
• Brief your wider organisation

Advanced actions

The NCSC further explains that large organisations should carry out all the actions outlined above, to ensure that the most fundamental security measures are in place.

Organisations and sector regulators using the Cyber Assessment Framework to help them understand cyber risk should note that the CAF contains guidance on all the areas included in the actions above. If an organisation has deprioritised these areas of the CAF, the NCSC advises to revisit those decisions immediately when the threat is heightened.

In addition, those organisations with more resources available should also consider the following steps:

• If an organisation has plans in place to make cyber security improvements over time, they should review whether to accelerate the implementation of key mitigating measures, accepting that this will likely require reprioritisation of resources or investment.
• No technology service or system is entirely risk free and mature organisations take balanced and informed risk-based decisions. When the threat is heightened, organisations should revisit key risk-based decisions and validate whether the organisation is willing to continue to tolerate those risks or whether it is better to invest in remediation or accept a capability reduction.
• Some system functions, such as rich data exchange from untrusted networks, may inherently bring a greater level of cyber risk. Large organisations should assess whether it is appropriate to accept a temporary reduction in functionality to reduce the threat exposure.
• Larger organisations will have mechanisms for assessing, testing and applying software patches at scale. When the threat is heightened, your organisations may wish to take a more aggressive approach to patching security vulnerabilities, accepting that this may have a service impact itself.
• During this time, large organisations should consider delaying any significant system changes that are not security related.
• If an organisation an operational security team or SOC, it may be helpful to consider arrangements for extended operational hours or to put in place contingency plans to scale up operations quickly if a cyber incident occurs.
• If there are systems in place that can take automated action or notifications based on threat intelligence, one might also consider procuring threat feeds that may give information relevant to the period of heightened threat.

[Related: ACCC data shows scam-related losses up by 50%]