On April 11, 2022, three leading InfoSec experts joined Hack, No! host Cricket Liu, Executive Vice President and Chief Evangelist at Infoblox, for a timely discussion titled Using Your Security Ecosystem to Protect the Anywhere Worker in a World of Geopolitical Turmoil. The hour-long event profiled the security measures organizations can take to combat the rapidly increasing Internet risks spawned by the war in Ukraine. Participating panelists included cyber security veterans Tom Kellermann, Head of Cybersecurity Strategy for VMware; Chris Usserman, Director of Security Architecture at Infoblox; and Krupa Srivatsan, Head of Product Marketing for our security products.
Cricket set the stage by asking panelists to describe the main types of cyber security risks that have changed since the onset of the war. Krupa Srivatsan noted the activity around new Ukraine-related lookalike domain names and their use in malware attacks. Prominent malware spread through these attacks included Agent Tesla, a keylogging program used to capture credentials as victims type, and Remcos, a powerful remote access Trojan (RAT) designed to capture victims’ computer screens.
Chris Usserman observed that the use of malicious domains by bad actors tends to spike in times of global upheaval such as that involving the war in Ukraine. Tom Kellermann added that the cyber attacks started several months before the Russian invasion, with successive attacks involving data-deleting wiper software and the reprovisioning of botnets, such as the banking industry Trojan TrickBot.
Panelists also noted that the rise in island hopping tactics, in which threat actors target vulnerable partner networks to find ways to get into a primary target network, means that those partner organizations are now more likely to become attack victims. They mentioned that the sectors most at risk include energy, telecommunications, finance and public health.
The discussion also addressed how the cyber security community was responding to these new threats. Krupa said that the Infoblox Cyber Intelligence Unit regularly shares emerging threat intelligence across the cyber security ecosystem and has accelerated that sharing by posting newly detected indicators of compromise (IoCs) on GitHub. Tom noted that the destructive fallout of cyber attacks from the war in Ukraine has been minimal in the U.S. as the result of unprecedented threat data sharing, notably between the Joint Cyber Defense Collaborative (JCDC) and the larger tech community.
The discussion pivoted to describing specific defensive tactics that organizations can readily deploy. The first of these was simply to make use of security resources open to all organizations. Panelists pointed out that some of the best resources can be found on the websites of CISA, the FBI and the National Cybersecurity Center. They made specific mention of the Shields Up campaign, available through the CISA website, as well as the importance of building relationships with regional FBI and local law enforcement personnel.
Another tactic the panelists encouraged was the use of Response Policy Zones (RPZs), which, when properly implemented and continuously updated with emerging IoCs, automatically block devices from connecting to newly discovered malicious domains. Krupa noted that RPZs serve two purposes: proactively blocking a device from connecting to bad destinations, and isolating an already-compromised device to prevent further spread.
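As an added illustration (not from the webinar and not Infoblox or BIND code), the following Python evaluator parses a small hand-written RPZ zone fragment and shows the two uses Krupa described: QNAME triggers that block newly discovered malicious names, and a client-IP trigger that isolates a compromised host by redirecting every lookup it makes to a walled-garden page. The zone data, domain names and addresses are constructed placeholders; the trigger order (client-IP before QNAME, exact name before wildcard) and the CNAME-encoded actions follow the RPZ draft as I understand it, and the fragment omits the SOA/NS records a real zone needs.

```python
import ipaddress

# Constructed RPZ zone fragment in BIND master-file style (sample data, not an
# Infoblox feed; names and addresses are documentation placeholders).
RPZ_ZONE_TEXT = """\
; --- QNAME triggers generated from an IoC list ---
ukraine-donation-help.example        CNAME .                ; NXDOMAIN
*.ukraine-donation-help.example      CNAME .                ; ...and every subdomain
legit.ukraine-donation-help.example  CNAME rpz-passthru.    ; allow-list exception
c2-update.example                    CNAME rpz-drop.        ; drop the query silently
tracker.example                      CNAME *.               ; NODATA
; --- client-IP trigger: isolate an already-compromised host ---
; 192.0.2.55/32 is written as prefix.B4.B3.B2.B1, i.e. reversed octets
32.55.2.0.192.rpz-client-ip          CNAME walledgarden.example.
"""


def decode_action(target: str) -> str:
    """Map an RPZ CNAME target to the policy action it encodes."""
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-drop.": "DROP", "rpz-passthru.": "PASSTHRU"}
    if target in special:
        return special[target]
    return "REDIRECT " + target.rstrip(".")  # any other target is a walled garden


def parse_client_ip_trigger(owner: str) -> ipaddress.IPv4Network:
    """'32.55.2.0.192.rpz-client-ip' -> IPv4Network('192.0.2.55/32')."""
    labels = owner.split(".")
    prefix, octets = int(labels[0]), labels[1:-1]
    if labels[-1] != "rpz-client-ip" or len(octets) != 4:
        raise ValueError(f"unsupported client-IP trigger: {owner}")
    return ipaddress.ip_network(".".join(reversed(octets)) + f"/{prefix}", strict=False)


def parse_rpz(text: str):
    """Return (qname_rules, client_ip_rules) from a zone fragment."""
    qname_rules, client_ip_rules = {}, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() != "CNAME":
            raise ValueError(f"only CNAME-encoded actions are supported: {line}")
        action = decode_action(target)
        if owner.endswith(".rpz-client-ip"):
            client_ip_rules.append((parse_client_ip_trigger(owner), action))
        else:
            qname_rules[owner.lower().rstrip(".")] = action
    return qname_rules, client_ip_rules


QNAME_RULES, CLIENT_IP_RULES = parse_rpz(RPZ_ZONE_TEXT)


def resolve_policy(qname: str, client_ip: str) -> str:
    """Decide what the resolver does with a query, RPZ-style.

    Client-IP triggers are checked first (so an isolated host is caught for
    every name it asks for), then the exact QNAME, then wildcard QNAMEs from
    the closest ancestor outward. No match means normal resolution (PASSTHRU).
    """
    client = ipaddress.ip_address(client_ip)
    # longest-prefix match among client-IP triggers
    hits = [(net.prefixlen, action) for net, action in CLIENT_IP_RULES if client in net]
    if hits:
        return max(hits)[1]
    name = qname.lower().rstrip(".")
    if name in QNAME_RULES:
        return QNAME_RULES[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in QNAME_RULES:
            return QNAME_RULES[wildcard]
    return "PASSTHRU"


if __name__ == "__main__":
    for q, c in [("login.ukraine-donation-help.example", "198.51.100.7"),
                 ("www.example.com", "198.51.100.7"),
                 ("www.example.com", "192.0.2.55")]:
        print(f"{c:>14}  {q:<40} -> {resolve_policy(q, c)}")
```

In a real deployment the zone is loaded by the recursive server (in BIND via a `response-policy { zone "..."; };` statement in named.conf) and refreshed from the IoC feed by zone transfer, so the evaluator above only mirrors the decision the server makes; the isolation rule is what lets a SOC quarantine a host at the DNS layer while it is being investigated.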
The next defensive tactic up for discussion was the use of SaaS-based DNS security, which panelists mentioned is well-suited to helping protect roaming users in the new age of remote work. They described how SaaS-based DNS security enables all users everywhere to have lightweight security available on a laptop that is hosted and managed from the cloud, ensuring that all devices comply with policies and are not able to connect with known malicious destinations.
Cricket then shifted the discussion to the all-important tactic of ecosystem integration. Panelists observed that in addition to having security solutions that integrate with existing SIEM and SOAR deployments, it is also essential that organizations work with security vendors who believe in open APIs and open ecosystems. Panelists also discussed how proper integration and network context can minimize the number of duplicate alerts different security tools produce.
The panel wrapped up the session by describing security trends such as SASE and new tools coming on the market. Panelists described the extended detection and response (XDR) offering coming soon from VMware and new attack surface detection capabilities in the works from Infoblox.