February 24, 2023 marked the one year anniversary of Russia’s invasion of Ukraine. When the Ukraine-Russia War began, it commenced the largest military conflict in the age of cyber, leading many to prepare for the cyber domain to become as much of a theater of war as the traditional battleground itself. As the conflict has played out, however, a much different scenario has emerged. Instead of being the architect of a debilitating cyber campaign, Russia’s wartime cyber operations have yielded little military benefit as Ukraine’s defenses continually repelled attacks and Russian cyber weaknesses began to show.
Russia's Offensive Cyber Struggle
In the early weeks of the invasion, Russia used distributed denial-of-service (DDoS) attacks and wiper malware to intimidate and disrupt Ukrainian targets, and many thought these wiper and disruption attacks were just the beginning of Russia’s capabilities. However, it became clear in the initial months of the war that Russia could not sustain the tempo of its custom wiper operations and instead turned to cyber espionage operations to maintain a strategic edge.
As we discuss in our 2022 Annual Threat Report released this week, there's a very good reason that Russia’s use of cyber as a weapon has not had the expected impact. From an offensive side, Russia's inability to launch successful operations and maintain the tempo of its campaigns demonstrates weaknesses in the Kremlin's cyber capacity and poor operational planning by its non-cyber institutions. Additionally, Russia has appeared to struggle with insufficient cyber resources in terms of personnel, custom tooling, and infrastructure.
Ukraine's Cyber Defense Success
The weaknesses in Russia's offensive cyber capacity have been further exacerbated by Ukraine's exceptionally strong defenses. Since Russia invaded Crimea in 2014 — and launched cyber attacks on Ukraine's power grid in 2015 and 2016 — the Ukrainian government has made concerted efforts to shore up its cyber defense capabilities and increase the resilience of its digital infrastructure. Despite these improvements, cyber defense in wartime posed a whole new set of challenges that required a more comprehensive and rapid approach. As Russia launched its invasion of Ukraine, it instigated one of the largest displays of collective cybersecurity in history, as not only governments but also technology companies from around the world jumped in to assist Ukraine in its cyber defenses.
There were many collective defense actions that changed the course of Ukraine's cyber war, including hunt forward operations. Shortly after Russia's invasion, the United States deployed its largest “hunt forward” team in history to hunt for malicious cyber activity on Ukrainian networks – enabling Ukrainian and Western cyber experts to sit side-by-side as they meticulously hunted for any threats or vulnerabilities that might compromise Ukrainian organizations.
In addition to governments providing assistance, the private sector aided Ukraine in migrating its data and services to distributed cloud servers and in enabling automated defense of Ukrainian networks. Various U.S. agencies and cybersecurity groups began establishing mechanisms and processes for bidirectionally sharing intelligence with Ukrainian partners, including indicators of compromise, adversary TTPs, strategic assessments, and more.
Lessons from Ukraine: A Stronger Approach to Collective Defense
Unfortunately, the current state of geopolitics suggests the conflict in Ukraine will not be the last time entities need to work together to provide cyber assistance to a nation under attack. For this reason, it's important to learn from the effort in Ukraine, as Russia’s invasion has given impetus for governments to institutionalize and scale new approaches to mitigate future cyber conflicts.
In the U.S., for example, the White House just released a National Cybersecurity Strategy report with a call for more widespread collaboration between the public and private sectors to defend cyberspace. Specifically, the report points out that the National Cybersecurity Strategy “recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace. It also takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”
We agree with the Biden Administration’s vision of the way forward: “By working in partnership with industry; civil society; and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and more equitable.”
When it comes to public-private partnerships, it's essential that collaboration is based on a shared, real-time picture of cyber threats so all stakeholders can level up their defense through early-warning, anonymous detections with situational context. Though the collective cyber defense assistance to Ukraine has been remarkably effective, a lack of shared visibility has created complications among the entities assisting Ukraine. In short, they don’t have a complete picture of the cyber attacks targeting Ukraine.
This visibility gap exemplifies the need for countries and companies to set up the foundations for collective defense by investing in platforms and tools that can coordinate activity and intelligence between organizations to reinforce better collaboration based on widespread, real-time visibility of the threat landscape.
How IronNet is building a better approach to Collective Defense
Recognizing these issues in public-private collaboration, IronNet has aimed to fill in these visibility gaps with its Collective Defense platform IronDome. IronDome bypasses the latency and bureaucracy faced by typical intel-sharing groups by anonymously sharing real-time attack intelligence to participant organizations. Rather than sharing specific IOCs and intelligence on an ad hoc basis, IronDome automatically and anonymously shares all malicious and suspicious activity in organizations’ networks and generates alerts when similar activity is detected in another environment. In this way, IronDome enables analysts at different organizations to instantaneously collaborate on shared threats and equips them with the proactive intelligence they need to stop intrusions in their tracks.
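The mechanism described above, anonymous sharing of detections plus an alert when the same activity shows up in a second participant's environment, can be illustrated in a few dozen lines. The following is an added example written for this article; it is not IronNet's code and does not describe how IronDome is implemented. The hub key, organization names, indicators and the two-participant alert threshold are all constructed for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical pseudonymization key held only by the sharing hub (constructed value).
HUB_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class SharedDetection:
    """One anonymized detection as a participant would publish it to the hub."""
    org_token: str        # pseudonymous participant identity, never the org name
    indicator_type: str   # e.g. "domain", "ip", "sha256"
    indicator: str        # normalized indicator value
    verdict: str          # "malicious" or "suspicious"


def pseudonymize(org_name: str, key: bytes = HUB_KEY) -> str:
    """Keyed hash: tokens are stable across reports, but participants cannot
    recover which organization reported without the hub's key."""
    return hmac.new(key, org_name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def share(org_name: str, indicator_type: str, indicator: str, verdict: str) -> SharedDetection:
    """Strip identifying data and normalize the indicator before it leaves the org."""
    return SharedDetection(
        org_token=pseudonymize(org_name),
        indicator_type=indicator_type.strip().lower(),
        indicator=indicator.strip().lower(),
        verdict=verdict.strip().lower(),
    )


class Correlator:
    """Hub-side state: which pseudonymous participants have seen each indicator."""

    def __init__(self, threshold: int = 2) -> None:
        self.threshold = threshold
        self.sightings: dict[tuple[str, str], set[str]] = defaultdict(set)
        self.alerted: dict[tuple[str, str], int] = {}

    def ingest(self, d: SharedDetection) -> Optional[dict]:
        """Record a sighting; return an alert only when a new participant joins
        the set of organizations that have seen this indicator."""
        key = (d.indicator_type, d.indicator)
        orgs = self.sightings[key]
        orgs.add(d.org_token)
        count = len(orgs)
        # Repeat reports from the same participant never re-alert; growth does.
        if count >= self.threshold and self.alerted.get(key) != count:
            self.alerted[key] = count
            return {
                "indicator_type": d.indicator_type,
                "indicator": d.indicator,
                "distinct_orgs": count,
                "org_tokens": sorted(orgs),
            }
        return None

    def seen_by(self, indicator_type: str, indicator: str) -> int:
        """How many distinct participants have reported this indicator."""
        return len(self.sightings[(indicator_type.strip().lower(), indicator.strip().lower())])


def run_demo() -> list:
    """Feed a constructed stream of detections through the hub and collect alerts."""
    events = [  # constructed sample detections from three hypothetical participants
        ("Org A", "domain", "Evil.Example", "malicious"),
        ("Org A", "domain", "evil.example", "malicious"),   # duplicate, no alert
        ("Org B", "domain", "evil.example", "suspicious"),  # second org -> alert
        ("Org C", "ip", "198.51.100.7", "suspicious"),
        ("Org B", "ip", "198.51.100.7", "malicious"),       # second org -> alert
        ("Org C", "domain", "EVIL.EXAMPLE", "malicious"),   # third org -> alert
    ]
    hub = Correlator()
    return [a for a in (hub.ingest(share(*e)) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two design choices carry the weight here: the keyed pseudonym means a participant that receives an alert learns that another environment saw the same indicator, not which one, and the correlator alerts on growth in the number of distinct participants rather than on every report, so a noisy sensor at one organization cannot by itself manufacture a "campaign".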
Beyond IronDome, IronNet contributes to the broader community by sharing its metrics and analysis to assist organizations in their cyber defense efforts, contribute proactive intelligence to the cybersecurity community, and improve our collective security. It's in this spirit that our team just released its 2022 Annual Threat Report, an annual overview of the events and trends impacting the cybersecurity landscape in the past year as seen and analyzed by IronNet analysts and threat hunters. The report includes key insight into nation-state activity, ransomware, adversary infrastructure trends, evolving cyber threats, and more.