Grizzly Steppe, the FBI, and Practical Strategies for Defending your Network

After months of speculation relating to Russian interference in the U.S. election, DHS and the FBI issued a rather detailed Joint Analysis, detailing the methodologies and techniques used by the Russian intelligence services and their associated threat groups.

The U.S. government is not saying that Russia “tampered with vote tallies in order to get Donald Trump elected President,” but believe that Russia is behind cyberattacks that targeted the Democratic National Committee and a host of other U.S. entities. So what does this mean for you as a business owner, employee, or consumer? If Russian hackers are capable of infiltrating a highly ranking organization like the DNC, then they are most likely capable of hacking your company server or private email account.

The 13-page report, titled ‘GRIZZLY STEPPE – Russian Malicious Cyber Activity’ does not contain all of the information collected by U.S Intelligence agencies, as it is classified by DHS and FBI as being Traffic Light Protocol (TLP) White. The published JAR (Java ARchive) does provide a summarized analysis on IOC (Indicators of Compromise) relating to IP addresses, signature files, common signatures patterns, and more. All of this information is very useful to regional operators, ISPs, security administrators, etc.

Looking beyond the summarized IOC’s, what was noticeably lacking is any reference to unique malware patterns.  No zero-day attack methodologies were in use. In short, the breach occurred using a common attack pattern. All GRIZZLY STEPPE incidents (DNC Hack, Wiki Leaks, etc.) began with relatively simple email phishing campaigns utilizing fraudulent emails and look-alike domains, tricking their receipts into revealing sensitive password information. Once system access was obtained, threat actors did their damage. While falling for this type of common attack can leave a victim(s) feeling embarrassed, the upside is that following established cyber security best practices can reduce, or eliminate, this risk.

From a security posture standpoint, there are practical and immediately actionable defensive strategies that could have prevented these breaches.  It is estimated that 85 percent of targeted cyber-attacks could be prevented by implementing these top seven mitigation strategies.

1. Patch applications and operating systems – Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.
2. Application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software.
3. Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.
4. Network Segmentation and Segregation into Security Zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services and limits damage from network perimeter breaches.
5. Input validation – Input validation is a method of sanitizing untrusted user input provided by users of a web application, and may prevent many types of web application security flaws, such as SQLi, XSS, and command injection.
6. File Reputation – Tune Anti-Virus file reputation systems to the most aggressive setting possible; some products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.
7. Understanding firewalls – When anyone or anything can access your network at any time, your network is more susceptible to being attacked. Firewalls can be configured to block data from certain locations (IP whitelisting) or applications while allowing relevant and necessary data through.

As an employee of an organization, it is likely the mitigation techniques listed above are out of your control.  However, you are the initial target of most targeted cyber-attacks. Knowing the role you play and how to deter threats by leveraging what you can control will substantially improve the security posture of your organization.

1. If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company.
2. Do not reveal personal or financial information in social media or email, and do not respond to solicitations for this information. This includes following links sent in email.
3. Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL often includes a variation in spelling or a different domain than the valid website (e.g., .com vs. .net).
4. If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.

Breadcrumb is a cyber security and executive advisory firm that assists organizations throughout the U.S. Contact us today for a no-obligation consultation.

Author: Brian Horton, CEO