Over the holidays, the information security and foreign policy communities have been digesting information about malicious Russian cyber activity—designated as GRIZZLY STEPPE. This has come in the shape of a US-CERT alert with a link to a 13-page “Intelligence Report” called the Joint Analysis Report (JAR). (There is a more helpful CSV listing of the indicators of compromise from the same link.)
A result of the marrying of data from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), the Intelligence Report claims to provide details of the methodologies, “used by the Russian civilian and military intelligence services (RIS) to compromise and exploit networks and endpoints associated with the US election, as well as a range of US government, political, and private sector entities.”
Despite its good intentions, the JAR recommendations to combat this advanced persistent threat (APT) actor seem to be little more than a restatement of recommendations made in the wake of the Office of Personnel Management (OPM) breach. In fact, many of those recommendations have been widely discussed since the 2011 Cyber Security Legislative Proposal. There is nothing “new” here, and what the JAR recommends has been established best practice since the SANS Critical Controls and the NIST SP 800 series.
The question for SMBs, IT providers, and managed services providers (MSPs) is “are there any new takeaways here?” The answer is, unfortunately, nothing that good security practitioners haven’t already implemented when adhering to the recommended best practices—and beyond. This intelligence report echoes what the InfoSec community has been preaching for some time now, especially when it comes to thwarting ransomware attacks:
“DHS encourages network administrators to implement the recommendations below, which can prevent as many as 85 percent of targeted cyber-attacks. These strategies are common sense to many, but DHS continues to see intrusions because organizations fail to use these basic measures.”
In other words, while the reports may not recommend new practices, they serve as important reminders that we can’t take our eyes off the ball when it comes to security. So what are the basic measures?
1. Patch applications and operating systems
This is a universal best practice accomplished with the use of patch management software.
2. Application whitelisting
This technology is frequently deployed in the struggle against ransomware, and in the newer Microsoft operating systems it is included at no extra cost.
3. Restrict administrative privileges
This is a universal best practice. Please see this report, which makes a bold case for the security value of this recommendation.
4. Network segmentation and segregation into security zones
This is an emerging best practice that helps limit the spread of ransomware infections and controls access to devices such as Internet of Things (IoT) devices and wireless access points.
5. “Input validation”
This is a somewhat confusing way of recommending vulnerability scanning of web applications to ensure a website cannot be compromised by a cyber attack.
6. “File Reputation”
This is another somewhat confusing way of recommending the use of anti-malware technology that applies heuristics and file-reputation data to flag activity that could indicate malware.
7. “Understanding firewalls”
This is essentially recommending the use and configuration of a firewall to control egress and ingress of data at the network boundary.
Despite some confusion in the recommendations, these are all good suggestions. However, they miss one key point:
From the JAR: “The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016…APT29 has been observed crafting targeted spear phishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spear phishing email campaigns.”
The number one thing that IT providers or MSPs can do is “prevent user trickery.”
The most valuable defence against APT attacks or ransomware spear phishing emails is not technological; it comes down to the security awareness of end users. With lots of free (customizable) and paid-for resources out there, working with your customers and users to make this training available to them is a huge win for their security—despite the cyber boogeyman of APT. Here are just some of the great resources you can turn to:
It’s always great to augment all of the above technological recommendations, and user awareness training is an effective and inexpensive technique MSPs and IT providers can use to keep the bad guys, APT, or cyber-criminal from landing into their customers’ business.
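One technological augmentation that follows directly from the JAR excerpt above (shortened URLs and domains that mimic the target organisation) is a simple link triage for inbound mail. The code below is an added example, not something from the JAR or the author; the organisation domain, shortener list and the sample message are constructed for illustration, and the registrable-domain helper is a deliberate approximation that does not consult the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Hypothetical organisation domain and a small set of well-known public shorteners.
ORG_DOMAIN = "example.org"
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot one- or two-character-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (no PSL lookup)."""
    return ".".join(host.lower().split(".")[-2:])

def classify_url(url: str, org_domain: str = ORG_DOMAIN) -> str:
    """Label a URL as trusted, shortener, lookalike or external relative to org_domain."""
    reg = registrable(urlparse(url).hostname or "")
    if reg == org_domain:
        return "trusted"
    if reg in SHORTENERS:
        return "shortener"
    org_label = org_domain.split(".")[0]
    # Close edit distance, or the org's name embedded in another domain, both count as mimicry.
    if levenshtein(reg, org_domain) <= 2 or org_label in reg.replace("-", ""):
        return "lookalike"
    return "external"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage_message(body: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return every URL found in the message body mapped to its classification."""
    return {u: classify_url(u, org_domain) for u in URL_RE.findall(body)}

# Constructed sample spear-phishing body (not a real message).
SAMPLE = """Please review the attached doc: http://bit.ly/2abcdef
Login to verify: https://mail.examp1e.org/owa
Portal: https://example-org.com/login
Ref: https://example.org/policy"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE).items():
        print(f"{verdict:10} {url}")
```

Anything labelled shortener or lookalike is a candidate for quarantine or for a user-awareness prompt rather than an automatic block, since the edit-distance heuristic will also catch legitimate partner domains.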
In the meantime, keep defending; consistency is victory!
Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. You can follow Ian on Twitter® at @phat_hobbit.