This blog was written by Wayne Anderson, previous Enterprise Security Architect at McAfee.
All politics aside, the United States Department of Justice on Friday unsealed a judicial indictment against a number of individuals alleged to be from Russia’s intelligence services engaged in activities in 2016.
Stepping outside of the context of this party or that party, and politics as a whole – McAfee’s CTO, Steve Grobman, noted, “Attribution is amongst the most complex aspects of cyberwar and the US government is in a unique position to make this attribution assessment. Technical forensics combined with information from trusted intelligence or law enforcement agencies are needed to provide confidence behind identifying actors in an attack or campaign. These indictments clearly show the US has reason to believe Russia interfered with the election process.”
The level of technical detail also offers practical insight for aspects of organizations’ readiness to react to the threat environment.
1) Nation State Activity is Real
At McAfee, we operate our own Advanced Threat Research. We employ many professionals whose entire job it is to find ways to break things, to learn how others have already broken things, and to make decisions on the level of risk it represents to our customers and future customers. Our hope is that our activity is non-disruptive, ethically conducted, and consistent with our corporate values and our commitments to our customers. In today’s threat environment, countries throughout the globe are investing in the cyber capabilities to practice intelligence, deception, and counterintelligence. In the past few years, we have documented the crossover from the cyber capability into kinetic effects.
Whether one service’s actions versus another’s are perceived as “good” or “bad”, or as a matter of “criminal conspiracy” or “policy”, involves many factors and points of view. As a profession, it is critical that we recognize this rapidly growing reality for the fact that it is.
This judicial action is another breadcrumb reminding us as enterprise leaders, especially at enterprises involved in services to organizations of public importance, that sophisticated adversaries need resources to act. Organizations should evaluate their customer base, and the services that they provide, for relative risks. Risk has upside opportunity (“Revenue”) but should also prompt questions internally as to whether an organization or subset requires advanced security controls, or more proactive threat detection and resistance measures.
2) Geo-Location is Practically Irrelevant
For many professionals engaged in the early days of information security, we could leverage aspects of connection metadata to make snap judgements about the trustworthiness of requests. The days of first-jump relays to command and control servers going to a given country’s public IP space or a two-letter country-associated domain are mostly over.
Instead, the organization needs to transition, looking more directly at the behavior of not just users, but of systems, and the access of resources. At McAfee, we have evolved our own offerings in this space to establish McAfee Behavioral Analytics to discern elevated risks that break established patterns and to put advanced tools like McAfee Investigator in the hands of threat hunters.
Whether using our products or not, today’s enterprise needs to rely on security behaviors that do not look for traditional geographic or demographic identifiers as a means of making a strong determination of trust for access and/or threat identification.
When it comes to identity misuse, where multi-factor authentication is possible, it should be implemented, with a decreased emphasis on means which are easily open to interception by opponents (like SMS-based message codes). Yubikey, TOTP-based generators, and interactive application confirmation by providers like Duo Security are all effective measures to make it more difficult to apply credentials intercepted or cajoled from end users by other means.
3) URL Shorteners can be a Risk Indicator
While for many organizations – especially in the realm of social media analytics – the use of URL shorteners has enabled short-format messaging with business intelligence potential, they are often a means to obscure potentially malicious targets. The indictment released by the United States Department of Justice highlights the continuing threat that the combination of URL shortening and the user-focused technique of spear phishing continues to present as a means to attack the enterprise.
Aside from education campaigns to help users distinguish legitimate links and to help them become more sensitive to the risk, the organization can also consider web access methods for greater control and recognition of potential threats.
Systems like User Entity Behavioral Analytics (UEBA) can identify outlier websites not otherwise accessed at the organization and the presence or use of unknown URL shorteners can itself be a risk indicator. The security operations team may want to look at the identification/risk management of certain URL shorteners over time to aid in determining which become commonly seen in the wild in the organization’s recent incidents, and thus could or should be managed in email and web access hygiene.
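The triage described above can be sketched over web proxy logs. This is an added example, not McAfee product code or part of the original post; the log format, the two host lists and the `looks_like_shortener` heuristic are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlsplit

# Assumption: shorteners the organization already recognizes and manages.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Assumption: hosts that make up the organization's normal browsing baseline.
BASELINE_HOSTS = {"intranet.example.com", "www.example.org"}

# Constructed proxy log lines: date, user, requested URL.
SAMPLE_LOG = """\
2018-07-16 alice https://intranet.example.com/wiki/Home
2018-07-16 bob https://bit.ly/2AbCdEf
2018-07-17 carol http://shrt.example/x9Qz
2018-07-17 bob http://shrt.example/x9Qz
2018-07-18 dave https://www.example.org/reports/2018/q2.html?id=4
2018-07-18 erin https://news.example.net/a
"""

def looks_like_shortener(host, path, query):
    """Heuristic: short host, one short opaque path token, no query string."""
    token = path.strip("/")
    return (len(host) <= 15 and not query and "/" not in token
            and 4 <= len(token) <= 10 and token.isalnum())

def classify(url):
    """Return (category, host) for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_SHORTENERS:
        return "known_shortener", host
    if host in BASELINE_HOSTS:
        return "baseline", host
    if looks_like_shortener(host, parts.path, parts.query):
        return "unknown_shortener", host
    return "outlier_host", host

def summarize(log_text):
    """Per-host indicators (first seen, hits, users) outside the baseline."""
    report = {}
    for line in filter(str.strip, log_text.splitlines()):
        day, user, url = line.split(maxsplit=2)
        category, host = classify(url)
        if category == "baseline":
            continue
        entry = report.setdefault(host, {"category": category,
                                         "first_seen": day, "hits": 0, "users": set()})
        entry["first_seen"] = min(entry["first_seen"], day)
        entry["hits"] += 1
        entry["users"].add(user)
    return report

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, info["category"], info["first_seen"], info["hits"], sorted(info["users"]))
```

Tracking `first_seen` and `hits` per shortener over successive runs gives the security operations team the over-time view of which shorteners recur and are candidates for management in email and web hygiene.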
4) Vulnerability Management is a Key Risk Mitigation
I’ve never known a security professional who skips into the office with their coffee and announces, “I love patching servers.” Never. As experienced security leaders, we know how hard it can be to manage the impact to production systems, to identify system owners, to work together to maintain a cadence of patching. Sometimes, even just the heterogeneous nature of the modern operating environment can be its own challenge!
The alleged activity of the identified conspirators reminds us how critical the public attack surface remains in protecting the enterprise as a whole. Try as we might, each of our public infrastructures will maintain a footprint. We “leak” details of our enterprise systems as a necessary byproduct of creating the ability for those systems to technically operate. DNS records. Public IP block ownership. Routing advertisements. Job listings. Employee CVs. Employee social media profiles.
Vulnerability management requires an organization to think about more than patching. Your organization’s threat surface has to be considered in a broader sense to manage holistic threat consideration and remediation. The organization can also use public models as a means to check the organization’s readiness to defend against new vulnerabilities ahead of patching or other long-term remediation.
5) Response Threat Hunting is Hard – Trust Nothing
Despite the best efforts of technical security teams, sometimes intelligence and cues are missed. The reality is that sophisticated adversaries have sophisticated skills and multiple means to stay engaged. They also have reason and/or desire to hide from security teams. As security professionals, we have to put personal ego and hubris aside. Threat hunting in an incident is a time for humble approaches that recognize the adversaries are at or above our own skill level (and hope that is not the case).
In such a case, we go back to a few core fundamentals: we trust nothing. We require validation for everything. Each piece of intelligence goes into the picture, and through our tools to identify additional leads to pursue, and is evaluated for the potential remediation actions it makes possible. While we have talked at length prior about the cyber kill chain, a fundamental truth illustrated in today’s Department of Justice action is that where advanced activity occurs, the entire environment needs to be suspected and become zero trust.
Can you force each network flow to be validated for a time? Can someone from the organization vouch for a piece of software or a specific node on the network? Do your pre-work ahead of time to create the space so that when company brand is on the line, you can use maintenance windows, incident response policies, and similar corporate buffers to buy the “right” to shut down a segment, temporarily block a network flow and see what happens, etc.
6) Your organizational data is in the cloud. Your Incident Response needs to be, too.
The cloud was a key opportunity for the organizations compromised in these activities to continue to lose information. Indications are that when the identity and initial incident were addressed “on premise”, the cloud systems were not connected to those changes.
Your organization has leveraged the advanced capability and time to market of the cloud. Our recent survey of organizations worldwide indicates that the typical enterprise class organization has dozens of distinct providers hosting corporate data. Just as your sensitive information may be stored in those providers, yet is part of your brand value and your delivery strategy, your response plans need to integrate intelligence from those providers – and to those providers – for investigation and mitigation.
Building unified visibility across cloud providers requires a deliberate approach and investment from the organizations. Incident response procedures should include looking at cloud sources for activity from potential Indicators of Compromise, as well as an incident step of considering what actions are needed to manage the risk in cloud providers.
Your cloud is part of your holistic data and threat stance; it also needs to be part of your remediation and resilience plan.
Nation State Actors Remind us of the Fundamentals
The indictment released by the United States Department of Justice describes a multi-faceted effort that involved target research, user-focused phishing, exploiting vulnerable software, malware, and making use of the disconnect between on-premise and cloud management.
For literally years, McAfee has focused on a platform approach to security in our products. We offer software with advancements like OpenDXL and an actively managed ecosystem of Security Innovation Alliance offerings. We make these investments for the simple reason that in order to protect and adapt to continuing threats, your organization needs rapidly available, actionable intelligence. Your organization’s approach to information security should return periodically to verify fundamental information sharing and basic controls, even as advanced capabilities are implemented.