I’ve seen many vendors talk about nation-state actors throughout my career. I’ve typically been able to tell many of my customers that the nations of the world probably do not care about them. Russia’s invasion of Ukraine changes that. All attackers enjoy the advantage of time; state actors can multiply that advantage many times over. Military personnel and military-sized contractor budgets allow states to be on target at all times. So where does someone without these resources begin to defend themselves?
Attackers are people. They look for economies of scale and reuse successful procedures across their targets. On March 1, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) sent out this alert: AA22-11a, Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. CISA outlines 13 vulnerabilities previously exploited in Russian state-sponsored attacks. The CVE list is a good starting point for spotting attackers reusing known procedures to gain access to a system. While state-sponsored actors likely possess 0-day capabilities, and current events may drive them to deploy those exploits, you should expect attackers to try older capabilities first.
Patching the CVEs in CISA’s alert is a necessary first step to beating Russian state-sponsored actors, but continuing to monitor the associated products is critical to long-term security resilience. We cannot guess what 0-day capabilities might be used, but it would not be surprising to see these same products targeted again. To help customers find these 13 products on their attack surface quickly, we have built a view in Randori mapping the intelligence in CISA’s alert to our customers’ attack surfaces. Threat hunting using the hostnames, IP addresses, and ports related to the targeted applications provides a way to start looking for Russian state-sponsored actors targeting, or already present in, a system.
If you are a Randori customer and would like us to deploy this view, please email email@example.com or contact your customer service manager.
To develop more security resilience related to these targets, consider the following ideas across defensive best practice areas. It isn’t necessary to do everything listed. Any improvements achieved now related to CISA’s intelligence will frustrate attackers, find compromised targets faster, and reduce the impact of realized risk.
Prioritize Visibility of Your Attack Surface
Review and enhance alerting related to any targets matching CISA’s alert. Look for odd patterns of network access, odd users accessing the systems, access by privileged users, and configuration changes. Configure your system to send alerts on firsts: the first time a user authenticates, the first time the server communicates with a new host, the first time an administrator logs in or a user escalates their privilege.
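The "alert on firsts" idea above, as an added example that is not code from the original post or from Randori: a small detector seeds a baseline from a known-good period, then raises an alert the first time a user authenticates to the target, the first time the target talks to a new peer host, the first time an administrator logs in, and the first time a user escalates privileges. The event schema, hostnames, users and addresses are constructed assumptions.

```python
"""First-seen alerting for a CISA-listed target (added example; constructed data)."""
from collections import defaultdict

# Constructed events: (timestamp, target, event_type, subject, object).
# event_type is one of auth, connect, admin_login, priv_escalate (assumed schema).
BASELINE_EVENTS = [  # known-good period used to seed the baseline
    ("2022-03-01T08:00:00Z", "vpn-gw-01", "auth", "alice", "-"),
    ("2022-03-01T08:05:00Z", "vpn-gw-01", "connect", "vpn-gw-01", "10.0.5.20"),
]
LIVE_EVENTS = [
    ("2022-03-02T08:06:00Z", "vpn-gw-01", "auth", "alice", "-"),                    # known user
    ("2022-03-02T09:30:00Z", "vpn-gw-01", "connect", "vpn-gw-01", "10.0.5.20"),     # known peer
    ("2022-03-02T23:41:00Z", "vpn-gw-01", "auth", "svc-backup", "-"),               # first auth
    ("2022-03-02T23:42:00Z", "vpn-gw-01", "connect", "vpn-gw-01", "203.0.113.77"),  # new peer
    ("2022-03-02T23:43:00Z", "vpn-gw-01", "priv_escalate", "svc-backup", "root"),   # first escalation
    ("2022-03-02T23:44:00Z", "vpn-gw-01", "admin_login", "root", "-"),              # first admin login
]

def event_key(event_type, subject, obj):
    """A connect is new because of the peer host; any other event because of the actor."""
    return obj if event_type == "connect" else subject

class FirstSeenDetector:
    """Maps (target, event_type) to the keys already seen; alerts on each key's first use."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, events):
        """Seed the baseline from a trusted period without raising alerts."""
        for _, target, event_type, subject, obj in events:
            self.seen[(target, event_type)].add(event_key(event_type, subject, obj))

    def process(self, event):
        """Return an alert dict the first time a key appears for (target, event_type), else None."""
        ts, target, event_type, subject, obj = event
        key = event_key(event_type, subject, obj)
        bucket = self.seen[(target, event_type)]
        if key in bucket:
            return None
        bucket.add(key)
        return {"ts": ts, "target": target, "rule": "first_" + event_type, "key": key, "detail": obj}

def run(baseline, live):
    """Learn from baseline, then return the alerts raised over live events, in order."""
    det = FirstSeenDetector()
    det.learn(baseline)
    return [a for a in map(det.process, live) if a is not None]
```

Calling `run(BASELINE_EVENTS, LIVE_EVENTS)` yields four alerts, one per "first" in the live data, while the repeat login and the known peer stay silent.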
Implement Least Privilege Around Most Valuable Targets
Take a moment to review access privileges with the associated targets and answer these questions:
- How many people can access these applications and systems?
- Do they all require access or can some be removed?
- How many people have privileged access?
- Are all privileges necessary or can they be reduced or removed?
Be sure to block direct privileged access to these servers and require administrators to log in first with a normal user account before they authenticate again to elevate their privileges.
Use Default Deny to Manage Traffic in Sensitive Areas
Implement default deny policies at all possible security points between the target and other networks. Use any filtering options the target provides, filter at every security gateway along the target’s path to other hosts, and collect logs at all points.
- Block access to your most important targets from any geography without legitimate clients present.
- Block access to and from cloud service providers if possible.
- Prevent these public-facing targets from initiating sessions to any host, internal or external, unless the session is required for normal operation.
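The three controls above as one default-deny decision function, added here as an example and not code from the original post or from Randori. Every flow falls through to deny unless an explicit allow matches: inbound is allowed only from geographies with legitimate clients and only on the exposed port, cloud-provider ranges are blocked in both directions, and the target may initiate sessions only to the listed peers. The target address, ranges, ports and geo table are constructed stand-ins.

```python
"""Default-deny flow evaluation for one public-facing target (added example; constructed data)."""
import ipaddress

# Constructed policy values; none of these addresses or ranges describe a real deployment.
TARGET = ipaddress.ip_address("198.51.100.10")
ALLOWED_INBOUND_GEOS = {"US", "CA"}          # geographies with legitimate clients
ALLOWED_INBOUND_PORTS = {443}                # the only service the target exposes
CLOUD_PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for a provider list
ALLOWED_OUTBOUND = [                         # (network, port) the target needs for normal operation
    (ipaddress.ip_network("10.0.5.0/24"), 389),  # directory service
    (ipaddress.ip_network("10.0.9.0/24"), 514),  # log collector
]
# Constructed geo lookup; a real deployment would consult a GeoIP database.
GEO = {"192.0.2.0/24": "US", "198.18.0.0/15": "AU"}

def geo_of(ip):
    for cidr, country in GEO.items():
        if ip in ipaddress.ip_network(cidr):
            return country
    return "unknown"

def evaluate(src, dst, dport):
    """Return (verdict, reason) for a new session; anything not explicitly allowed is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    peer = dst if src == TARGET else src
    # Cloud-provider ranges are blocked in both directions before any allow rule is considered.
    if any(peer in net for net in CLOUD_PROVIDER_RANGES):
        return ("deny", "cloud-provider range")
    if src == TARGET:  # outbound: the target is initiating the session
        if any(dst in net and dport == port for net, port in ALLOWED_OUTBOUND):
            return ("allow", "required outbound service")
        return ("deny", "target may not initiate sessions to this host/port")
    if dst == TARGET:  # inbound: a client is reaching the target
        if dport not in ALLOWED_INBOUND_PORTS:
            return ("deny", f"port {dport} is not exposed")
        country = geo_of(src)
        if country in ALLOWED_INBOUND_GEOS:
            return ("allow", f"client geography {country}")
        return ("deny", f"no legitimate clients in geography {country}")
    return ("deny", "flow does not involve the target")
```

Log the reason string with every decision; the denies are where hunting for the activity described in CISA's alert starts.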
Segment Your Critical Systems
Any public-facing targets should be in dedicated network segments with security gateways filtering traffic outbound to the internet and inbound to other corporate networks. If the targets are compromised, segmenting them from other portions of the network will slow the attacker down and give defenders more chances to evict them before significant impact occurs.
Review Configuration Guidelines
Review configurations to see if additional hardening can be applied. Use guides from government agencies, trusted third parties or vendors to help craft a secure configuration for each target. Remove any unnecessary services from the systems hosting these targets.
It’s unclear who would be targeted by further Russian interference in private US networks, or whether any more will come at all. What is clear is that US companies have to be ready for anything. This doesn’t mean you have to panic about the state of your attack surface. Just assess where you are, prioritize the work with the most impact, and harden your program one step at a time.