Reaction to GRIZZLY STEPPE - how many of the mitigation strategies are you already doing?

GRIZZLY STEPPE is what the Joint Task force (NCCIC & FBI) code-named two specific Russian cyber security attacks on the US in their joint analysis report. To realize in both instances that it was a single user reaction to a spear fishing attack that enabled the hacking, really makes me wonder about how to truly harden an environment -- it's always the people!

I also found it interesting that all of the suggested mitigation strategies are things we should be doing as data center best practices! I was so happy to see backups at the top (same feeling I got when I saw Rogue One -- backups are so critical!!), but seriously start on page 6 for the mitigations. I will say, since people were the vulnerability, why is staff training #3?

I did think it was cool to read this report and realize: this is my career. So, how are well are y'all doing the stuff on that list?

Find more posts tagged with

Best Practices

grizzlysteppe

hacking

Accepted answers

All comments

designerfx

Wait, what? Isn't this just about people being the weakest points in security yet again? I kid, I kid.

These mitigation suggestions should ideally already be standard practice in a number of environments, no? EG:

review who traffic is going to, identify things through known signatures, use something like SIEM, watch out for vulnerabilities, etc?

gminks

YES! This was my thought exactly when I read through the report.

The people thing -- have you ever watched any of the social engineering capture the flag game at DefCon? It's terrifying and beautiful at the same time. When I wrote training for EMC about SANs, the chapter about security always talked about the people. That's why the backups are so important, no one can protect you from your users. Good users make mistakes that lead to data loss, angry users do it on purpose.

designerfx

I always watch a lot of the defcom stuff, but I did not read the CTF at Defcon that I recall? Reading now, seems like what I'd expect it to be I love learning and keeping up with that stuff, as well as keeping Schneier's blog and techdirt at the top of my RSS feed. Applebaum's defcom speech is probably a very useful baseline for every IT person to ever watch at this point.

gminks

Here's the link to the final report: http://www.social-engineer.org/wp-content/uploads/2016/11/Social-Engineer-Capture-The-Flag-DEFCON24-SECTF-2016.pdf

They had a really hard time keeping people quiet during them....these guys are really good at getting people to give up info!

Also, this talk on overthrowing the government was pretty good too. At the time, I kept thinking -- who has the time and money for all this stuff? But....I've been thinking about this talk a lot recently.

DEF CON 24 - Chris Rock - How to Overthrow a Government - YouTube

tinmann0715

As a junior security expert my thoughts are that they prepared the content of the JAR in anticipation of it reaching an audience that extends past the cyber-security realm. They knew it was going to reach c-level, executives, and business leaders. So they wanted to reinforce the basics of what every sound security discipline should follow.

gminks

Good point! It does follow the NIST cybersecurity guidelines. https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

rschroeder

Unplug. Isolate.

Behave ethically.

Work towards a world where reasons for negative behavior continually decrease. Meaning treat all people--no matter their color, creed, orientation, nationality, height, ability, eye color--equally.

Elect people who will do this. Who will ensure safety for children growing up, and their good nutrition. Who will provide equal education for all. Who won't play favorites.

If we want a world where firewalls and ant-virus are unnecessary, where a young woman can walk anywhere at anytime in complete safety, where the strong don't prey upon the weak, work towards it.

Reacting to attacks by increasing security only means more sophisticated attacks tomorrow, and greater need for even more security--a never-ending cycle.

Instead, focus on the root cause of the negative behaviors and change the conditions that cause them.

tallyrich

Very interesting - who'd of thunk having a cafeteria would help to "hack" a network.

Thanks for posting - and the little bit of scare that you added to all of our days.