GRIZZLY STEPPE: Brought to You by a Lack of Cyber Hygiene
January 10th, 2017
The malicious cyber activity against a major US political party, as well as government agencies, think tanks and universities, by the Russian civilian and military Intelligence Services (RIS) has deservedly attracted much attention. While the actions of the RIS and their sophisticated advanced persistent threat actors are outrageous, perhaps it is also time to take a close look at the role the organizations that were hacked played in leaving the door open to this kind of mischief. After all, the threat was no secret. In his testimony to Congress in the summer of 2015, US Federal CIO Tony Scott said, “Both state and non-state actors are attempting to breach both government and non-government systems. And this problem is not going to go away. It’s going to accelerate.”
No Shortage of Tools
While there is no single agency regulating the cyber security of our political parties and election systems, there is certainly no shortage of tools to help them secure themselves. That is even more true for the breached agency noted in the GRIZZLY STEPPE JAR (Joint Analysis Report). Frameworks and action plans for private and public sector organizations – from FISMA in 2002 to the White House Cybersecurity National Action Plan (CNAP) released in February of 2016 – are well publicized and readily available. Marry these with the NIST frameworks and a roadmap to successfully securing systems becomes apparent.
A Layered Security Approach Helps Overcome Bad Hygiene
Even the most intelligent amongst us can fall prey to highly sophisticated adversaries like APT28 and APT29. Agency IT professionals make tough decisions to balance risk and productivity. Users must have privilege, technology will have vulnerabilities and people are compelled to click on links. Good cyber hygiene and a layered security strategy are recognized best practices found in NIST 800-53, the Cybersecurity Framework and nearly every other government cybersecurity strategy document. But the reality of bad cyber hygiene across government is a known challenge. Donald Davidson, chief of outreach, science and standards in the Defense Department CIO’s Office, recently said, “We just haven’t learned basic cyber hygiene.” With breaches exposing citizen data and national security information, and possibly influencing the electoral process, organizations must take meaningful action.
Recommendations to Mitigate the Next Bear Attack
The DHS recommendations published in light of GRIZZLY STEPPE are thorough and reflect respected best practices. What may be lacking in them is the acknowledgement that locking everything down to the most stringent levels can hinder mission achievement and organizational productivity. Not all risks are equal, so how do you set informed priorities? The recommendations can be summed up like this:
Patch applications and operating systems – The reality is that not all vulnerabilities can be fixed. This makes context-aware vulnerability management critically important to informing an agency’s cyber-risk posture and prioritizing known threats.
BeyondTrust Retina CS works with users to proactively identify security exposures, analyze business impact, and plan and conduct remediation across network, web, mobile, cloud and virtual infrastructure. This enables prioritization of known vulnerabilities, shorter remediation times and increased visibility of emerging threats. BeyondTrust solutions integrate with other solutions including asset management, workflow management and ticketing, patch management, Windows least privilege, and vulnerability management. This allows organizations to group a variety of threat and vulnerability intelligence resources into a proactive defense. Learn how to Change the Game in Vulnerability Management for your organization in this comprehensive white paper.
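The point above is that a raw CVSS score is not a priority: the same finding matters differently on an internet-facing portal than on an isolated kiosk, and a vulnerability with no patch still needs a compensating control rather than being dropped from the queue. The following added example (not BeyondTrust or Retina CS code) ranks a constructed set of findings by combining severity with assumed asset context. The weighting factors, asset inventory, and VULN-000x identifiers are all constructed assumptions for illustration.

```python
"""Context-aware vulnerability prioritization (added example, not vendor code).

The weighting scheme, the asset inventory and the findings below are
constructed assumptions; in practice the inventory and findings would come
from an asset register and a scanner export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # assumed scale: 1 (low) .. 5 (mission critical)
    internet_facing: bool     # reachable by external actors
    holds_sensitive_data: bool


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder identifier, not a real advisory
    asset: str
    cvss: float               # CVSS v3 base score, 0.0 .. 10.0
    exploit_public: bool      # public exploit code exists
    patch_available: bool


# Constructed inventory for a small agency environment.
ASSETS = {
    "web-portal": Asset("web-portal", 4, True, False),
    "hr-db":      Asset("hr-db", 5, False, True),
    "kiosk-pc":   Asset("kiosk-pc", 1, False, False),
    "admin-jump": Asset("admin-jump", 5, False, True),
}

# Constructed findings; note the highest CVSS sits on the least important host.
FINDINGS = [
    Finding("VULN-0001", "kiosk-pc",   9.8, True,  True),
    Finding("VULN-0002", "web-portal", 7.5, True,  True),
    Finding("VULN-0003", "hr-db",      6.4, False, True),
    Finding("VULN-0004", "admin-jump", 8.1, True,  False),
    Finding("VULN-0005", "web-portal", 5.3, False, True),
]


def risk_score(f: Finding, assets: dict) -> float:
    """Combine technical severity with asset context using assumed weights."""
    a = assets[f.asset]
    score = f.cvss * a.criticality        # 0 .. 50 before context multipliers
    if a.internet_facing:
        score *= 1.5                      # exposed to external actors
    if a.holds_sensitive_data:
        score *= 1.3                      # breach would expose protected data
    if f.exploit_public:
        score *= 1.4                      # weaponized rather than theoretical
    return round(score, 1)


def prioritize(findings, assets):
    """Return (vuln_id, asset, score, action) rows, most urgent first."""
    ranked = sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)
    rows = []
    for f in ranked:
        # An unpatchable finding stays in the queue with a different action:
        # it needs a compensating control, not silence.
        action = "patch" if f.patch_available else "mitigate (no patch)"
        rows.append((f.vuln_id, f.asset, risk_score(f, assets), action))
    return rows


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        print("%-10s %-12s %6.1f  %s" % row)
```

Run as a script it prints the ranked queue; the 9.8 on the kiosk lands last, while the unpatched finding on the jump host lands first with a "mitigate" action, which is the kind of context-driven ordering the paragraph argues for.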
Restrict administrative privileges – The most recent Verizon Data Breach Digest states that 91% of successful phishing attacks steal credentials. The potential for damage with control of legitimate credentials is extraordinary. Enforcing least privilege is a crucial best practice for reducing security risk and limiting business disruption from errors or malicious actions.
Least privilege restricts the access rights of users, accounts and computing processes to only those resources required to perform an authorized activity or duty. Benefits include a reduced attack surface, decreased malware infection and propagation, improved operational performance and an achievable path to compliance. BeyondTrust PowerBroker solutions enable effective least privilege implementation with privilege audit capabilities, agentless privileged session management, application password management, dynamic rules and asset groupings, and much more. In the white paper What Is Least Privilege and Why Do You Need It, learn best practices in least privilege implementation and develop a strategy for your organization.
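Least privilege is only enforceable if you can measure drift: which accounts hold rights their role does not require, and how many accounts carry credential- or host-controlling rights before and after that excess is trimmed. The following added example (not BeyondTrust or PowerBroker code) audits a constructed account export against a constructed role policy. The role names, right names and accounts are all assumptions; a real audit would read them from a directory or endpoint export.

```python
"""Least-privilege drift audit (added example, not vendor code).

ROLE_POLICY, PRIVILEGED_RIGHTS and ACCOUNTS are constructed assumptions
standing in for a directory export and an approved role definition.
"""

# Constructed policy: the maximum set of rights each role needs for its duty.
ROLE_POLICY = {
    "analyst":  {"read_reports", "run_queries"},
    "helpdesk": {"read_reports", "reset_user_password"},
    "sysadmin": {"read_reports", "run_queries", "local_admin", "manage_services"},
    "service":  {"run_queries"},
}

# Rights that grant control over other credentials or hosts; holding one of
# these beyond the role is treated as a high-severity finding.
PRIVILEGED_RIGHTS = {"local_admin", "domain_admin", "manage_services",
                     "reset_user_password"}

# Constructed account export: (account, assigned role, rights actually held).
ACCOUNTS = [
    ("j.doe",      "analyst",  {"read_reports", "run_queries"}),
    ("a.smith",    "analyst",  {"read_reports", "run_queries", "local_admin"}),
    ("svc-backup", "service",  {"run_queries", "domain_admin"}),
    ("r.lee",      "helpdesk", {"read_reports", "reset_user_password"}),
    ("t.kim",      "sysadmin", {"read_reports", "local_admin",
                                "manage_services", "domain_admin"}),
]


def excess_rights(role, rights, policy=ROLE_POLICY):
    """Rights held beyond the role's allowance; an unknown role allows nothing."""
    return set(rights) - policy.get(role, set())


def audit(accounts, policy=ROLE_POLICY, privileged=PRIVILEGED_RIGHTS):
    """One finding per over-privileged account, high severity first, then by name."""
    findings = []
    for name, role, rights in accounts:
        extra = excess_rights(role, rights, policy)
        if not extra:
            continue
        severity = "high" if extra & privileged else "medium"
        findings.append({"account": name, "role": role,
                         "excess": sorted(extra), "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["account"]))
    return findings


def privileged_account_count(accounts, policy=None, privileged=PRIVILEGED_RIGHTS):
    """Accounts holding any privileged right.

    With policy=None this counts the current state; with a policy it counts
    what would remain after trimming each account to its role, i.e. the
    attack-surface reduction least privilege buys.
    """
    count = 0
    for _, role, rights in accounts:
        effective = set(rights)
        if policy is not None:
            effective &= policy.get(role, set())
        if effective & privileged:
            count += 1
    return count


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print("%-5s %-11s role=%-9s excess=%s"
              % (f["severity"], f["account"], f["role"], ",".join(f["excess"])))
    print("privileged accounts before: %d, after trimming: %d"
          % (privileged_account_count(ACCOUNTS),
             privileged_account_count(ACCOUNTS, ROLE_POLICY)))
```

Note that the service account is flagged even though it only holds one extra right: a standing domain-level right on a non-interactive account is exactly the kind of loophole the paragraph describes as a path to compromise of legitimate credentials.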
Above all, train, train, train – Ensuring that systems are effectively patched against vulnerabilities, that you have a more complete picture of risks throughout your agency, and that you have closed privileged access loopholes are all effective mitigation strategies, but they can’t keep a user from falling victim to phishing or ransomware schemes. This is where education comes in. A relentless approach to user behavior modification and training – perhaps through mock exercises or Red Team actions – can be effective in driving the point home.