Preparing for Russian State-Sponsored Cyberthreats

EPISODE 12: THINK BAD, DO GOOD


Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy, AttackIQ

Guests: Adam Moore and Ken Towne

In the face of Russian aggression and with the risk of potential cyberattacks increasing, it’s time to make sure that your cyberdefense shields work. Join Ken Towne, Adversary Emulation Engineer, and Adam Moore, Head of Adversary Research and Development, as they talk with host Jonathan Reiber about threat behaviors that are being observed at this moment, how organizations can improve their cybersecurity readiness, and steps teams can take to validate their defenses against Russia-based attackers using a new attack graph in the AttackIQ Security Optimization Platform.


Transcript

Jonathan Reiber:

Welcome everyone to today’s edition of Think Bad, Do Good. Appreciate you tuning in. I’m Jonathan Reiber. I’m your host and Senior Director for Cybersecurity Strategy and Policy here at AttackIQ. And we have Adam Moore and Ken Towne on our research team. Adam, why don’t you say your title? Start with you.

Adam Moore:

Head of R&D for content.

Jonathan Reiber:

And Ken?

Ken Towne:

I’m one of the Adversary Research Engineers on Adam’s team focused on threat actors.

Jonathan Reiber:

Great, thank you both for joining today. We’re gathering in the middle of the unfolding conflict in Ukraine, where Russia has invaded, as everyone knows by now. History is happening in front of us, and at AttackIQ the purpose of our company is to build assessments and adversary emulations to help security programs prepare for known threats. That’s why we are here. That’s what we’ve been doing since the founding of our company.

So we are here to help organizations prepare for this contingency by testing their defenses, to see how well they perform. We have launched a new attack graph, which emulates Russian hostile actors based in Russia and emulates their tactics and techniques against your security program. So that’s one of the things we’re gonna talk about today and really go into depth and what that means for your response and why and how that can help you get ahead of the potential threats that we face.

So Ken and Adam are two of the smartest people in our company on these issues. So they’re gonna be the subject matter experts. And we’re just gonna guide you through the conversation a little bit. So Adam, I thought we’d start by looking at what we’re seeing in terms of known threats and threat behaviors that are unfolding right now.

Adam Moore:

Yeah, sure. So, uh, you know, as Russia has been ramping up for this invasion, combining kind of a full-spectrum approach of hybrid warfare, there’s of course been, you know, just scoping to the last six weeks or so, beginning in mid-January, what was reported and publicly called WhisperGate: a Russian APT and destructive malware masquerading as ransomware. So that was happening about January 13, and then fast forward to February and, you know, continuing psychological operations, uh, information operations from proxy actors such as UNC1151, which has also perpetrated some website defacements and other things like that. And then on February 23rd, a day before the invasion, hours before actually, Russian APT threat actors deployed HermeticWiper, destructive malware, to hundreds of machines in Ukraine. And so that, you know, targeting is ongoing as well. And that’s the summary there.

Jonathan Reiber:

That’s right. So Russia has advanced cyberspace operational capabilities that we were anticipating them using against both Ukraine and U.S. interests globally. And so you’ve just outlined some of the tactics and techniques and capabilities that they’ve been deploying, but keep going.

Adam Moore:

Yeah. So even during and after the physical invasion, UNC1151 [a cyberspace intruder believed to be based in Belarus] began a campaign… basically using a compromised Ukrainian service member’s email to target European officials involved in transportation, financial and budget allocation administration, and population movement within Europe, seemingly with the goal of potentially disrupting Ukrainian refugee and population movements and supply transport movements, things like that. So the cyber dimension is definitely also still in full swing and continuing.

Jonathan Reiber:

Ken, I thought for folks tuning in for the first time who maybe haven’t been thinking about adversary emulation and the importance of continuous automated security control validation, it might help to start with some readiness tips for an organization, given that we know the threats that are occurring right now are gonna be expanding against global interests. What are some tips that you would recommend folks take to get ready today?

Ken Towne:

Yeah. So in my eyes, it’s really all about understanding what defense-in-depth really means and understanding that when an attacker sets their sights on you, you know, you have multiple opportunities to catch their behavior before they reach their final goal. And yes, it’s not always great if they make it to the installation phase and get some command and control in, but if you can stop them from getting what they really want, that’s a success. And so testing your controls across the entire kill chain is what’s most valuable.

Jonathan Reiber:

That’s very helpful. Great. Now we’ve recently launched an attack graph. And so there’s been some recent content completed. Adam, can you explain to us a little bit about what we’ve done and what we’re doing already, and how that helps from a readiness testing standpoint?

Adam Moore:

Yeah, sure. So in January and in February, US-CERT put out a couple of alerts and advisories that outlined some, I think it was about 16 to 18, 18 total, top TTPs of Russian threat actors. And so we created an attack graph to emulate a realistic attack, a realistic adversary behavior, and kind of a subset of those TTPs in what’s been released. And we released a blog with it as well. And it mentions a couple of additional scenarios and steps you could add to the attack if you want to in your environment. And that’ll give you things like, you know, dumping the domain controller, things like that. So those are a little bit more high friction, so you can add those on your own. But basically, if you run a quick attack graph like this in your environment and continuously tune for additional preventions and detections, you can get in a better and better place. And another bit of content that we released was basically some malware download-and-save scenarios, so you can test and validate your antivirus or next-gen antivirus against nine different pieces of HermeticWiper malware or related samples. So we’ve also got a lot more in progress, but that’s what we’ve got released so far.

Jonathan Reiber:

Yeah, that’s great. I mean so the goal here, we know what is happening. We know the kinds of tactics and techniques that hostile actors are going to deploy against organizations around the world. And we want you to prepare and test your defenses. CISA has said “shields up.” This is the name of their campaign, “shields up.” What we’re trying to say is you want to test that your shields are going to work. You need to validate that your security controls are going to perform as intended. So Ken, I’d like to pivot over to you to showcase the new attack graph that you and Adam and the team and Glo Lopez have developed to actually do just that against this advanced adversary.

Ken Towne:

That sounds good. Uh, let me go ahead and share my screen. So, you know, US-CERT released two reports, one in January, one in February, focusing on generalized Russian behaviors seen against US defense contractors and critical infrastructure. So our attack graph is picking up in the middle of the reporting. We’re moving beyond the initial access phase, where they’re gonna go ahead and, you know, find a way to get into your network. They have multiple vulnerabilities that they can use to get in. And so we focus on what they’re gonna do once they do get in. And the way that the attack graph works is it’s set up in different stages that can be emulated. And using logic to decide if a security control has prevented or not prevented, I can take alternative actions. So in the case of our graph, if I’m able to dump a password successfully, then I can attempt to try to move laterally and gain access to additional systems.

Ken Towne:

If I can’t, then I have to pivot and try something else. And that’s where they’re gonna do something with learning more about your Active Directory. Um, and so in the case of the attack graph, when you do emulate it and kick it off, it’s gonna tell you for each step: did you prevent it, or was it successful? And then provide those details.

Not every step, should you be expected to have a prevention or a detection, but we want to emulate those behaviors so that when you do go back, you can try to find those initial signs that said an actor was here. You know, most of the time when you do find an alert, it’s not gonna be, you know, at that first attempt, it’s gonna be when they’ve done something big and noisy, but you want that log and data there to go backwards and find it.

So we do provide indicators of the behavior that we emulated, so you can find it on your system. And then for things that we do prevent, such as in this case using BloodHound to find domain trust relationships in Active Directory, it’ll tell you what was going on and maybe why it didn’t find it. So in this case, the binary tried to be written and got eaten by one of the EDRs.

Jonathan Reiber:

Great. That’s immensely helpful. Ken, I just wanna flag a point that you made the other day when we were talking, which is about an advanced adversary. As we saw, particularly in the SolarWinds intrusion, the Russian government used a Trojan, or I’m sorry, a supply chain-enabled attack, to inject code using what was presumed to be a normal behavior. The Russian government, if they want to get into your system, can do it. And you made a point the other day that I’d like you to just say again about why and how this is still such an important capability if you’re trying to validate your defense effectiveness.

Ken Towne:

Sure. So as you mentioned, Russian actors are well-financed. They’re very smart. They’re tricky, you know, doing the whole SolarWinds and supply chain compromises, going after your suppliers. They have millions of avenues to find a way in. And what’s important for us is to remember the old adage of, you know, you have to be successful 100% of the time to be secure; they only have to be successful once to get in. That works in reverse, and we only need to pick up one hint of their behavior, whether it’s at the beginning of the kill chain, in the middle of the kill chain, and hopefully not at the very end of the kill chain, but at some point along that phase. If you can find them, that’s faster to you being able to get out and get them. And being able to run a graph like this and run it repeatedly will help you ensure that the security controls that you thought you had in place are actually in place. Uh, signatures change, your tooling changes; that stuff has impact on what your security posture really is.

Ken Towne:

This will show you what it actually is.

Jonathan Reiber:

That’s great, Ken, thank you very much for showing us the attack graph.

And again, Adam and Ken, thank you for producing it as quick as you did and accelerating it for the contingency that we find ourselves in.

Adam, one of the things about a moment like this with the Russians having invaded Ukraine, and obviously the world’s attention is on how this conflict is going to unfold and hopefully resolve itself. One of the things that you’ve pointed out and that others have pointed out is adversaries are watching.

China and Iran and others, they’re watching what’s going on and they’re gonna try and seek an advantage. So one of the things we wanna do in this podcast over the next few weeks, as we, as we address what’s going on in, in Eastern Europe is think about the broader implications. And I wonder if you might just give us a preview of the other things that you’re building in the Security Optimization Platform and other things you’re thinking about as the conflict unfolds.

Adam Moore:

Yeah, sure. You know, definitely in the last couple of months, CYBERCOM and US-CERT have both been ringing the alarm bells about, uh, Iranian threat actors as well, and, uh, MuddyWater in particular. And so we also just released an attack graph emulating their Operation Quicksand campaign from about 18 months ago. So that’s brand-new material as well. It’s unknown if it’s just coincidental in time or if they are sort of taking advantage opportunistically of this situation here. China is also, I believe, ramping up offensive cyber operations and disinformation against Taiwan right now. So, you know, we just wanna make sure our customer base is protected. Yep.

Jonathan Reiber:

Well, so we are gonna keep watching what’s going on. And Adam and his team are continuing to build and release content to help organizations get ahead of potential cyber risk, given the unfolding contingency, which again, we all want to resolve as quickly as possible for the Ukrainian people to be safe and secure and free of this invasion.

So again, Adam, thank you. And Ken, thank you. Thank you for joining; I look forward to hearing more. We’ll be creating more content, not just through this podcast but also on blogs, to keep our customers and everyone else apprised of what’s going on as we see it. Thank you so much for tuning in, and I look forward to talking more.