Short Musings on JAR-16-20296 or how to avoid the Grizzly-Steppe

CJ Barker
2 min read · Dec 31, 2016


Oh My!

I poured a lovely single malt and downloaded some bedtime reading with the latest Joint Analysis Report from The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) regarding the “Grizzly Steppe — Russian Malicious Cyber Activity”. If you are looking for a detailed breakdown of the JAR report I highly recommend Robert M. Lee’s “Critiques of the DHS/FBI’s GRIZZLY STEPPE Report”.

The summary denotes that the document: “provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election”.

Initially, I was hoping for some form of sophisticated advanced persistent threat and/or malware. Instead, what I read was a common cautionary tale that plays out daily within InfoSec and across many, if not all, digital entities in government, NGO, and commercial domains.

There was nothing super sophisticated here: XSS, SQL Injection, Spearphishing & Phishing, and unpatched server vulnerabilities. It is disappointing and sad to see that after 10+ years the same basic attack vectors still work quite efficiently. The majority, if not all of this, could be prevented; however, this is the same government that lost over 21 million federal employees’ records (current, former, prospective) in the OPM breach.

On pages 6-7 the DHS provides some best practices and mitigation strategies that would impede such attacks. Hell, just read the OWASP top 10 and introduce secure software development practices and you are halfway there.

It is nearly 2017 and security continues to be an afterthought. Software and system security need to be baked into your development lifecycle from the beginning while evolving hand-in-hand with QA, Ops, and product management until decommissioned (cradle to grave). Make sure you account for your secure SDLC ahead of time. Work on implementing and/or improving basic threat modeling, static and dynamic source code analysis, code reviews, application and system logging, monitoring — intrusion detection, automated patching and vulnerability scanning, and focus on educating not just developers, but employees.

Politics aside, as an industry, we can do better.
