Making the GRIZZLY STEPPE Joint Action Report useful

I was surprised when I saw the cynicism to the Joint Action Report (JAR) put out by the Department of Homeland Security and FBI. It seems like it is cool to criticize the report, and that can be a disservice to the whole industry. Compounding the criticism was the recent report of malware found on a laptop of Burlington Electric, and the misplaced attribution.

Before I go on, I want to clearly state that there is value in the report, but you have to look at it from a Threat Hunting perspective, and not as a definitive “how to stop an attack.” There is a very critical difference.

In reading the criticism, it looks like several issues are involved. First, it seems like there is an expectation that the report intends to prove Russia was responsible for the political hacks in question. To be clear, the JAR intended to provide details of the attack infrastructure and methodology. This is not attribution. The details are also lacking. There are flow charts, which do not provide anything useful, except to provide some reference for people not familiar with attack methodology. The details might look impressive to a layperson or general IT professional, but security professionals will snub the details. Again though, the report never stated it provides proof of Russia as the perpetrator, just methodology.

Next, the supposed Indicators of Compromise (IOC) are mostly not actually IOCs, but better described as things to look for, or at, and analyze. As discussed in Advanced Persistent Security, threat hunting means you actively look for compromises that you do not actually know exist. The list of IOCs includes malware samples, file lists, and IP addresses tied to various systems on the internet.

It needs to be made clear that the malware, file lists, and IP addresses are not going to be specific to Russia. While it is likely that Russia has advanced tools and infrastructure available, they will not make use of those tools unless necessary, as it might disclose the presence of the tools and allow sophisticated targets to prevent the attack.

For example, consider the Stuxnet malware. Stuxnet was exceptionally advanced, utilizing multiple zero-day attacks. While Stuxnet targeted Iranian nuclear research infrastructures, it spread beyond the intended target and was discovered and allowed for the mitigation of future uses. This goes to demonstrate that the use of any current “unstoppable” attack can hamper future use of the attack. For reasons such as this, even highly advanced attackers prefer to use attacks that are as simple and common as possible.

The critics of the report use the presence of the Yara signature, which is essentially known malware. To say the report is useless is surprising, as the fact the report highlighted the malware actually caused it to be discovered by Burlington Electric. There is no legitimate reason for the malware to be found on a laptop. While some security professionals say, “But it doesn’t mean it is Russian,” I reply, “It’s still malware!” Even though it was “only” found on one system, it doesn’t mean that the malware wouldn’t have spread when it was plugged into the network. Also important to consider is that laptops are frequently used as diagnostic tools for the power grid, and the laptop might have inevitably plugged into grid connected systems. This is clearly an example of a success story, but the attribution contorted the issue, and caused cynics to discount what is a valuable finding.

Cynics have also discounted the IP addresses listed in the IOCs as being commonly used and will give too many false positives. There are several troubling aspects to the cynicism. The cynics say that the IP addresses are associated with commonly used sites, such as being Tor exit nodes.

Wordfence, which creates security tools for WordPress sites, did an analysis of the IP addresses provided as IOCs. In summary, they found these relatively small number of IP addresses accounted for a majority of attacks they defended against. The exact quote is, “As you can see, a small number of the IP addresses that DHS provided as IOCs are responsible for most of the attacks on WordPress websites that we monitor.”

Consider the implication that given the millions of IP addresses on the internet, the 876 IP addresses identified in the report are responsible for more than half of the attacks a site experiences. For the average organization, it is very likely that there may very well be no legitimate traffic from these sites. And let me be clear, it doesn’t matter whether malicious activity is due to Russia or not; it is malicious activity.

Another common complaint against the listing of these systems is that many of them are Tor exit nodes. While I never did a formal study, I have consulted to hundreds of organizations over my career. In none of those organizations have I seen Tor in common use. In many cases, the use of Tor would be against company policy as it is not formally allowed software given that it reduces the ability for organizations to monitor for the exfiltration of data. The amount of legitimate Tor users within an organization would be in the dozens at most.

So how do you use this information? You can simply block the traffic to and from these IP addresses and likely not suffer any impact. While there might be some impact to legitimate operations, it can be quickly addressed. Another action to consider is to study where incoming traffic from these sites intends to go, and examine those systems for signs of potential compromise. If you see traffic originating on your network intended for the listed IP addresses, you should likewise consider the system that originated the traffic as potentially compromised and examine it.

The cynics say that you will get a lot of false positives. That is possible. Again though, the Wordfence study indicates that many, if not most, indicators will lead to actual attacks. Doing an initial sampling might determine how much additional effort to put into the threat hunt.

There was also a list of files provided as an IOC. While some of the file names were names of potentially legitimate files, it is common for skilled attackers to replace legitimate files with malicious versions of the same files. Yes, it might be time consuming to check to see if all of the files are legitimate, but if there are other reasons to believe the system is compromised, such as traffic to or from the IP addresses identified, the effort is warranted.

I have been previously assigned with vague incident responses, such as an electronic bank theft, where the only thing they knew is that the money ended up in Russia. I had to sort through gigabytes of traffic a day. If I had a list of 876 IP addresses to begin the search with, I would think I was blessed.

The JAR is by no means a perfect document. It did not in any way attempt to prove Russia as the perpetrator of the hacks in question. The IOCs provided are not definitive indicators that you have been compromised. The instructions of how to use the JAR effectively were not very clear. To actually effectively use the IOCs provided is time consuming. Clearly, even experienced security professionals aren’t aware of the intended use.

However, there is the potential to identify and stop attacks in progress. The Burlington Electric incident demonstrates it can be used to identify malware. The Wordfence study demonstrates that the systems identified clearly present an imminent threat to organizations. Every security manager should read the JAR and determine if and how they should use it for their organization’s threat hunting efforts.

The security profession is plagued by being contrarian by default. While skepticism is good, it must not be at the expense of extracting value.