By Mark Lanterman

In July the National Security Agency (NSA), in partnership with the CISA, FBI, and NCSC, issued a cybersecurity advisory regarding global brute force campaigns titled “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” Though it’s difficult to assign a specific timeline (or start date) to the activities of the GRU, Russia’s military intelligence agency, the report explains that these activities have likely been going on at least since the middle of 2019 and continued until the start of 2021.

A variety of organizations, companies, and businesses in both the private and public sectors have been targeted; these incursions are largely successful in part because they use a number of different methods of attack in tandem. The nature of the cyberattacks is described in the July 1 release:

This brute force capability allows the [] actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion. The actors have used identified account credentials in conjunction with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers.… After gaining remote access, many well-known tactics, techniques, and procedures (TTPs) are combined to move laterally, evade defenses, and collect additional information within target networks.1

The United States is among a number of countries that have been working recently to curb the damage brought about by nation-state threats, including this Russian campaign. Following several large-scale breaches, and the issuing of an executive order on improving the nation’s cybersecurity, President Biden will be meeting with several private sector cybersecurity experts to discuss the future of combatting cyber risk in an increasingly aggressive cyber landscape.2 

With vigilance in mind, the NSA report concludes by providing recommendations and mitigation strategies for organizations to employ. Given the scope and nature of the attacks, both the private and public sectors need to combine their efforts to address global cyber threats and alleviate the potential for catastrophic damage.

The NSA recommendations 

In a recent interview on the Compliance & Ethics podcast, I discussed the importance of organizations carefully reviewing and assessing their compliance with the list of recommendations put forth by the NSA in its report.3 In addition to addressing how the nation-state threat actors are conducting their attacks, the report provides straightforward guidelines for improving cybersecurity posture and counteracting the preferred methodologies of attackers. Multifactor authentication, time-out and lock-out features, network segmentation, and careful access control monitoring are all effective strategies in staying as secure as possible. 
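The time-out and lock-out features and the access monitoring mentioned above can be seen together in a small simulation. The following is an added example, not code from the NSA advisory or from the author; the threshold, window and lock-out duration are assumed policy values, and the authentication log lines are constructed for the demonstration. It replays each login attempt through a per-account sliding-window counter, locks the account once the failure threshold is hit (so that even the correct password is refused until the lock expires), and records which source addresses triggered a lock, which is the detail an analyst wants when reviewing the log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Policy values are illustrative assumptions, not figures from the NSA advisory.
THRESHOLD = 5                       # failures within WINDOW that trigger a lock-out
WINDOW = timedelta(minutes=15)      # sliding window over which failures are counted
LOCKOUT = timedelta(minutes=30)     # how long an account stays locked


class LoginGuard:
    """Per-account failure counter with a sliding window and a temporary lock-out."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> datetime when the lock expires

    def locked_until(self, account, now):
        """Return the lock expiry for the account if it is currently locked, else None."""
        until = self._locked_until.get(account)
        return until if until is not None and now < until else None

    def attempt(self, account, success, now):
        """Apply one login attempt; returns 'allowed', 'rejected' or 'locked'."""
        if self.locked_until(account, now):
            return "locked"          # refused before the password is even checked
        if success:
            self._failures.pop(account, None)
            return "allowed"
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()         # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "rejected"


# Constructed sample of authentication log lines (not real data): one source
# hammers 'alice', while 'bob' mistypes once and then logs in normally.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-06-01T10:00:03Z src=203.0.113.5 user=alice result=FAIL
2021-06-01T10:00:05Z src=203.0.113.5 user=alice result=FAIL
2021-06-01T10:00:07Z src=198.51.100.9 user=bob result=FAIL
2021-06-01T10:00:09Z src=203.0.113.5 user=alice result=FAIL
2021-06-01T10:00:11Z src=203.0.113.5 user=alice result=FAIL
2021-06-01T10:00:13Z src=203.0.113.5 user=alice result=SUCCESS
2021-06-01T10:00:20Z src=198.51.100.9 user=bob result=SUCCESS
2021-06-01T10:45:00Z src=203.0.113.5 user=alice result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into (timestamp, source, account, success)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"] == "SUCCESS"


def replay(log_text, guard=None):
    """Feed every log line through the guard.

    Returns (decisions, sources): the per-attempt verdicts in log order, and a
    map of locked account -> set of source addresses that triggered the lock.
    """
    guard = guard or LoginGuard()
    decisions = []
    sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, ok = parse_line(line)
        verdict = guard.attempt(user, ok, ts)
        decisions.append((user, verdict))
        if verdict == "locked":
            sources[user].add(src)   # the detail a SOC wants for an alert or block
    return decisions, dict(sources)


if __name__ == "__main__":
    for user, verdict in replay(SAMPLE_LOG)[0]:
        print(f"{user:6} {verdict}")
```

In the replay, the fifth failure against alice triggers the lock, the correct password submitted two seconds later is still refused, and the attempt at 10:45 is counted afresh because the 30-minute lock has expired. Two points of design matter in practice: the counter keys on the account, so a slow attack spread across many accounts will not trip it and needs monitoring across accounts as well; and because a lock-out can be provoked deliberately against a known user, it should be paired with multifactor authentication rather than relied on alone.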

Toward the end of the interview, I was asked a very important question that’s often brushed aside. “I often see people working in public places—at the coffee shop, on airplanes. How should these low-tech issues be addressed?” It’s a great question, not only for the logistical and security issues that often come about as a result of careless remote work policies, but also because it gets to the heart of a very easy to ignore security issue—the human element. We all know that cybercriminals are always going to seek the easiest route. In many cases, hacking the human element of security is much easier than looking for technological vulnerabilities. To put it another way, strong technological controls alone are never enough, as they can always be defeated by one sticky note with a username and password stuck to a laptop in a public place. In our current age of remote work, known vulnerabilities, and rampant spear-phishing campaigns, we must strive to balance investment in security technologies with strong training and threat awareness programs. 

Finally, let’s also remember that verification is just as important as documentation. Time and again, organizations point to documentation as evidence of their current cybersecurity posture. Unfortunately, there is often a substantial gap between written documentation (which is ultimately a record of how things are supposed to be) and the reality. When your organization is reviewing the NSA’s report and assessing its recommendations, the temptation might be to check off items based on written procedures and protocols. But it’s vital to make sure that the right questions are being asked. How are these procedures actually being implemented, and are they being applied across the organization? Where is our data stored, and how does our organization monitor its cloud usage and third-party vendor relationships? Are employees using multi-factor authentication, and how is compliance assessed? Documentation is essential, but frequent verification is also necessary to manage cybersecurity posture and efficiently counteract risk. 


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Task Force, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.

Notes

1. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

2. https://abcnews.go.com/Politics/wireStory/biden-meet-month-private-sector-cyber-issues-78966697

3. https://complianceandethics.org/mark-lanterman-on-brute-force-attacks-and-corporate-cyber-defenses-podcast/