Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations


A recent indictment revealed how the GRU (Russia’s Military Intelligence agency) used both influence operations and network intrusions to achieve its policy aims. More precisely, the GRU weaponized the use of the network intrusions in its influence operations. We have used the MITRE ATT&CK framework as our methodology to play back the findings of the indictment. In doing so, we aim to provide key lessons organizations can take away from this indictment.


MITRE ATT&CK and the Mueller GRU Indictment

MITRE ATT&CK Stage / GRU Tactics, Techniques and Procedures

0. Reconnaissance: Fully comprehensive and detailed reconnaissance operation
1. Initial Access: Spearphishing Attachment; Spearphishing Link; Valid Accounts; Drive-by Compromise; Trusted Relationship
2. Execution: Exploitation for Client Execution
3. Persistence: Bootkit; Login Item; Modify Existing Service; Valid Accounts; Launch Agent
4. Privilege Escalation: For the GRU’s mission, data theft, privilege escalation was not necessary in order to achieve their goals
9. Collection: Data from Local System / Network Shared Drive; Email Collection; Input Capture; Screen Capture; Data Staged; Data from Information Repositories
10. Exfiltration: Data Compressed; Data Encrypted; Exfiltration Over Other Network Medium

Mitigation Advice

• Inform employees that their social media profiles may be of interest to adversaries. Provide advice on how to lock down profiles if requested.
• Ensure that network services are patched and running supported versions of software.
• Credentials, especially for admin accounts, should use strong passwords, and two-factor authentication (2FA) should be enabled wherever possible.
• Use of an email filtering system or service can help to identify some spearphishing threats, particularly around malicious attachments.
• Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service.
• 2FA is essential for email accounts, especially with a security key where possible.
• Employees should be made aware that personal accounts are regularly targeted by certain adversaries and should not enter credentials online unless they are expecting to do so.
• 3rd parties, such as suppliers and partner organizations, typically have privileged access via a trusted relationship into certain environments.
• These relationships can be abused by attackers to subvert security controls and gain unauthorized access into target environments.
• Managing trusted relationships, like supply chains, is an incredibly complex topic. The NCSC (National Cyber Security Centre) has an excellent overview of this challenging topic.
• Maintaining presence in a target environment typically requires the use of administrator privileges. Following the advice in Stage #4, as well as monitoring for the creation of new scheduled tasks, as an example, can limit the adversary’s options.
• The NCSC Windows 10 End User Device (EUD) guidance provides advice on how to securely configure Windows devices.
• The website adsecurity.org has excellent advice on how to securely administer a Windows network.
• Patching operating systems and applications to prevent privilege escalation is important, as well as limiting who has access to admin accounts. It is worth keeping in mind that adversaries may not always need administrative access in order to achieve their goals.
• Privileged Identity Management (PIM) and Privileged Access Management solutions can provide added oversight to prevent accounts being misused and abused.
• Large amounts of storage being used up unexpectedly is another signal that something potentially suspicious is occurring.
• Monitoring key servers to ensure that only specific scripts, such as PowerShell scripts, are able to run, and that the appropriate logging is in place to monitor PowerShell and other scripting activity, is important.
• Audit logs for cloud services (e.g., Amazon CloudTrail for AWS) need to be periodically reviewed to ensure that sensitive data is not subject to unauthorized access.
• Blocking egress traffic that is not necessary for the organization’s requirements can assist with limiting an attacker’s options in terms of communicating outside of the organization.
• Web proxies can provide granular controls for restricting egress traffic types and destinations.
• Change management and file integrity monitoring (FIM) for websites and other external assets is an important part of ensuring that no unauthorized changes are made.
• For users, ensuring that browsers are patched to the latest version, vulnerable plugins are disabled and an adblocker is used are important steps to staying safe while browsing.
• Up-to-date antivirus and other Endpoint Detection & Response (EDR) systems can provide protection against some malware variants.
• Protective monitoring can help detect unauthorized behavior both on the endpoint and on the network.
• Ensuring that security teams have knowledge and understanding of all environments assists with rooting out adversaries that are capable of operating on different platforms.
• Access to RDP servers and other servers that provide remote access should be limited.
• IP whitelisting where appropriate is an effective control.
• Ensure that RDP is only accessible via a VPN that supports strong authentication.
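The Collection advice above, to review cloud audit logs so that sensitive data is not accessed without authorization, is the kind of check that can be scripted rather than eyeballed. The following is an added example, not code from the original slide or its authors: it reviews a handful of constructed CloudTrail-style records and flags reads of a sensitive bucket by an unexpected principal, use of a trusted principal from outside the organization's network range, and a volume snapshot being made readable by another account. The account id, bucket name, role, network range and the sample records themselves are assumptions chosen for the example.

```python
"""Review CloudTrail-style records for unexpected access to sensitive data.
Added example: account id, bucket, role, network range and records are
constructed placeholders, not values from the indictment or the slide."""
from ipaddress import ip_address, ip_network

OWN_ACCOUNT = "111122223333"                        # assumed AWS account id
SENSITIVE_BUCKETS = {"example-org-backups"}         # assumed: buckets holding sensitive data
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/BackupOperator"}  # assumed sole reader
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]   # assumed: the organization's egress range

# Constructed sample records, trimmed to the fields the review uses. A real
# input would be the "Records" array of a CloudTrail log file.
SAMPLE_TRAIL = [
    {   # routine read by the backup role from the office network: expected
        "eventTime": "2018-04-01T02:15:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/BackupOperator"},
        "requestParameters": {"bucketName": "example-org-backups", "key": "db/2018-04-01.sql.gz"},
    },
    {   # same role, but used from an address outside the trusted range
        "eventTime": "2018-04-01T03:05:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "198.51.100.5",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/BackupOperator"},
        "requestParameters": {"bucketName": "example-org-backups", "key": "db/2018-04-01.sql.gz"},
    },
    {   # a principal that has no business in the backup bucket
        "eventTime": "2018-04-01T03:09:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "203.0.113.44",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/webadmin"},
        "requestParameters": {"bucketName": "example-org-backups", "key": "mail/export.pst"},
    },
    {   # a volume snapshot being made readable by another AWS account
        "eventTime": "2018-04-01T03:30:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "198.51.100.5",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/webadmin"},
        "requestParameters": {
            "snapshotId": "snap-0123456789abcdef0",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}},
        },
    },
]


def from_trusted_network(source_ip):
    """True if the call came from a trusted range. Calls made on the account's
    behalf by AWS services carry a service DNS name rather than an address;
    those are not treated as untrusted here."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def external_snapshot_grantees(params):
    """Account ids (or the public group 'all') granted createVolume permission
    on a snapshot, excluding our own account."""
    grants = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    external = []
    for grant in grants:
        if grant.get("group") == "all":
            external.append("all")
        elif grant.get("userId") and grant["userId"] != OWN_ACCOUNT:
            external.append(grant["userId"])
    return sorted(external)


def review_trail(records):
    """One finding per broken expectation: who may touch sensitive data, from
    where, and whether a copy of it is being handed to another account."""
    findings = []
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn", "")
        params = rec.get("requestParameters") or {}
        base = {"time": rec.get("eventTime"), "principal": arn, "event": rec.get("eventName")}
        if (rec.get("eventSource") == "s3.amazonaws.com"
                and params.get("bucketName") in SENSITIVE_BUCKETS
                and arn not in ALLOWED_PRINCIPALS):
            findings.append({**base, "reason": "sensitive-bucket-access-by-unexpected-principal",
                             "detail": params.get("key")})
        if arn in ALLOWED_PRINCIPALS and not from_trusted_network(rec.get("sourceIPAddress", "")):
            findings.append({**base, "reason": "trusted-principal-from-untrusted-network",
                             "detail": rec.get("sourceIPAddress")})
        if rec.get("eventName") == "ModifySnapshotAttribute":
            grantees = external_snapshot_grantees(params)
            if grantees:
                findings.append({**base, "reason": "snapshot-shared-outside-account",
                                 "detail": grantees})
    return findings


if __name__ == "__main__":
    for f in review_trail(SAMPLE_TRAIL):
        print(f"{f['time']}  {f['reason']:<48} {f['principal']}  {f['detail']}")
```

Run against the sample, the first record is silent and the other three each produce one finding. The three rules are deliberately about expectations rather than signatures: a known-good principal used from the wrong place, an unknown principal in a bucket it should never read, and data leaving the account by a route (snapshot sharing) that never touches the network egress controls listed above.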