How Russia-Led Cyberattacks Allegedly Work
Here are SVR’s go-to tactics, techniques and procedures (TTP) along with protective measures organizations can employ:TTP: Password spraying to identify a weak password in an administrative account.Recommendations:
- Mandatory use of an approved multi-factor authentication solution for all users from both on premises and remote locations.
- Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization.
- Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.
- Enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.
- Regularly review the organization’s password management program.
- Ensure the organization’s IT support team has well-documented standard operating procedures for password resets of user account lockouts.
- Maintain a regular cadence of security awareness training for all company employees.
Recommendations:
- Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools, such as NMAP.
- Ensure host based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
- Require use of multi-factor authentication to access internal systems.
- Immediately configure newly-added systems to the network, including those used for testing or development work, to follow the organization’s security baseline and incorporate into enterprise monitoring tools.
Recommendations:
- Audit log files to identify attempts to access privileged certificates and creation of fake identify providers.
- Deploy software to identify suspicious behavior on systems, including the execution of encoded PowerShell.
- Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
- Use available public resources to identify credential abuse within cloud environments.
- Configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.