By John Nowotny, Customer Success Engineer, Exabeam
Russian cyberattacks have seemingly become the new normal with the recent spate of high-profile events at SolarWinds, Colonial Pipeline and Kaseya putting U.S. government officials and private sector businesses on high alert.
In July, the National Security Agency (NSA), together with partner agencies from the U.S. and the U.K., sounded yet another alarm about a global and likely ongoing “brute-force” cyber campaign by the Russian military intelligence agency, the GRU. The NSA advisory details the malicious group’s tactics for targeting hundreds of U.S. and foreign entities and the steps that organizations should take to mitigate their risk.
Underscoring the gravity of what the White House perceives as an escalating threat to national security, President Joe Biden put Russian President Vladimir Putin on notice, suggesting that the U.S. will retaliate if Moscow fails to crack down on Russia-based cybercrime groups that target American institutions.
Containerization: New spin on a classic tactic
Brute-force attacks are hardly new to the cybercrime scene, and password spraying remains a widely used tactic for breaking into private networks, whose data can then be exfiltrated, degraded or destroyed.
According to the NSA advisory, the GRU has upped the game, leveraging software containers – specifically a Kubernetes cluster – to easily scale brute-force attempts. Containerization lets the attackers spread their authentication attempts across many dynamic IP addresses and network routes while harvesting credentials. To evade defenses, they route the authentication attempts through Tor and commercial VPN services.
Coupling prevention with better detection
The advisory further cautions that the distributed, highly scalable and anonymized nature of the password spray capability makes indicators of compromise (IOCs) much more difficult for target networks to detect. And while preventing a network intrusion is always the primary goal, being able to detect a breach ahead of any long-term impact is equally essential.
For organizations to protect their networks from password spray attacks, the NSA recommends the following mitigations:
- Adopt multi-factor authentication (MFA) and single sign-on (SSO), with MFA enforced for cloud services
- Establish lockout and timeout policies
- Check for poor passwords
- Remove weak authentication methods, change default passwords and remove local accounts
- Establish policies for where accounts can authenticate from (e.g., for global admins and power users)
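To make the lockout and timeout recommendation concrete, here is an added example (not code from the NSA advisory or from Exabeam) of a per-account lockout policy with a sliding failure window and a timed unlock. The thresholds (five failures in fifteen minutes, thirty-minute lockout) are assumptions chosen for illustration. The second scenario shows the control's limit that the advisory's call for analytics addresses: a spray that touches each account only once never reaches a per-account threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LockoutPolicy:
    """Per-account lockout with a sliding failure window and a timed unlock.

    max_failures failed attempts within `window` lock the account for `lockout`.
    The default values are assumptions for this example, not advisory figures.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        """True while the account's lockout is in force; clears the lock once it times out."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # timeout elapsed: release the lock
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Register a failed attempt; return True if this failure triggers a lockout."""
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        """A successful logon resets the account's failure history."""
        self._failures[user].clear()


T0 = datetime(2021, 7, 1, 10, 0)  # constructed reference time for the scenarios


def single_account_attack(policy=None):
    """Six rapid failures against one account (constructed scenario).

    Returns (attempt number that triggered the lock, locked 5 min later, locked 31 min later).
    """
    policy = policy or LockoutPolicy()
    locked_at = None
    for i in range(6):
        now = T0 + timedelta(seconds=i)
        if policy.is_locked("alice", now):
            continue                          # attempt rejected without being counted
        if policy.record_failure("alice", now):
            locked_at = i + 1
    still_locked = policy.is_locked("alice", T0 + timedelta(minutes=5))
    released = policy.is_locked("alice", T0 + timedelta(minutes=31))
    return locked_at, still_locked, released


def spray_across_accounts(policy=None):
    """One failure against each of six accounts (constructed scenario).

    Returns True if any account was locked; per-account thresholds never trip here,
    which is why the advisory pairs lockout policies with behavioral analytics.
    """
    policy = policy or LockoutPolicy()
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    triggered = [policy.record_failure(u, T0 + timedelta(seconds=i))
                 for i, u in enumerate(users)]
    return any(triggered)


if __name__ == "__main__":
    print("single account:", single_account_attack())
    print("spray locked anyone:", spray_across_accounts())
```

The lockout is keyed on the account, so the first scenario locks on the fifth failure and releases after the timeout, while the second scenario produces no lock at all; a source-level view of the same failures is what surfaces it.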
Adding analytics to the cybersecurity arsenal
The NSA advisory also advises organizations to use analytics to detect anomalous activities and accesses. By pairing analytics with known tactics, techniques and procedures (TTPs), security teams can watch for unusual changes in patterns instead of just monitoring for specific risks. This is especially important for organizations that are managing “SaaS sprawl” – which can amount to hundreds of different software applications in their tech stack.
Because a successful password spray leaves no signature, by the time adversaries penetrate a network environment they are already using valid credentials. Behavioral analytics enables security teams to detect deviations from normal baseline behavior for a compromised credential. They may see failed logins, a new country of logon or an abnormal number of accesses to the host across the organization.
Multi-factor authentication is one of the strongest tactics an organization can implement to protect itself from a variety of password and authentication attacks, particularly password spray attacks. Unfortunately, multi-factor authentication isn’t bulletproof. Session hijacking, an attack that exploits web session control mechanisms, and SIM swapping, a form of account takeover fraud, continue to target employees in order to bypass MFA protections. As with the other avenues adversaries use to gain access to a system, MFA and authentication logs should be evaluated for anomalies. Indicators that something is wrong include the methods used, the source locations and the number of attempts.
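The behavioral checks described in the two paragraphs above (failed logins across many accounts from one source, a logon from a new country, and an abnormal number of MFA attempts) can be run as simple analytics over authentication logs. The following is an added example, not code from the NSA advisory or from Exabeam; the log format and all sample lines are constructed for the illustration, and the thresholds are assumptions. It also correlates a success from a source already flagged for spraying, which is the case where the "compromised credential" the article describes first shows up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format is an assumption:
# <ISO timestamp> <user> <source IP> <country> <result> <auth method>
SAMPLE_LOGS = """\
2021-07-01T09:00:00 bob 198.51.100.8 US FAIL password
2021-07-01T10:00:01 alice 203.0.113.5 US FAIL password
2021-07-01T10:00:02 bob 203.0.113.5 US FAIL password
2021-07-01T10:00:03 carol 203.0.113.5 US FAIL password
2021-07-01T10:00:04 dave 203.0.113.5 US FAIL password
2021-07-01T10:00:05 erin 203.0.113.5 US FAIL password
2021-07-01T10:00:06 frank 203.0.113.5 US SUCCESS password
2021-07-01T10:30:00 alice 198.51.100.7 US SUCCESS password
2021-07-01T11:00:00 alice 192.0.2.9 BR SUCCESS password
2021-07-01T11:00:05 alice 192.0.2.9 BR FAIL mfa_push
2021-07-01T11:00:20 alice 192.0.2.9 BR FAIL mfa_push
2021-07-01T11:00:35 alice 192.0.2.9 BR FAIL mfa_push
2021-07-01T11:00:50 alice 192.0.2.9 BR FAIL mfa_push
"""

# Successful logons before this time form each user's country baseline (assumption).
BASELINE_END = datetime(2021, 7, 1, 10, 45)


def parse_logs(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, country, result, method = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                       "country": country, "ok": result == "SUCCESS", "method": method})
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose failed password attempts touch >= min_accounts distinct users in a window.

    A per-account lockout never sees this pattern: each account fails only once.
    Returns {source: max distinct users seen in one window}.
    """
    fails = defaultdict(list)
    for e in events:
        if not e["ok"] and e["method"] == "password":
            fails[e["src"]].append(e)
    alerts = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):          # slide the window over each start event
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            alerts[src] = best
    return alerts


def successes_from_spray_sources(events, spray_alerts):
    """Accounts that logged on successfully from a source already flagged for spraying."""
    return sorted({e["user"] for e in events if e["ok"] and e["src"] in spray_alerts})


def detect_new_country(events, baseline_end):
    """Flag successful logons after baseline_end from a country the user had not used before."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < baseline_end:
            baseline[e["user"]].add(e["country"])
    return [(e["user"], e["country"], e["src"])
            for e in sorted(events, key=lambda e: e["ts"])
            if e["ok"] and e["ts"] >= baseline_end and e["country"] not in baseline[e["user"]]]


def detect_mfa_bursts(events, window=timedelta(minutes=5), max_failures=3):
    """Users with more than max_failures failed MFA attempts inside a window."""
    per_user = defaultdict(list)
    for e in events:
        if not e["ok"] and e["method"].startswith("mfa"):
            per_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n > max_failures:
                alerts[user] = max(alerts.get(user, 0), n)
    return alerts


def run_all(text, baseline_end):
    """Run every check over the log text and return one report dict."""
    events = parse_logs(text)
    spray = detect_spray(events)
    return {"spray_sources": spray,
            "guessed_accounts": successes_from_spray_sources(events, spray),
            "new_country": detect_new_country(events, baseline_end),
            "mfa_bursts": detect_mfa_bursts(events)}


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_LOGS, BASELINE_END).items():
        print(f"{name}: {finding}")
```

On the sample data the source 203.0.113.5 is flagged for spraying five accounts, frank's success from that source is surfaced as a likely guessed credential, alice's logon from BR is a new country against her US baseline, and her four failed MFA pushes in under a minute trip the burst check. In practice the baseline window and thresholds should be tuned per environment, and the source key should be widened (ASN, VPN exit ranges) because the advisory notes the attempts arrive through Tor and commercial VPNs.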
Keeping up with the MITRE ATT&CK® framework and using analytics to map network activities to the growing knowledge base of TTPs will continue to be a critical piece of the security process in guarding against brute-force attacks. This summer, MITRE released D3FEND as a complement to its existing ATT&CK framework, providing a catalog of cybersecurity countermeasures for the most common offensive techniques. Funded by the NSA, D3FEND aims to standardize the vocabulary used by cybersecurity teams across all industries and sheds more light on the relationships between defensive and offensive tactics.
The recent ransomware attack at Kaseya – which affected as many as 1,500 small and medium-sized companies worldwide – was a rude awakening, proving that no organization is safe from an insidious cyberattack. With the next brute-force attack likely underway, cybersecurity teams need to ensure they are equipped with the latest information and advanced analytics to detect and neutralize an impending attack before the damage is done.
About the Author
John Nowotny is a Customer Success Engineer at Exabeam. He ensures that the products Exabeam customers benefit from are top quality and exceed expectations.