The Threat Horizon
The December 29th joint analysis report (JAR), GRIZZLY STEPPE – Russian Malicious Cyber Activity, contains specific indicators of cyberattacks and steps organizations can take to mitigate “the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.” ((GRIZZLY STEPPE – Russian Malicious Cyber Activity. US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and the US Federal Bureau of Investigation (FBI). Reference Number: JAR-16-20296, December 29, 2016, Page 1.)) The Grizzly Steppe report was motivated by the hacking attacks outlined in the subsequent unclassified report, Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution, released January 6th. ((Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution. US Office of the Director of National Intelligence and the National Intelligence Council. Reference Number: ICA 2017-01D. January 6, 2017.))
These attacks have highlighted the extent of our cyber vulnerability globally and should result in step-function increases in our motivation to close seemingly wide gaps in overall online security. Damaging and/or disruptive attacks have been made on critical infrastructure networks globally. Cases where third-party identities have been used to mask hacking have been documented. Once access is gained, the hackers analyze the information they have garnered for its intelligence value.
Technical Indicators and Recommended Mitigations
Shared Assessments Program Tools address the breadth of the attack indicators that the Grizzly Steppe report identified as critical known factors surrounding a pattern of ongoing cyber-enabled hacking operations. This includes notable and ongoing Advanced Persistent Threats (APTs) that have been used since at least 2015 to target “government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.” ((GRIZZLY STEPPE – Russian Malicious Cyber Activity. US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and the US Federal Bureau of Investigation (FBI). Reference Number: JAR-16-20296, December 29, 2016, Page 1.)) A variety of methods are used to interfere with systems, such as injection flaws, cross-site scripting (XSS) vulnerabilities and server vulnerabilities. Spear phishing was specifically identified as a common technical means of system compromise in the joint NCCIC/FBI report.
Each of the security needs identified by the report is addressed by the Shared Assessments Program’s member-driven resources. The Program Tools provide a holistic picture across verticals for risk assessments and for evaluating the maturity of third-party risk programs, covering cybersecurity, IT, privacy, data security and business resiliency controls, including:
- Risk analysis,
- Staff training,
- Application whitelisting,
- Vulnerability scanning and patching, and
- Other business resiliency indicators.
Shared Assessments Program Tools are specifically designed using objective, rigorous best practice standards and regulatory guidelines to ensure that the very indicators identified by the reports are accounted for in risk management programs. Using these “trust, but verify” structured, evidence-based resources can inform enterprise-wide progress toward closing dangerous gaps in overall online security, so that robust incident planning and response programs are implemented before an incident occurs and the impact of security events is minimized when they do occur. The Tools are mapped to both US and international standards and regulations, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the FFIEC Cybersecurity Assessment Tool (CAT), International Standards Organization (ISO) 27001/27002 guidelines, Payment Card Industry (PCI) DSS v.3.2, as well as anticipated EU General Data Protection Regulation (GDPR) rules and Cloud Security Alliance Controls.
To aggressively improve your third-party risk management program by building a better understanding of what it takes to create a more risk-sensitive environment in your organization, you can access best practices white papers and other relevant resources at: https://sharedassessments.org/.
Shane Deay is a Senior Project Manager with The Santa Fe Group, Shared Assessments Program. Shane works alongside staff and members to manage the Shared Assessments Program Tools alignment to national and international standards, regulations and guidelines. Connect with Shane on LinkedIn.