Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Making the GRIZZLY STEPPE Joint Action Report useful

Ira Winkler | Jan. 10, 2017
While some criticisms of the DHS/FBI report are valid, many are not.

Cynics have also discounted the IP addresses listed in the IOCs as being commonly used and will give too many false positives. There are several troubling aspects to the cynicism. The cynics say that the IP addresses are associated with commonly used sites, such as being Tor exit nodes.

Wordfence, which creates security tools for WordPress sites, did an analysis of the IP addresses provided as IOCs. In summary, they found these relatively small number of IP addresses accounted for a majority of attacks they defended against. The exact quote is, “As you can see, a small number of the IP addresses that DHS provided as IOCs are responsible for most of the attacks on WordPress websites that we monitor.”

Consider the implication that given the millions of IP addresses on the internet, the 876 IP addresses identified in the report are responsible for more than half of the attacks a site experiences. For the average organization, it is very likely that there may very well be no legitimate traffic from these sites. And let me be clear, it doesn’t matter whether malicious activity is due to Russia or not; it is malicious activity.

Another common complaint against the listing of these systems is that many of them are Tor exit nodes. While I never did a formal study, I have consulted to hundreds of organizations over my career. In none of those organizations have I seen Tor in common use. In many cases, the use of Tor would be against company policy as it is not formally allowed software given that it reduces the ability for organizations to monitor for the exfiltration of data. The amount of legitimate Tor users within an organization would be in the dozens at most.

So how do you use this information? You can simply block the traffic to and from these IP addresses and likely not suffer any impact. While there might be some impact to legitimate operations, it can be quickly addressed. Another action to consider is to study where incoming traffic from these sites intends to go, and examine those systems for signs of potential compromise. If you see traffic originating on your network intended for the listed IP addresses, you should likewise consider the system that originated the traffic as potentially compromised and examine it.

The cynics say that you will get a lot of false positives. That is possible. Again though, the Wordfence study indicates that many, if not most, indicators will lead to actual attacks. Doing an initial sampling might determine how much additional effort to put into the threat hunt.

There was also a list of files provided as an IOC. While some of the file names were names of potentially legitimate files, it is common for skilled attackers to replace legitimate files with malicious versions of the same files. Yes, it might be time consuming to check to see if all of the files are legitimate, but if there are other reasons to believe the system is compromised, such as traffic to or from the IP addresses identified, the effort is warranted.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.