Preparing enterprise networks for destructive Russian cyber attacks

by IronNet on February 25, 2022

Russia’s invasion of Ukraine in full force very likely will topple the Ukrainian government and give Putin the option of putting in power a government and leader that he can control. Putin sees this invasion as a great opportunity to increase divisions within the NATO alliance and other European nations.

The IronNet Threat Research Team is tracking daily updates and cyber implications in “Russian invasion: daily updates of cyber actions to track.” Russia’s aggression and boldness may evolve to include the following actions in cyberspace.

Attacking oil and gas pipeline companies in response to sanctions on the Nordstream2 pipeline;
Retaliating against financial institutions in response to financial sanctions on Russia; and
Targeting cyber attacks against U.S. government agencies to gain intelligence on U.S. response options.

Additionally we believe that Putin will stay close with Xi Jingping as Putin supports China’s issues with Taiwan. We also suspect Xi supports Putin on Ukraine and will help offset the impact of sanctions on Russia.

Since the beginning of January, the IronNet Cyber Operations Center (CyOC) has been tracking historic TTPs used by Russia. Additionally our threat hunters have been focusing on the unique visibility IronNet can provide, such as possible attack reflections from some of geographically dispersed and diverse customers. We have visibility in addition to correlation and novelty information as it relates to alert trends.

IronNet’s threat analysts are routinely monitor cybersecurity reporting to assess possible threats to enterprise networks. In particular, we are monitoring vulnerabilities known to be exploited by Russian state-sponsored threat actors to gain initial access include (as provided in the joint advisory [PDF] from CISA, the FBI, and the NSA):

CVE-2018-13379 FortiGate VPNs
CVE-2019-1653 Cisco router
CVE-2019-2725 Oracle WebLogic Server
CVE-2019-7609 Kibana
CVE-2019-9670 Zimbra software
CVE-2019-10149 Exim Simple Mail Transfer Protocol
CVE-2019-11510 Pulse Secure
CVE-2019-19781 Citrix
CVE-2020-0688 Microsoft Exchange

Additional mitigations and recommendations

We recommend the following mitigations per Mandiant’s report “Proactive Preparation and Hardening to Protect Against Destructive Attacks.”

Focus Area Sponsorships Available Sponsorships Available Sponsorships Available	Description	Hardening Recommendation
Hardening External Facing Areas	Protect against the risk of threat actors exploiting an externally facing vector or leveraging existing technology for unauthorized remote access.	1. Identify, Enumerate, and Harden Externally Facing Assets 2. Enforce Multi-factor Authentication for Externally Facing Services
Critical Asset Protections	Protect specific high-value infrastructure and prepare for recovery from a destructive attack.	1. Backup AD and other Critical Assets 2. Conduct Targeted Business Continuity Planning 3. Segment IT and OT Environments 4. Implement Egress Restrictions 5. Protect Virtualization Infrastructure
On-Premises Lateral Movement Protections	Protect against a threat actor with initial access into an environment from moving laterally to further expand their scope of access and persistence.	1. Restrict Communication To/From Endpoints 2. Harden Remote Desktop Protocol (RDP) 3. Disable Administrative/Hidden Shares 4. Harden Windows Remote Management (WinRM) 5. Restrict Common Lateral Movement Tools and Methods 6. Implement Malware Protections on Endpoints
Credential Exposure and Account Protection	Protect against the exposure of privileged credentials to facilitate privilege escalation.	1. Identify and Reduce the Scope of Privileged Accounts 2. Mitigate the Risk of Non-computer Accounts with SPNs 3. Limit the Logon Rights for Privileged Accounts 4. Limit the Logon Rights for Service Accounts 5. Use Group Managed Service Accounts (gMSAs) 6. Use Protected Users Group 7. Disable WDigest and Enforce GPO Reprocessing 8. Limit Credential Exposure Through Credential Guard 9. Use Restricted Admin Mode for RDP 10. Implement Windows Defender Remote Credential Guard 11. Harden Local Administrator Accounts

For additional mitigations and recommendations on how to protect against destructive cyberattacks, please refer to Mandiant’s report “Proactive Preparation and Hardening to Protect Against Destructive Attacks.”

Collective Defense: a cyber threat early warning system for all

IronNet is transforming cybersecurity through Collective Defense: a way to increase visibility of the threat landscape in real time, deliver actionable attack intelligence and triage insights, and break down cybersecurity silos. The IronNet Collective Defense platform builds secure communities of companies, supply chain entities, sectors, states, and/or governments to enable all to scale cyber defenses by working together with IronNet’s elite cyber analysts and industry peers.

I think Collective Defense is the transformative moment for us if we mean to do something about this [problem in cyber] … If you are a transgressor in this space, you have to beat all of us to beat one of us.” — Chris Inglis, National Cyber Director, November 2021ATIONAL CYBER DIRECTOR, NOVEMBER 2021

IronNet’s Collective Defense platform builds a real-time “cyber radar view” of the threat landscape across enterprise networks of companies and organizations that have joined a Collective Defense community. IronNet’s IronDome is the system that automates threat intelligence and enables secure, anonymous, real-time knowledge sharing and collaboration among the collective’s SOC teams. In this way, it serves as an early threat warning system for all.

To learn more about the historical context of the Russian cyber threat and APT groups, see the IronNet 2021 Annual Threat Report.