The National Security Agency, along with CISA, the FBI, and the UK's National Cyber Security Centre, has released the joint advisory "Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments". In response, experts offer perspective.
<p>Russian GRU agents and other state actors like those involved in SolarWinds – and a range of financially motivated attackers (e.g., ransomware) – all use the same “password spraying” brute force techniques. Why? Because they are so effective. Unfortunately, a misunderstanding of this technique is leading to shockingly flawed advice like that given in the NSA advisory which, in part, recommends “mandating the use of stronger passwords”. The credential-gathering that preceded the password spraying campaign most certainly collected short and strong passwords. And the Russian Kubernetes cluster used in the attack was capable of spraying “strong passwords.” The government went on to recommend a “Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses”. This sage advice requires a move to strong, continuous authentication. It also requires organizations to eliminate passwords because they are so completely compromised that you simply cannot achieve Zero Trust with them.</p>
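<p>As an added illustration of the point made above (this is example code written for this page, not part of the expert's comment, the advisory, or any vendor's product), the script below runs the "analytics to detect anomalous accesses" idea over a constructed authentication log. Spraying tries one or two common passwords against many accounts, so per-account failure counters and lockout thresholds never trip and password strength never enters into it; the detectable shape is the inverse: one source, or for an IP-rotating cluster one time window, touching many distinct usernames with one or two failures each. The log format, the thresholds, and the sample entries are assumptions chosen for the example.</p>

```python
"""Password-spray detection over authentication logs (added example, not from
the page's author or the advisory).

The spray signature is many distinct accounts failing a few times each inside
one window.  Accounts that fail more often than `max_per_user` are ignored by
the check, so a concurrent single-account brute force neither triggers it nor
masks a spray running at the same time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data.  Format: "timestamp src_ip user result".
# 203.0.113.7 sprays six accounts and lands on frank; 198.51.100.9 hammers one
# account (brute force, not a spray); 192.0.2.5 is a user who mistyped once;
# 203.0.113.20-27 is a distributed spray, one account per source address.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 203.0.113.7 alice FAIL
2021-07-01T10:00:40Z 203.0.113.7 bob FAIL
2021-07-01T10:01:20Z 203.0.113.7 carol FAIL
2021-07-01T10:02:05Z 203.0.113.7 dave FAIL
2021-07-01T10:02:50Z 203.0.113.7 erin FAIL
2021-07-01T10:03:30Z 203.0.113.7 frank FAIL
2021-07-01T10:04:10Z 203.0.113.7 frank SUCCESS
2021-07-01T10:10:00Z 198.51.100.9 admin FAIL
2021-07-01T10:10:02Z 198.51.100.9 admin FAIL
2021-07-01T10:10:04Z 198.51.100.9 admin FAIL
2021-07-01T10:10:06Z 198.51.100.9 admin FAIL
2021-07-01T10:10:08Z 198.51.100.9 admin FAIL
2021-07-01T10:10:10Z 198.51.100.9 admin FAIL
2021-07-01T11:00:00Z 192.0.2.5 alice FAIL
2021-07-01T11:00:15Z 192.0.2.5 alice SUCCESS
2021-07-01T12:00:00Z 203.0.113.20 user01 FAIL
2021-07-01T12:00:30Z 203.0.113.21 user02 FAIL
2021-07-01T12:01:00Z 203.0.113.22 user03 FAIL
2021-07-01T12:01:30Z 203.0.113.23 user04 FAIL
2021-07-01T12:02:00Z 203.0.113.24 user05 FAIL
2021-07-01T12:02:30Z 203.0.113.25 user06 FAIL
2021-07-01T12:03:00Z 203.0.113.26 user07 FAIL
2021-07-01T12:03:30Z 203.0.113.27 user08 FAIL
"""


def parse_log(text):
    """Parse the assumed four-field format into (timestamp, src_ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def spray_windows(events, per_source=True, window=timedelta(minutes=30),
                  min_users=5, max_per_user=2):
    """Return {group: (window_start, n_users)} for every group that, inside one
    sliding window, shows >= min_users distinct accounts failing at most
    max_per_user times each.  group is the source IP when per_source is True;
    otherwise all sources are pooled under "*" to catch a spray spread across
    many addresses (as a cloud-hosted cluster would do)."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src if per_source else "*"].append((ts, user))
    findings = {}
    for group, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            sprayed = [u for u, n in per_user.items() if n <= max_per_user]
            if len(sprayed) >= min_users:
                findings[group] = (start, len(sprayed))
                break  # first qualifying window per group is enough to alert
    return findings


def spray_hits(events, findings):
    """Accounts that logged in successfully from a flagged source: the ones the
    spray actually guessed, and the first place to look during response."""
    return sorted({user for ts, src, user, r in events
                   if r == "SUCCESS" and src in findings})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    per_src = spray_windows(evts)
    print("spraying sources:", per_src)
    print("compromised accounts:", spray_hits(evts, per_src))
    print("distributed spray:", spray_windows(evts, per_source=False,
                                              min_users=8, max_per_user=1))
```

<p>The per-source check flags 203.0.113.7 and attributes the successful login for frank to it, while the brute force against admin and the single mistyped password are left alone; the pooled check is what catches the eight single-attempt failures arriving from eight different addresses, which no per-source rule sees. Thresholds are a tuning decision: in a large tenant, several users genuinely failing once inside the same half hour is routine, so the pooled rule needs a higher floor than the per-source one, and enriching the source field with ASN or cloud-provider ranges is the usual next step.</p>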
<p>A growing number of ransomware attacks against infrastructure and critical industries, especially those suspected of state sponsorship and involvement, are prompting calls for an international agreement limiting the use of such “cyber warfare” tactics.</p>
<p>While such an agreement would be difficult to achieve, it is worthwhile for everyone to try to work toward this goal. Ransomware and other types of cyber warfare can cause irreparable harm to critical infrastructures, and lead to an escalating level of counterattacks, even if the actual perpetrators are not clearly apparent.</p>
<p>A key aspect of any such cyber agreement is enforcement. Attacks aren’t easily detected early enough to prevent, and once perpetrated, leave the victim at the mercy of the attacker. By monitoring the thousands of potential security events to identify anomalies, governments and infrastructure providers can take action to stop an attack before it causes real damage.</p>
<p>It’s heartening to know that the officials at the top of the western nations are finally taking this seriously. But one has to think that the cat is out of the bag. The malicious actors have learned that there is a high return on a low investment in international hacking. Most feel these organizations have profited so much from their ransomware attacks they have been able to buy political protection – at least up till now.</p>
<p>Nothing has changed. The onus of cyber security is still on the enterprise – especially since most of the government proposals come in the form of fining businesses for not conducting proper cyber security practices. Enterprises should start with the basics, especially around access and the question of “who has what” – and be alerted on identity privilege changes and change attempts, which are often an unheard first alert to an attack.</p>