Tuesday, November 18, 2014

Expect An Increase in Russian Attacks

Some are probably seeing it already. Others will shortly. This is an easy prediction to make, as attacks arriving over the wire are more deniable, avoid much of the potential for the ugliness of arrests, expulsions of diplomats, and the general mayhem of old-school espionage. They also seem likely to be more generally useful, in terms of cost-effectiveness.

Yet old-school Russian espionage is on the rise, seemingly triggered by geopolitics, particularly the Ukraine debacle in this case, as has happened for centuries. Consider these recent news reports.

Poland expels diplomats for “activities incompatible with their status”, and Russia follows suit. All very old-school. There is also some information from the Czech counter-intelligence agency here.

Goes into some depth about trade relations, and Germany abandoning their former stance of economic pragmatism, the extent of Russia's isolation, and whether that will actually matter.

Reports that German Chancellor Angela Merkel has developed a fundamental distrust of Putin, and is concerned about the Balkans. So Serbia and Bosnia-Herzegovina. Even Bulgaria, just to the east of the Balkans, is a matter of concern.

Russia Has Significant Capabilities

This dates back for many years. I don't want to go all cyber-war here. That concept was at least partially hype from the start. Even the issues of Russian involvement in Estonia (widely held up as the first example of cyber-war) and Georgia are not nearly so clear-cut as they are made out to be by some parties.

That said, a criminal organization known as the Russian Business Network operated with a degree of impunity that would have been impossible without some sort of governmental relationship from 2006-2007 or so. The RBN was highly effective, offering services and software, and spawned many offshoots. It figured prominently in various security vendor reports for a number of years dating from that time. It is probably safe to say that the effectiveness of over-the-wire techniques has been very well understood within the Russian government from at least that long ago.

Who Should be Concerned?

Pretty much anyone. Given the value of economic espionage, potential victims are not limited to, say, defense contractors. Even agricultural forecasts have figured prominently in relations between the US and Russia in the past. Obviously there are good reasons to believe that EU members should be even more concerned, particularly governmental organizations that touch on foreign policy, and business enterprises in the energy sector, or that do a significant export business (whether that currently involves Russia, or not).

The RBN had significant capabilities in the fundamental building blocks that are used in modern attacks, such as malware obfuscation and phishing. These techniques are important because they are proven.

Individuals should be concerned about the broad spectrum of social engineering attacks, such as phishing emails, or simple requests for access from someone purporting to be working from home.

Security groups within organizations can mostly only do what they have always done, though hopefully with a bit more effectiveness, given the likelihood of trouble. Monitor for data exfiltration, and audit systems and networks for compliance with the security posture you think you have. Patch.

One thing that seems to be little stressed is to speak with the people on the business side of things. You may discover that there is something about current negotiations, competitors, or simply the essential function of your organization (advocacy, etc.) which now makes you a more valuable target.

Raising awareness has historically failed, but it must still be attempted. Which is how this post came to be.

I Wish Spam Nation Had Been Published a Few Months Ago

My pre-ordered copy doesn't arrive until 11/24. It's on sale now, though, and you can get it next-day if you want. Amazon currently shows it to be in first place amongst network security books.

Truthfully, I don't expect it to contain any revelation which might have made all the difference had the book arrived today instead of on the 24th. I am already well enough acquainted with the situation that it probably won't affect me from an operations perspective. Still, you can never have too much knowledge, and the day will come when what Krebs knows will help me build a business case for better tooling, an idea which should appear in a better training program, or who knows what.

I'm looking forward to it.
