Yesterday, President Biden released a statement warning of a possible escalation of cyberattacks from Russia. The statement does not offer a lot of specifics. But it does link to two valuable documents: Fact Sheet: Act now to protect against potential cyberattacks.

So what does this mean for you? What should you do (or not do), and what kind of attack should you expect? The answers depend in part on your organization.

If you are part of a government network (or contractor) or part of critical infrastructure: Reach out to your specific ISACs or other information-sharing organizations if any details are available.

For everybody else: Keep reading.

Let me first mention a few things that will not help:

Things you should do:
Johannes 4505 Posts ISC Handler, Mar 22nd 2022
Indeed, sharing information on attacks seems like a good idea. For the past few weeks, I have been working on my own IDS/honeypot software, which tracks SSH and web intrusion attempts and shares the data with ISC's own 404 Web Honeypot project (SSH still to come, possibly, if I can figure out the format. I just noticed ISC does that too), as well as with some other services like AbuseIPDB (SSH too, there).
Vincent T 16 Posts, Mar 23rd 2022
While I agree that block-by-country firewall rules won't prevent you from being attacked, using some of the public lists of IPs/CIDRs of known bad actors can do something useful. When I upgraded the home firewall (opnsense) and enabled rules for the CINS Bad Guys and some of the ET (emerging threats) lists, most of the attack traffic I saw on a day-to-day basis dried up. This lowers the volume of background noise your IDS/NIDS systems have to go through and log. I actually wound up using this as an excuse to spin up some honeypots because I was in the middle of testing some log analysis modules for a syslog daemon I wrote and needed some more interesting attack traffic. Yeah, I'm a geek and probably need to seek help.

And speaking of honeypots, spinning them up in an externally facing network segment can be interesting if you want to look at who's scanning for what today, but is probably not terribly useful. But spinning up honeypots in your interior networks and sprinkling around some breadcrumbs leading an attacker to the honeypots (cached credentials, exciting DNS hostnames like fbi-vpn-gw.mydomain, or scada-gw.mydomain, etc.) CAN be useful, especially if you log everything.

Which brings me to the final thing this diary post reminded me of... Logging! At a previous job I had very little budget for cybersecurity and was having to build a security infrastructure from the ground up. So instead of spending boatloads of cash I didn't have on a proper SIEM, I spent it on endpoint protection/detection, intrusion detection, and better logging, analysis, and visualization tools. If your logs are complete and you have decent visualization tools you can do a lot of what SIEMs do, albeit manually - we humans are good at spotting anomalies visually, but not so great at reading gigabytes of logs. So now might be a good time to set up new visualizations of your log data. I found that my visualizations of log data (i.e., hits on DNS RPZ filters, or egress firewall filters) and looking at those charts at least daily led me to make better log analysis rules, which uncovered more interesting data in the logs, which led to making new ways to graph/diagram the logs to visually detect some new sort of event, which led back to finding new things in the logs and making more/better visualizations, etc. Anyway, just a thought or three...
Brent 133 Posts, Mar 23rd 2022
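The comment above describes two things that fit together: feeding a public bad-actor CIDR list into the firewall to cut background noise, and then charting what the IDS still sees so that anomalies stand out visually. The following is an added example, not code from the diary or from any commenter, and it is not tied to opnsense, CINS or the ET lists. It assumes a constructed blocklist (documentation ranges, not any real feed) and a constructed, pf-style firewall drop log whose fifth whitespace-separated field is the source address; both formats are invented here for illustration. It matches each dropped packet against the list with the standard library's `ipaddress` module, reports how much of the noise the list would have absorbed, and buckets the residual drops by hour into a crude text chart of the kind you would hang a daily look at.

```python
import ipaddress
from collections import Counter

# Constructed blocklist: RFC 5737 / RFC 3849 documentation ranges standing in
# for whatever a real feed (CINS, ET, ...) would give you.
BLOCKLIST_CIDRS = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "2001:db8:bad::/48",
    "not a cidr",          # a corrupt feed line must not abort the whole load
]

# Constructed firewall drop log (invented pf-like layout):
# <timestamp> block in <iface> <src> -> <dst>:<port>
FIREWALL_LOG = """\
2022-03-23T01:14:02 block in em0 203.0.113.17 -> 192.0.2.10:22
2022-03-23T01:14:09 block in em0 198.51.100.200 -> 192.0.2.10:445
2022-03-23T01:52:41 block in em0 192.0.2.77 -> 192.0.2.10:3389
2022-03-23T02:03:13 block in em0 203.0.113.130 -> 192.0.2.10:22
2022-03-23T02:18:55 block in em0 2001:db8:bad::15 -> 2001:db8:1::10:80
2022-03-23T02:30:00 block in em0 198.51.100.9 -> 192.0.2.10:23
"""


def build_networks(cidrs):
    """Parse CIDR strings into ip_network objects, skipping malformed entries."""
    nets = []
    for entry in cidrs:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue
    return nets


def match_blocklist(ip_text, nets):
    """Return the first listed network containing ip_text, or None.

    Unparseable addresses (garbage in the log) are treated as unmatched
    rather than raising, so one bad line cannot stop the report.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def summarize_drops(log_text, cidrs):
    """Split dropped packets into 'blocklist would have eaten this' and residual noise."""
    nets = build_networks(cidrs)
    stats = {"total": 0, "on_blocklist": 0, "unparsed": 0}
    by_network = Counter()
    residual_by_hour = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        timestamp, src = fields[0], fields[4]
        hit = match_blocklist(src, nets)
        if hit:
            stats["on_blocklist"] += 1
            by_network[hit] += 1
        else:
            # Residual drops are what the IDS still has to look at; bucket by hour.
            residual_by_hour[timestamp[11:13]] += 1
    stats["by_network"] = dict(by_network)
    stats["residual_by_hour"] = dict(residual_by_hour)
    return stats


def render_hourly(residual_by_hour):
    """Crude text bar chart: one row per hour, one '#' per residual drop."""
    return "\n".join(
        f"{hour} | {'#' * count}" for hour, count in sorted(residual_by_hour.items())
    )


if __name__ == "__main__":
    report = summarize_drops(FIREWALL_LOG, BLOCKLIST_CIDRS)
    print(f"{report['on_blocklist']} of {report['total']} drops were on the blocklist")
    print(render_hourly(report["residual_by_hour"]))
```

Note that `203.0.113.130` is deliberately outside the `/25` in the constructed list, so it lands in the residual bucket: a list entry that is narrower than you assumed is exactly the kind of thing the hourly chart makes visible, since the noise does not dry up where you expected it to.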
> Indeed, sharing information on attacks seems like a good idea.
Honeypots can be interesting! I was disappointed to find that the FTP/ssh/CIFS honeypots I spun up only netted about four or five different strains of malware to pick apart, though (though I would see a gazillion different copies of that handful of malware). I wrote a syslog daemon with some rudimentary log analysis features so I tweaked it to watch for certain types of attack activity (or people poking at the honeypots) and had it update the firewall to block the offending IP for X days, just out of curiosity. It meant that third-party relay or brute-force auth attacks on a mail server (for instance) are quickly squelched, but I didn't see a lot of repeat attacks from IPs seen in previous days.
Brent 133 Posts, Mar 23rd 2022
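Two of the comments above converge on the same mechanism: Vincent T's tracker of SSH intrusion attempts, and Brent's syslog daemon that watches for brute-force activity, pushes a firewall block for the offending IP for X days, and then notices how rarely the same IP comes back. The block below is an added example written for this page, not Brent's daemon, Vincent's tracker, or any project's code. It assumes constructed sshd log lines in the usual syslog layout (the hostname `bastion`, the PIDs and the addresses are invented), that the log year is 2022 because syslog timestamps carry none, and a threshold of five failed passwords inside sixty seconds. It replays the log through a sliding-window detector that records a time-limited block instead of calling a firewall, drops further events while the block is active, lets the block expire, and counts how many times each IP earned a block so repeat offenders can be listed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2022  # assumption: syslog lines carry no year

# Constructed sshd auth log (syslog layout; host, PIDs and addresses are invented).
AUTH_LOG = """\
Mar 23 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 23 10:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 23 10:00:04 bastion sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 40131 ssh2
Mar 23 10:00:06 bastion sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Mar 23 10:00:07 bastion sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 40142 ssh2
Mar 23 10:00:09 bastion sshd[1206]: Failed password for invalid user admin from 203.0.113.5 port 40150 ssh2
Mar 23 10:05:00 bastion sshd[1210]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 23 10:05:20 bastion sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Mar 23 12:30:00 bastion sshd[1300]: Failed password for invalid user admin from 203.0.113.5 port 42000 ssh2
Mar 25 08:00:00 bastion sshd[1400]: Failed password for invalid user admin from 203.0.113.5 port 43000 ssh2
Mar 25 08:00:01 bastion sshd[1401]: Failed password for root from 203.0.113.5 port 43001 ssh2
Mar 25 08:00:02 bastion sshd[1402]: Failed password for invalid user ubnt from 203.0.113.5 port 43002 ssh2
Mar 25 08:00:03 bastion sshd[1403]: Failed password for invalid user guest from 203.0.113.5 port 43003 ssh2
Mar 25 08:00:04 bastion sshd[1404]: Failed password for invalid user admin from 203.0.113.5 port 43004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_login(line):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class BruteForceBlocker:
    """Sliding-window failed-login counter with time-limited blocks per source IP."""

    def __init__(self, threshold=5, window=timedelta(seconds=60), block_for=timedelta(days=1)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for            # Brent's "X days"
        self.recent = defaultdict(deque)      # ip -> timestamps of recent failures
        self.blocked = {}                     # ip -> block expiry
        self.offenses = Counter()             # ip -> number of blocks earned

    def observe(self, line):
        """Feed one log line; returns 'counted', 'blocked', 'dropped' or None."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return None
        ts, _user, ip = parsed
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if ts < expiry:
                return "dropped"              # block still active; a real firewall would drop this
            del self.blocked[ip]              # block expired: start counting afresh
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()                  # forget failures older than the window
        if len(window) >= self.threshold:
            self.blocked[ip] = ts + self.block_for
            self.offenses[ip] += 1
            window.clear()
            return "blocked"
        return "counted"

    def repeat_offenders(self):
        """IPs that came back and earned a second block after an earlier one expired."""
        return sorted(ip for ip, n in self.offenses.items() if n > 1)


def replay(log_text, **kwargs):
    """Run a log through a fresh blocker and tally the outcome of every line."""
    blocker = BruteForceBlocker(**kwargs)
    outcomes = Counter()
    for line in log_text.splitlines():
        outcomes[blocker.observe(line) or "ignored"] += 1
    return blocker, dict(outcomes)


if __name__ == "__main__":
    blocker, outcomes = replay(AUTH_LOG)
    print(outcomes)
    print("repeat offenders:", blocker.repeat_offenders())
```

With the constructed log, `203.0.113.5` is blocked on its fifth failure, its sixth attempt and its afternoon retry are dropped while the one-day block stands, and the Mar 25 burst earns it a second block, which is what marks it as a repeat offender; `198.51.100.7` only fails once before a successful key login and is never touched. The `replay` helper is the offline stand-in for the syslog daemon's live feed, so the same class can be dropped behind a real log source unchanged.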