On February 10, 2017, the Department of Homeland Security issued the Enhanced Analysis of GRIZZLY STEPPE Activities.
The analysis contains many interesting details about the attack and gives excellent insight into the mindset of the attackers and the protective measures we need to take to defend our information and infrastructure.
The report contains numerous defensive recommendations, such as YARA rules and Snort signatures, that help detect multiple attack vectors and techniques used by GRIZZLY STEPPE.
One of the first items in the Mitigation Guidance section relates directly to Digital Edge’s Log Management Service:
"Conduct regular log review. Key sources should include the network and host firewalls, Intrusion Prevention System, proxy, and local event logs. Events of interest should include high usage rates to suspicious IPs, odd timestamps on web files (dates that don’t match previous content updates), odd connections destined for internal networks, suspicious files in internet accessible locations, references to key words such as cmd.exe or eval. Auditing should involve some kind of aggregator to store and secure the logs remotely. Even the best auditing on the web server is useless if the attacker can just manipulate or delete them once they have obtained control. The logs should be protected and regularly rolled up to a centralized location for integration into a security information and event management system."
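As an added illustration (not code from the DHS report or from Digital Edge), the following Python applies two of the checks named in the quoted guidance to constructed web server access log lines: requests referencing key words such as cmd.exe or eval, and high per-IP request rates over a fixed window. The log format (Common Log Format), the rate threshold and the sample addresses are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log lines for illustration; not from the DHS report.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Feb/2017:10:00:02 +0000] "GET /images/upload.php?c=cmd.exe HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Feb/2017:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 900',
    '203.0.113.5 - - [10/Feb/2017:10:00:03 +0000] "POST /images/upload.php HTTP/1.1" 200 64',
    '203.0.113.5 - - [10/Feb/2017:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Feb/2017:10:00:05 +0000] "GET /js/app.js?x=eval(1) HTTP/1.1" 200 77',
]

# Common Log Format: ip ident user [timestamp] "request" status bytes (assumed format)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+')
KEYWORDS = ("cmd.exe", "eval")  # key words named in the mitigation guidance


def parse_line(line):
    """Parse one access log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def keyword_hits(lines, keywords=KEYWORDS):
    """Return (ip, request) pairs for requests that reference any watched key word."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if any(k in rec["req"].lower() for k in keywords):
            hits.append((rec["ip"], rec["req"]))
    return hits


def high_rate_ips(lines, threshold, window_seconds=60):
    """Return IPs whose request count in any fixed time window reaches the threshold."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        bucket = int(rec["ts"].timestamp()) // window_seconds
        counts[(rec["ip"], bucket)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    print("key word hits:", keyword_hits(SAMPLE_LOG))
    print("high-rate IPs:", high_rate_ips(SAMPLE_LOG, threshold=3))
```

In practice these checks would run against logs already shipped to the central aggregator the guidance calls for, so that a compromised web server cannot alter the copy being reviewed.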
Please click here to learn more about Digital Edge’s Log Management Service.
Please click here to download the report.