Q. Do you anticipate other threat actors not related to Russia using this situation as a smokescreen?
Potentially. We believe the most likely ongoing high threat for most organizations remains post-intrusion ransomware attacks. Some organizations will also continue to be a target for government-backed threat groups. We may see some of those threat actors incorporate this situation into phishing lures or other social engineering techniques. For most organizations, those threats will continue to be the priority focus areas, and it’s important that vigilance is maintained across the board and the situation in Ukraine doesn’t become too much of a distraction.
Q. To which controls do your countermeasures apply?
The Secureworks Counter Threat Unit™ (CTU) has developed more than 40 countermeasures as a direct result of this effort, in addition to our extensive library of pre-existing countermeasures designed to detect and defend against threats of many kinds. These countermeasures leverage the full breadth of Secureworks® detection capabilities in both our CTP and Taegis™ platforms. This includes RedCloak™ endpoint-specific countermeasures, Taegis and CTP platform countermeasures, and network-based countermeasures such as iSensor signatures.
Q. How quickly are signatures being deployed?
As we monitor the situation, the Secureworks CTU™ is actively working on countermeasure coverage for threats as soon as we identify them. In close connection with our customers and partners, we take any information which can be used for network defense and translate these insights into CTP and Taegis countermeasures. Due to the dynamic nature of this event, the timeframes for countermeasure development depend on many factors, including how complete our information about a specific threat is, the time it takes to research and validate that information, and the time it takes to actually create the detections in our various platforms. These activities take time, but our Secureworks CTU is working hard to deploy accurate detections in a timely manner.
Q. Are you applying your controls to all customers or just a subset of them?
Our goal is to spread our protection as wide as we can, so we apply countermeasures to the widest set of customers and partners possible. This means all countermeasures made in response to this event have been applied to all customers where possible.
Q. Would it be a good idea to geo-block all Russian and Ukrainian IP addresses on our firewalls?
If there is no reason for your organization to receive traffic originating from a particular country or region, then blocking all IPs that geo-locate to that country or region is not going to do any harm and may reduce some “noise.” However, that step alone should not be considered an effective preventive control. Even where it may be initially successful, it is relatively trivial to bypass.
Typically, attackers will use infrastructure located all over the world, whether that is to make their activities harder to attribute, easier to blend in with what might be considered legitimate traffic, or to take advantage of faster and more reliable internet infrastructure. In fact, for targeted attacks we almost never see the network traffic originating from the country responsible for conducting the attack. As a more robust preventive control, organizations may consider allow-listing – i.e., only permitting traffic to known and approved internet resources – rather than blocking.
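As an added illustration (not part of the original FAQ), the Python below models the two controls on constructed sample data: a geo-based deny list permits an unapproved outbound connection as soon as the remote infrastructure sits in a non-blocked country, whereas a default-deny allow list does not. The geo table, prefixes and connection names are made up for the example.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed geo table (documentation prefixes, not real allocations): prefix -> country code.
GEO_TABLE = {
    "203.0.113.0/24": "RU",
    "198.51.100.0/24": "UA",
    "192.0.2.0/24": "US",
    "192.0.2.128/25": "DE",  # more specific prefix inside the US block, exercises longest match
}
# Sort most-specific first so the first hit is the longest prefix match.
GEO_NETS = sorted(
    ((ipaddress.ip_network(p), cc) for p, cc in GEO_TABLE.items()),
    key=lambda n: n[0].prefixlen, reverse=True,
)

def country_of(ip: str) -> str:
    """Longest-prefix geo lookup; addresses outside the table map to '??'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_NETS:
        if addr in net:
            return cc
    return "??"

def geo_block_policy(dst_ip: str, blocked: Iterable[str] = ("RU", "UA")) -> bool:
    """Deny-list control: permit unless the destination geo-locates to a blocked country."""
    return country_of(dst_ip) not in set(blocked)

def allow_list_policy(dst_ip: str, approved: Iterable[str]) -> bool:
    """Allow-list control: permit only destinations inside approved prefixes (default deny)."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(p) for p in approved)

# Constructed outbound connection attempts from an internal host.
ATTEMPTS = {
    "approved-saas": "192.0.2.10",    # US-hosted and on the approved list
    "ru-hosted":     "203.0.113.7",   # geo-locates to RU, caught by the deny list
    "unapproved-vps": "192.0.2.200",  # DE-hosted: passes the geo block, not approved
}
APPROVED_PREFIXES = ("192.0.2.0/28",)

def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return (geo_block_permits, allow_list_permits) for every attempt."""
    return {name: (geo_block_policy(ip), allow_list_policy(ip, APPROVED_PREFIXES))
            for name, ip in ATTEMPTS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15} geo-block={verdict[0]!s:5} allow-list={verdict[1]}")
```

Only the allow list blocks the connection to the unapproved VPS, which is the case the geo block misses once infrastructure is hosted elsewhere.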
Q. Where can I find indicators relating to this threat?
Secureworks is compiling a list of verified indicators associated with this threat, derived from our own research and from third-party reporting. The current list of indicators is available here: https://github.com/secureworks/ukraine-crisis/blob/master/ukraine-crisis-iocs.tsv
It is important to stress, however, that we would expect subsequent cyber activity to use previously unobserved tools and infrastructure. It is important that organizations have controls such as endpoint monitoring and intrusion detection system sensors that can identify behaviors, not just atomic indicators. Doing so will provide more effective and enduring protection than relying on indicator lists.
Q. Is Secureworks conducting threat hunts based on what you’ve seen so far?
Secureworks has performed retroactive searches against customer-provided data for known threat indicators, based on the available intelligence. This includes the wiper activity observed on February 23. These searches continue until corresponding countermeasures can be created, at which point the countermeasures will detect any occurrences of known threats. As new intelligence is gathered, we will continue to perform these indicator searches and transform them into new countermeasures.
Q. What’s the risk to organizations outside of Ukraine from reprisal attacks?
It is possible that the impact of Western sanctions or of cyberattacks conducted against Russian entities by pro-Ukraine threat actors will lead to retaliatory attacks against Western organizations. For example, ransomware groups such as GOLD ULRICK (who operate the Conti ransomware-as-a-service scheme) have threatened to bring their capabilities to bear “in defense of Russia.” The reality, of course, is that these financially motivated groups are already doing everything they can to extort money from organizations outside of Russia, so the threat from these groups has not changed. It remains important that organizations are vigilant, review their business continuity plans, and ensure that they have implemented fundamental controls around patching, multi-factor authentication and endpoint detection and response.
Originally published on https://www.secureworks.com/blog/ukraine-crisis-faqs-part-2