IMCAFS


The US Department of Homeland Security uses the cyber kill chain to analyze the hacking incidents in the presidential election

Posted by tzul at 2020-03-26

Wednesday, March 1, 2017

In early February, the National Cybersecurity and Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security (DHS) released a new report, providing additional indicators of compromise (IOCs) and an analysis that uses the cyber kill chain to help detect and mitigate the Russian "GRIZZLY STEPPE" hacking activity.

On December 29, 2016, DHS and the FBI released a preliminary Joint Analysis Report (JAR) describing the tools and infrastructure used by the Russian hackers, whose activity DHS calls "GRIZZLY STEPPE", in attacks against the US general election. However, security experts pointed out that the earlier report did not live up to its promise.

Although the original report contained a series of IOCs, some claimed that they were of poor quality and of little use to defenders, and that they were issued as a political tool to try to blame Russia for the attack.

The new report (https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf) is described by DHS as an Analysis Report (AR) that thoroughly analyzes the methods used by the actors associated with GRIZZLY STEPPE to compromise systems. The report provides more detailed IOCs, a corresponding analysis of each stage of the cyber kill chain, and specific mitigation techniques against GRIZZLY STEPPE attackers.

Analysis of "GRIZZLY STEPPE" using the cyber kill chain

The Cyber Kill Chain is a framework created by Lockheed Martin to describe the stages of an attack. DHS analysts use this framework to summarize GRIZZLY STEPPE activity at every stage of the kill chain: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective.

Figure: Cyber threat kill chain

The report also provides detailed host and network signatures to help defenders detect and mitigate GRIZZLY STEPPE-related activity, including additional YARA rules and attack-related IOCs.

DHS previously said that two different actors were involved in the political attack: APT29, whose attack began in the summer of 2015, and APT28, whose attack began in the spring of 2016. The former is also known as "Cozy Bear" or "CozyDuke", while the latter is also known as "Fancy Bear", "Pawn Storm", "Strontium", Sofacy, Sednit and "Tsar Team".

DHS recommends that security teams consult the multiple research reports on GRIZZLY STEPPE produced by different organizations.

"While DHS does not endorse any company or their findings, we believe that the breadth of materials from multiple sources can enhance a comprehensive understanding of the threat. DHS encourages analysts to take a closer look at these resources to determine how exposed their local network environment is to the threat," the agency said.
