The Joint Activity Report (JAR) on GRIZZLY STEPPE did far more harm than good. I've had numerous clients of Rendition Infosec question me on what the indicators mean and whether they should be concerned.
Concerned about Russian hackers in your network? Not based on those indicators (most of them).
Concerned about the competence of government cyber analysts (or lack thereof)? Yeah, definitely.
There are 876 IP addresses in the GRIZZLY STEPPE IOCs. There are several from Amazon EC2, and absent a date of when those IPs were actively used by Russian hackers, they are useless. Less than useless.
My favorite IP address in the report though has to be 65.55.252.43. This resolves to watson.telemetry.microsoft.com. This makes it clear that nobody competent vetted the report. Either that or someone at NCCIC has it out for Dr. Watson.
What's an indicator anyway?
These indicators aren't indicators. To be more than data, an indicator has to indicate something. These fall well short of that. The report thankfully doesn't recommend blocking the IPs in the report, but also fails to say how hopelessly under-vetted they are.
My recommended action for these indicators is to ignore them until they have been better vetted. NCCIC honestly owes a large number of network operators and incident response teams a formal apology for the time they wasted responding to this farce of a report. The IOCs have triggered countless false positives in my customers' networks. Even Rob Graham noted that he had two of the IPs in his browser DNS cache. But more than that, the report communicates to corporate leadership to ignore future reports from NCCIC. One day they'll have something useful to share, and based on this clown show, nobody will be left paying attention.
Concerned about Russian hackers in your network? Not based on those indicators (most of them).
Concerned about the competence of government cyber analysts (or lack thereof)? Yeah, definitely.
There are 876 IP addresses in the GRIZZLY STEPPE IOCs. There are several from Amazon EC2, and absent a date of when those IPs were actively used by Russian hackers, they are useless. Less than useless.
My favorite IP address in the report though has to be 65.55.252.43. This resolves to watson.telemetry.microsoft.com. This makes it clear that nobody competent vetted the report. Either that or someone at NCCIC has it out for Dr. Watson.
What's an indicator anyway?
These indicators aren't indicators. To be more than data, an indicator has to indicate something. These fall well short of that. The report thankfully doesn't recommend blocking the IPs in the report, but also fails to say how hopelessly under-vetted they are.
My recommended action for these indicators is to ignore them until they have been better vetted. NCCIC honestly owes a large number of network operators and incident response teams a formal apology for the time they wasted responding to this farce of a report. The IOCs have triggered countless false positives in my customers' networks. Even Rob Graham noted that he had two of the IPs in his browser DNS cache. But more than that, the report communicates to corporate leadership to ignore future reports from NCCIC. One day they'll have something useful to share, and based on this clown show, nobody will be left paying attention.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.