An Acronym Soup But A Nutritious One From “CISA”

The Cybersecurity Infrastructure Security Agency (CISA),  part of the Department of Homeland Security (DHS), “is charged with enhancing the security, resiliency, and reliability of the nation’s cyber, communications, and physical infrastructure, as well as with supporting DHS’s mission to manage risk.” Earlier this month, CISA, in a project co-authored with the FBI and the NSA, posted a Cybersecurity Advisory (CSA), titled “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”

The barrage of acronyms notwithstanding, this post seemingly pulls off a neat trick: laying out a clear list of familiar but often ignored cybersecurity defense strategies, while also providing a more detailed look at the technical side of what’s thought to be known about Russian state-sponsored cyber operations, including “commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations.” Included is a list of some of the currently known Common Vulnerabilities and Exposures (CVEs),  i.e., publicly disclosed security flaws, which are said to have been exploited by Russian state-sponsored advanced persistent threat (APT) actors.

A “Detection” section of this post includes specific technical recommendations, like being on the lookout for suspicious “impossible logins,” (logins with “changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location,” and for “impossible travel,” where a user logs in from multiple IP addresses that are “a significant geographic distance apart.”

The post concludes with information about the State Department’s Rewards for Justice Program, which offers up to $10 million for information leading to the identification or location of someone acting under the direction of a foreign government and participating in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.