US-CERT has released a Joint Analysis Report (JAR) attributing the recent compromise of a US political party to Russian malicious cyber activity, designated GRIZZLY STEPPE.
The report includes freshly declassified “Indicators of Compromise” associated with malicious GRIZZLY STEPPE operations. This is a gold mine for threat hunters with large historical data sets in ArcSight Logger, Splunk, or Elastic. Bet you are glad your ISO, PCI, or SOX auditor forced you to increase retention periods for log data to maintain compliance as you now have a use for it!
Adding these IOCs to your existing threat lists for real-time correlation will produce a high number of false positives, as the tactics, techniques, and procedures (TTPs) have now changed because this infrastructure has been exposed. The true value lies in searching past data for evidence of historical compromise.
As we have a freshly launched ArcSight Logger 6.2 instance in Amazon AWS, we will walk you through extracting the IOCs from the intelligence report and making them actionable. We are going on a cyber bear hunt!
Importing the data
First, download the CSV file containing the IP-address and domain-name IOCs and import it into ArcSight Logger.
Logger Search Queries
Begin the hunt with the following search queries. The output will show any firewall-categorized traffic to or from the known GRIZZLY STEPPE IPs or domains.
categoryDeviceGroup = /Firewall AND categoryBehavior = /Access | lookup JAR_16_20296A INDICATOR_VALUE as sourceAddress output * | where TYPE = IPV4ADDR | top sourceAddress
categoryDeviceGroup = /Firewall AND categoryBehavior = /Access | lookup JAR_16_20296A INDICATOR_VALUE as destinationAddress output * | where TYPE = IPV4ADDR | top destinationAddress
categoryDeviceGroup = /Firewall AND categoryBehavior = /Access | lookup JAR_16_20296A INDICATOR_VALUE as sourceHostname output * | where TYPE = FQDN | top sourceHostname
categoryDeviceGroup = /Firewall AND categoryBehavior = /Access | lookup JAR_16_20296A INDICATOR_VALUE as destinationHostname output * | where TYPE = FQDN | top destinationHostname
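For hunters without a Logger instance, here is an added Python example (not from the original post or from Tiberium) that reproduces the logic of the four queries above: it loads a CSV with the INDICATOR_VALUE and TYPE columns the lookup keys on, filters firewall /Access events, matches the chosen event field against indicators of one TYPE, and counts hits like `top`. The IOC values, firewall events, and the helper names `FW`, `normalise`, `load_iocs` and `hunt` are all constructed for this illustration and are not the report's indicators.

```python
import csv
import io
from collections import Counter

# Constructed IOC CSV (placeholder values); only the two columns the queries key on.
IOC_CSV = """INDICATOR_VALUE,TYPE
192.0.2.10,IPV4ADDR
198.51.100.77,IPV4ADDR
bad.example.net,FQDN
"""

# Constructed firewall events using the same field names as the queries.
FW = {"categoryDeviceGroup": "/Firewall", "categoryBehavior": "/Access"}
FIREWALL_EVENTS = [
    {**FW, "sourceAddress": "10.0.0.5", "destinationAddress": "192.0.2.10"},
    {**FW, "sourceAddress": "10.0.0.9", "destinationAddress": "192.0.2.10"},
    {**FW, "sourceAddress": "10.0.0.5", "destinationAddress": "203.0.113.4",
     "destinationHostname": "BAD.example.net."},   # case and trailing dot differ
    {**FW, "sourceAddress": "198.51.100.77", "destinationAddress": "10.0.0.5"},
    # Not a firewall event: the category filter must exclude it.
    {"categoryDeviceGroup": "/IDS", "categoryBehavior": "/Access",
     "sourceAddress": "10.0.0.5", "destinationAddress": "192.0.2.10"},
]


def normalise(value, ioc_type):
    """Hostnames match case-insensitively and without a trailing dot."""
    return value.strip().lower().rstrip(".") if ioc_type == "FQDN" else value.strip()


def load_iocs(csv_text):
    """Build {TYPE: set(INDICATOR_VALUE)} from a JAR-style CSV string."""
    by_type = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc_type = row["TYPE"].strip()
        by_type.setdefault(ioc_type, set()).add(
            normalise(row["INDICATOR_VALUE"], ioc_type))
    return by_type


def hunt(events, iocs, field, ioc_type):
    """Equivalent of one Logger query: filter firewall /Access events, look
    up <field> against INDICATOR_VALUE, keep TYPE = ioc_type, then 'top'."""
    hits = Counter()
    for ev in events:
        if (ev.get("categoryDeviceGroup") != "/Firewall"
                or ev.get("categoryBehavior") != "/Access"):
            continue
        value = normalise(ev.get(field, ""), ioc_type)
        if value and value in iocs.get(ioc_type, ()):
            hits[value] += 1
    return hits.most_common()  # [(value, count), ...] like Logger's 'top'
```

Point it at archived firewall exports rather than a live feed, for the false-positive reason given above; the TYPE filter matters because an IPV4ADDR field will never legitimately match an FQDN indicator.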
Do you get any results? If so, they should look like this.
Happy Hunting! Get in contact if you find evidence of compromise in your environment and want to take the hunt to the next level.
Tiberium are at the forefront of intelligence driven security operations and are the cyber security services integrator of choice for some of the world’s largest companies. We deliver advanced threat intelligence services, OSINT, SOC enhancements, and enable improved operational risk management by identifying threats faster from over one million data sources.