Federal Joint Analysis Reports (JAR) should include stronger language on indicators of compromise (IOC), according to Cris Thomas, a network security strategist at Tenable.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a JAR on Dec. 29 that discusses the tools Russian intelligence officers used to compromise the networks and infrastructure associated with the recent U.S. presidential election. Federal agencies have dubbed Russian Intelligence Services’ (RIS) malicious cyber activity “Grizzly Steppe.”
Thomas, who doubles as Space Rogue, a white hat hacker, said that Federal reports on malicious hacking are a good way to keep members of the public and Federal employees informed.
“I think releasing reports like this is a good thing,” Thomas said. “Awareness is usually lacking.”
While he stated that JARs are beneficial, he also said the report should have included more on IOCs related to Grizzly Steppe. The JAR mentions that malicious actors can often be spotted by their Internet Protocol (IP) addresses and Domain Name System (DNS) names. However, many of these IP addresses carry legitimate traffic from other sites, creating the potential for false positives in the search for malicious actors.
The 13-page JAR devotes half a page to malicious IP addresses and how to monitor them alongside their legitimate counterparts. Thomas stated there should be more—and more specific—language on the subject in such reports.
“What they’re introducing is unfortunately not really specific. The information is not specific enough in that only bad guys use this,” Thomas said. “You can’t weed out false positives. These IP addresses need to be investigated.”
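The IOC false-positive problem described above, and Thomas's point that such addresses need investigation rather than blind blocking, as an added Python example that is not from the JAR or from Tenable: the IOC addresses, the `shared` flag, and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed IOC list in the spirit of a JAR appendix; the "shared" flag records
# the report's own caveat that an address may also carry legitimate traffic.
# Every address and note here is made up for this example.
IOC_IPS = {
    "198.51.100.23": {"shared": True, "note": "also serves legitimate sites"},
    "203.0.113.77": {"shared": False, "note": "dedicated infrastructure per report"},
}

# Constructed firewall-style log lines (not from any real sensor).
SAMPLE_LOGS = [
    "2017-01-03T10:00:01Z src=10.0.0.5 dst=198.51.100.23 proto=tcp dport=443",
    "2017-01-03T10:00:07Z src=10.0.0.9 dst=203.0.113.77 proto=tcp dport=8080",
    "2017-01-03T10:01:15Z src=10.0.0.5 dst=93.184.216.34 proto=tcp dport=443",
    "2017-01-03T10:02:42Z src=10.0.0.12 dst=198.51.100.23 proto=tcp dport=443",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def triage_ioc_hits(log_lines, iocs=IOC_IPS):
    """Match destination IPs against the IOC list and assign a triage verdict.

    A hit on a shared address is labelled 'investigate' rather than blocked
    outright: the IP match alone cannot separate attacker traffic from the
    legitimate traffic the same address carries. Dedicated addresses are
    escalated as 'high_priority'. Returns {ioc_ip: {verdict, sources, note}}.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] not in iocs:
            continue
        hits[m["dst"]].add(m["src"])  # remember which internal hosts talked to it
    result = {}
    for ip, sources in hits.items():
        verdict = "investigate" if iocs[ip]["shared"] else "high_priority"
        result[ip] = {"verdict": verdict, "sources": sorted(sources), "note": iocs[ip]["note"]}
    return result
```

Running `triage_ioc_hits(SAMPLE_LOGS)` yields one "investigate" entry listing both internal hosts that reached the shared address and one "high_priority" entry for the dedicated one, while the unrelated destination produces no hit at all.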
Thomas said he was surprised at how much of the report focuses on basic cybersecurity practices. Pages 6-12 of the report provide recommendations for best cybersecurity practices under headlines like “Top Seven Mitigation Strategies,” “Phishing and Spearphishing,” and “Logging Practices.” He suggested that nearly half the report is dedicated to these basic steps because Federal agencies need to master these practices.
“It’s interesting that the last six pages of the report talk about recommended mitigation strategies. These are all basic 101 things,” Thomas said. “Maybe it indicates that many agencies aren’t taking basic steps. These are things everyone should be doing anyway.”
Since the JAR’s release, the American intelligence community declassified a report revealing that Russian President Vladimir Putin “ordered” an effort to influence the U.S. election, calling into question the extent of Russia’s cyber interference. Thomas said, in light of that declassified report, he hopes that agencies like DHS and the FBI will issue more JARs soon.
“I have long been a proponent of transparency in attribution,” Thomas said. “When there is no transparency, it can cause confusion.”