Tim Wade, Technical Director, CTO Team at Vectra, a California-based AI cybersecurity company, says, "I can’t recall a time in my life when Russia wasn’t aggressively probing western resolve, ranging from tactical incursions into air space to pulling strategic economic levers. This activity is just a continuation of that long-standing tradition, and I read this advisory as another periodic reminder of the background radiation of global politics — if you’re operating critical infrastructure and are under the impression that you aren’t squarely in an operator’s crosshairs, you’re wrong."
Advisories like this do little to help defenders actually protect themselves, says John Bambenek, Principal Threat Hunter at Netenrich, a California-based digital IT and security operations company. "I read this and don’t have any more insight into detecting and preventing these attacks than before. It’s 2022; these agencies hopefully can reach out directly to organizations with more specific guidance, because public announcements aren’t helpful, and there are reasons not to be too specific in them as well."
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "The main takeaway from the CISA Russian cyber threat alert is 'logs, or it didn't happen.' When defending against sophisticated Russian adversaries (or any group), you must have a security monitoring infrastructure that provides situational awareness to detect and respond to intrusions. You must have sensors in place to capture malicious activity. You must also retain those logs for retroactive threat hunting as you develop and acquire new intelligence. Defenders should conduct an annual gap analysis of their monitoring capabilities and quickly plan to mitigate any collection gaps. You don't want to be in a position where you have to say."
Holland adds, "The second takeaway is that these actors use 'common but effective tactics.' Although these groups have sophisticated capabilities (e.g., the SolarWinds intrusion), they also rely on low-hanging-fruit tactics and techniques. While it isn't sexy, effective security hygiene like patching known vulnerabilities on external services raises the adversary's costs and makes their job harder. Don't be a soft target. The advisory doesn't mention the current Russia-Ukraine tensions, but if the conflict escalates, you can expect Russian cyber threats to increase their operations. Cyberspace has become a key component of geopolitics. Russian APT groups aren't at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but companies could end up being collateral damage."