On 10 February 2017, US-CERT released “Enhanced Analysis of GRIZZLY STEPPE Activity” (AR-17-20045).
This report differs from the first (GRIZZLY STEPPE – Russian Malicious Cyber Activity) and is not as much an update but, rather a companion. This report does not suffer from the same problems in the first release. The first release tried to satisfy a poorly executed joint statement and satisfy a range of audiences (e.g., mixing geopolitical topics with technical details). This report does not suffer from the same flaw. Instead, it focuses on network defenders using a layout and language common to that community. The lack of any press release around this report is likely because of its lack of applicability to a broader audience – and no earlier joint statement.
The quality of this report is much higher, potentially illustrating more care and learning the lessons from the first reports. Second, it does not suffer from the same overbearing editing and joint agency review process which was clear in the earlier releases.
Network Defense Value
Technically, the most valuable addition is a well-documented kill chain narration allowing defenders to better understand the behaviors of these adversaries and develop proper detection and mitigation tailored to their own environments. As always, deploying the detection rules of others is a danger and each org will have to assess those included.
The mitigation recommendations are general but match up well with the described adversary behavior – and an organization including these adversaries in their threat model should take them seriously. Other organizations should probably continue following Australia’s “Strategies to Mitigate Cybersecurity Incidents” especially the “top 4” and “essential eight.”