Report on Russian hacking leaves many questions unanswered

Experts have been poring over the JAR released two weeks ago, but there isn't enough detail in the document to help organizations defend themselves


Security experts have been poring over the Joint Analysis Report released two weeks ago by the Department of Homeland Security and the Federal Bureau of Investigation, but there isn't enough detail in the public document to help organizations defend themselves against other Russian attacks.

The report contains lists of indicators of compromise - technical signs that the Russians are hacking into a system. But most of these were already familiar, and more interesting information was left out, according to security experts.

"There would be some indicators that are held back, because revealing everything would compromise sources or methods," said Eddie Schwartz, president and COO at White Ops, and board director of ISACA, a global organization for IT and cybersecurity professionals.

If the attackers know that they are leaving certain kinds of digital fingerprints, they'll be more careful to hide them next time. In addition, the intelligence agencies also use other means of collecting information, such as intercepted communications or even moles in the enemy organizations.

"They are classified in nature," said Schwartz. "But some could be provided to certain partners in the community, like the Financial Services Information Sharing and Analysis Center."


Companies that might be targeted by Russian groups should join such organizations, and not just to get access to more government data.

"It's always valuable to get together," he said. "The power of many collaborating on indicators is far better than one company trying to figure it out."

Looking beyond the IOCs

The indicators in the report are of very limited practical use, agreed Rebekah Brown, threat intelligence lead at Rapid7.

"Some of the IOCs were clearly bad, and should not be used for alerting or blocking," she added. "It is important to vet the lists before utilizing the intelligence."

That might improve in future reports, she added.

"I do think that the government learned from the feedback about the IOCs, and the next report they release will likely have more indicators that defenders can easily utilize," she said.

Where the report could be most useful to security professionals is in the information about the goals, motivations and targets of the Russian attackers.

"CISOs can use this information to identify if their organization would fit into the model that the report describes," she said.

Time to get proactive

The report also demonstrated that the U.S. is playing defense when it comes to cyberattacks, and needs to get more organized.

The interesting thing about the hacking of the U.S. Democratic National Committee is the delay in detecting and responding to the breach, said Rick Orloff, CSO and Chief Privacy Officer at Minneapolis-based Code 42 Software Inc.

"This wasn't sufficiently prioritized and resourced," he said. "We have a very talented set of organizations capable of excellent intelligence gathering, but they have been partially tied down and restricted from using all of their skills. We have an enormous amount of resources that we don’t permit our intelligence organizations to leverage to the best of their abilities."

The U.S. needs to not only improve its defensive tactics and tools but also focus on offensive capabilities, signals intelligence, and cooperation from other governments, he said.

Copyright © 2017 IDG Communications, Inc.
