Cyber Threat Report: 'SVR cyber actors adapt tactics for initial cloud access'

This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors associated with the SVR (Russian intelligence services). Specifically, the NCSC link the activity to the intrusion set aliases Midnight Blizzard, the Dukes and Cozy Bear. The advisory details the modernisation of the actor's TTPs including their ability to target victims' cloud environments.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Password Policies

Set and enforce secure password policies for accounts.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Active Directory Configuration

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.