Since the Opening Ceremony, Sports-ISAO has demonstrated a public-private partnership (PPP) model that has supported government and commercial efforts to defend against cyber threats. Part of the Sports-ISAO effort has been its intelligence crowdsourcing method, which involves vetted university students whom Sports-ISAO previously trained through its partnership with the c-Watch Program.
Sports-ISAO daily reports have been shared with its PPP stakeholders. Analysts have researched the Olympic Destroyer and Gold Dragon cyberattack malware and shared defensive measures and geopolitical considerations about the attack landscape. Defensive measures, especially in preparation for the Closing Ceremony – but also useful to other sport communities and others seeking to learn from the sophisticated attacks occurring in Korea – have been shared with our stakeholders. These defenses were developed by reverse-engineering the Tactics, Techniques, and Procedures (TTP) of the known attacks and by observing the specific functionality of Olympic Destroyer and Gold Dragon. The suggested defensive measures are listed below.
Drawing on the experience gained once again from supporting this international sport event, Sports-ISAO also points out the urgency of using cyber threat intelligence, rapidly exchanging indicators of compromise (IOC) for analysis, and rapidly disseminating defensive measures. This is the role, function, and purpose of information sharing and analysis organizations (ISAO).
Our list of recommended defensive measures, which respond to the TTP of the attacks occurring in Korea, follows. Additionally, Sports-ISAO anticipates new attacks, which would most likely adopt new TTP and malware functionality. Accordingly, preparation for the Closing Ceremony should involve advance coordination with security partners, open lines of communication, and readiness for surge operations.
Suggested Defensive Measures:
- Ensure all rule sets on all network and endpoint security are checked against the TTP and Indicators of Compromise (IOC); check with vendors’ deployments of IOC-specific defensive measures
- Deploy patches for:
  - Adobe Flash
  - Adobe Acrobat
- Harden and remove all non-essential system executables and services:
  - cscript.exe and other script engines
- Disable macros in Microsoft Office
- Use Yara rules to scan for Dynamic Data Exchange (DDE) malware in MS Office documents
- Deploy multi-factor authentication
- Acquire surge bandwidth to absorb DDoS attacks
- Enable deception-based detection on both network and endpoint systems
- Enable DNS firewall or filtering services, e.g. Akamai’s FastDNS
- For Web Application Firewalls: update with all the relevant Yara rules and device configurations pertaining to the IOC
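The DDE scan recommended above can also be run without a Yara engine, and doing so shows what a signature has to handle. The following Python script is an added example, not Sports-ISAO tooling: it opens a .docx, joins the field-code runs of every WordprocessingML part, and flags DDE/DDEAUTO field codes. The two in-memory documents it scans are constructed samples with a placeholder path, not real malware.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # Word accepts mixed case

def field_codes(xml_bytes):
    """Yield each field code in one WordprocessingML part: <w:fldSimple> keeps it in
    w:instr; complex fields spread it over <w:instrText> runs, joined per field."""
    root = ET.fromstring(xml_bytes)
    for simple in root.iter(W + "fldSimple"):
        yield simple.get(W + "instr", "")
    current = None  # instrText runs of the complex field currently open
    for elem in root.iter():
        if elem.tag == W + "fldChar" and elem.get(W + "fldCharType") == "begin":
            current = []
        elif elem.tag == W + "fldChar" and elem.get(W + "fldCharType") == "end":
            if current is not None:
                yield "".join(current)
            current = None
        elif elem.tag == W + "instrText" and current is not None:
            current.append(elem.text or "")

def find_dde_fields(docx_bytes):
    """Return [(part, field code)] for each DDE/DDEAUTO field in any word/*.xml part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():  # headers, footers and footnotes included
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(zf.read(name)):
                    if DDE_FIELD.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits

def build_docx(instr_runs):
    """Constructed minimal .docx with one complex field split over instr_runs."""
    runs = "".join("<w:r><w:instrText>%s</w:instrText></w:r>" % r for r in instr_runs)
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/>'
           '</w:r>%s<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
           % (W[1:-1], runs))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

BENIGN = build_docx(["PAGE"])
# Placeholder path, not a payload; the split across two runs mimics evasive files.
SUSPECT = build_docx(["ddeAU", 'TO C:\\EXAMPLE\\placeholder.exe "arg"'])
```

A scanner that only matches the literal string "DDEAUTO" inside document.xml misses both the split-run case and fields placed in headers or footers, which is why the example walks every part and joins runs per field.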