Moscow Rules for Cybersecurity

I believe I grew up on a different planet. "The world has changed" can only be an understatement. The world I grew up in was simpler and somewhat more elegant. For one thing the enemy was clear, the Russians. We were the good guys and they were the bad guys. We were blue, they were red. We were Rocky Balboa, they were Ivan Drago.


The world today is very different, the enemy is within, anyone we shared the bus or the subway with on our way to work yesterday can be the enemy.
Anyone can purchase a gun and kill innocents. Anyone can attack us. We have seen that even being a cartoonist in the most romantic city of the world doesn't keep you safe from harm. The enemy is within and we should start thinking and acting accordingly.

This is not something new for us as this paranoid way of looking at things was already, and quite understandably, spreading amongst IT security professionals.
We, the people trying to keep IT infrastructure safe, know that the moment you connect something to the Internet it is in hostile territory. We know that attacks start pouring in by the dozens, if not hundreds, from all across the globe.

The “Moscow Rules” were never officially published but they seem like a reasonable set of behaviors that would help an operative stay alive in hostile territory. Looking at the way things have turned online I believe it’s a good time to remember these and adapt them to our approach to cyber security.

There are several "versions" of the Moscow Rules circulating on the internet and, unless Snowden has them in one of his files, I doubt we will ever have confirmation of whether these rules even existed. The International Spy Museum in Washington D.C. has published the following list as the "Moscow Rules". If you ever find the opportunity to visit this museum you can also see the Alienware laptop Th3j35t3r used between 2010 and 2013 (http://www.jesterscourt.cc/2013/07/04/tinker-tailor-soldier-hacker/).

The “Moscow Rules” according to the International Spy Museum:
1. Assume nothing.
2. Never go against your gut.
3. Everyone is potentially under opposition control.
4. Don't look back; you are never completely alone.
5. Go with the flow, blend in.
6. Vary your pattern and stay within your cover.
7. Lull them into a sense of complacency.
8. Don't harass the opposition.
9. Pick the time and place for action.
10. Keep your options open.

Imminent Threat Solutions has also compiled a more comprehensive list of “Moscow Rules”, please visit http://www.itstactical.com/intellicom/tradecraft/the-moscow-rules-cold-war-directives-for-tradecraft-and-espionage/ and remember to stop by their shop for great gear.

The Cybersecurity Moscow Rules
Some of the rules on these lists are not only applicable in the field of information security but also form a good set of rules of thumb. Here's my "cybersecurity" take on the Moscow Rules.

1. Assume nothing.
Never assume your firewall is properly configured, never assume you have changed the default credentials on the new IPS/IDS, never assume the users will notice that phishing mail, never assume everyone keeps their passwords to themselves, never assume you didn't leave a password hash on a server on the DMZ network. Assume nothing and check everything. Penetration tests, or even simple checks you can conduct yourself, will show you the false assumptions you have made.

2. Never go against your gut.
If something doesn't feel right, there's a chance it isn't. I believe we don't have the luxury of basing our information security stance on "gut feelings", so I'll suggest that you base your "gut" on trends and baselines. Know how much bandwidth you normally use, and at what hours, so that you can notice when something is wrong. Know how, when and from where legitimate users access your network and systems, for the same reason. Gut feeling in information security should be data: collect it and use it.
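Here is what "base your gut on data" looks like in practice, as an added example that is not part of the original post. The bandwidth figures are constructed: five normal days are used to build a per-hour baseline, and a sixth day is checked against it. The 03:00 burst it flags is exactly the kind of thing that only a baseline, not a feeling, will catch.

```python
"""Rule 2 as code: build a per-hour baseline from known-good days and flag
samples that deviate from it. Added example; the data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_samples():
    """Constructed hourly transfer volumes as (day, hour, megabytes).

    Days 1-5 are a normal week: busy 09:00-18:00, quiet at night, with a little
    deterministic jitter. Day 6 is the day under review and contains one
    unexplained 03:00 burst.
    """
    samples = []
    for day in range(1, 7):
        for hour in range(24):
            base = 800 if 9 <= hour <= 18 else 40
            jitter = (day * 7 + hour * 3) % 50 if day <= 5 else 25
            mb = 900 if (day, hour) == (6, 3) else base + jitter
            samples.append((day, hour, mb))
    return samples


def build_baseline(samples, training_days):
    """Return {hour: (mean_mb, stddev_mb)} computed from the training days only."""
    by_hour = defaultdict(list)
    for day, hour, mb in samples:
        if day in training_days:
            by_hour[hour].append(mb)
    return {hour: (mean(v), pstdev(v)) for hour, v in by_hour.items()}


def find_anomalies(samples, baseline, check_days, threshold=3.0, min_sigma=5.0):
    """Return (day, hour, mb, z) for samples more than `threshold` standard
    deviations away from that hour's baseline. `min_sigma` stops a perfectly
    flat training set from turning a 1 MB wobble into an alert."""
    hits = []
    for day, hour, mb in samples:
        if day not in check_days:
            continue
        mu, sigma = baseline[hour]
        z = (mb - mu) / max(sigma, min_sigma)
        if abs(z) > threshold:
            hits.append((day, hour, mb, round(z, 1)))
    return hits


if __name__ == "__main__":
    data = constructed_samples()
    baseline = build_baseline(data, training_days={1, 2, 3, 4, 5})
    for day, hour, mb, z in find_anomalies(data, baseline, check_days={6}):
        print(f"day {day} {hour:02d}:00 -> {mb} MB (z={z}), "
              f"baseline {baseline[hour][0]:.0f} MB")
```

The per-hour split matters: a flat daily average would hide a night-time exfiltration inside the noise of office hours. Swap the constructed tuples for your own flow or interface counters and keep the training window to days you have actually reviewed.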

3. Everyone is potentially under opposition control.
Assume that any system on your network can be compromised, just like any user account. Plan your network topology and configure your security devices accordingly. By doing so you'll be able to contain any malware epidemic and, if you are into that sort of thing, break the cyber kill chain, because segmentation limits the movement of attackers within your network.

4. Don't look back; you are never completely alone.
If you think no one has attacked you, scanned your IP addresses or tried a SQL injection on your website, you are wrong. It simply means you didn't notice and, worse, you don't have the necessary systems in place to notice such attacks. You should be able to identify these attempts so that you can recognize a successful one. You are never alone; if you think you are, it's time to do something.
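To show what "noticing" means, here is an added example, not from the original post, that runs two simple checks over constructed web server log lines (combined log format, RFC 5737 test addresses): one client that probes for files that do not exist, and one that tries SQL injection on a parameter. The signature list is deliberately small and is an assumption of the example, not a recommended ruleset.

```python
"""Rule 4 as code: scan web server access logs for the attempts you 'never
got'. Added example; the log lines are constructed (RFC 5737 test addresses)."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format is assumed; only the fields used are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Deliberately small signature set for the example; a real deployment would
# use a maintained ruleset (WAF or IDS feed) rather than four regexes.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I), "quote-or-equals"),
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "union-select"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I), "time-based"),
    (re.compile(r"'\s*(--|#)"), "comment-terminator"),
]

# Constructed sample: one ordinary visitor, one scanner, one injection attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2015:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2015:09:12:05 +0000] "GET /products?id=3 HTTP/1.1" 200 2210
198.51.100.23 - - [10/Feb/2015:09:13:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.23 - - [10/Feb/2015:09:13:10 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.23 - - [10/Feb/2015:09:13:11 +0000] "GET /admin/ HTTP/1.1" 404 210
198.51.100.23 - - [10/Feb/2015:09:13:11 +0000] "GET /.git/config HTTP/1.1" 404 210
198.51.100.23 - - [10/Feb/2015:09:13:12 +0000] "GET /backup.zip HTTP/1.1" 404 210
192.0.2.66 - - [10/Feb/2015:09:14:30 +0000] "GET /products?id=3%27%20or%20%271%27=%271 HTTP/1.1" 200 98000
192.0.2.66 - - [10/Feb/2015:09:14:41 +0000] "GET /products?id=3%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 310
"""


def parse(log_text):
    """Yield dicts for lines that match the expected format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = unquote(rec["path"])  # decode %27 etc. before matching
            yield rec


def find_scanners(records, min_404=5):
    """Clients that asked for many files that do not exist: directory/vuln scans."""
    misses = Counter(r["ip"] for r in records if r["status"] == 404)
    return {ip: n for ip, n in misses.items() if n >= min_404}


def find_sqli(records):
    """Requests whose decoded path matches an injection signature. The status is
    kept on purpose: a 200 with an unusual response size is the 'successful
    attack' to chase, while a 500 is usually a failed probe."""
    hits = []
    for r in records:
        for pattern, name in SQLI_PATTERNS:
            if pattern.search(r["path"]):
                hits.append((r["ip"], name, r["status"], r["path"]))
                break
    return hits


def analyze(log_text):
    records = list(parse(log_text))
    return {"scanners": find_scanners(records), "sqli": find_sqli(records)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["scanners"].items():
        print(f"scan: {ip} produced {n} 404s")
    for ip, name, status, path in report["sqli"]:
        print(f"sqli ({name}) from {ip} -> HTTP {status}: {path}")
```

Note that the first injection attempt came back with a 200 and a much larger response than the legitimate request for the same page; that is the line an analyst should look at first, because it is the attempt that may have worked.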

5. Go with the flow, blend in.
Blend in; to do so you must know what to blend into. Set up the basic requirements for all systems connected to your network and make every system meet them. Make sure all computers have antivirus software that is updated regularly and are patched, make sure no default user accounts are left on network and security equipment, make sure users use strong passwords, and make sure everyone and everything "blends in".

6. Vary your pattern and stay within your cover.
First, have a pattern. Put in place several routine controls, such as comparing the list of published vulnerabilities to your systems inventory. Regularly check shared files on your network, monitor bandwidth usage and create a routine for all security controls. Once you have put your "cover" in place, vary the frequency and intensity of these controls.
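The inventory-versus-advisories control mentioned above, as an added example that is not part of the original post. Both the inventory and the advisory feed are constructed (the "ADV-2015-00x" identifiers are placeholders, not real CVEs); the point is the version comparison, which has to handle suffixes like OpenSSL's "1.0.1f" without treating them as strings.

```python
"""Rule 6 as code: one of the routine controls, comparing published
vulnerabilities to the systems inventory. Added example; the inventory and the
advisories (IDs like ADV-2015-001) are constructed, not real CVEs."""
import re

# Constructed inventory: what is deployed where, with exact versions.
INVENTORY = [
    {"host": "web-01", "product": "apache-httpd", "version": "2.4.10"},
    {"host": "web-02", "product": "apache-httpd", "version": "2.4.12"},
    {"host": "db-01", "product": "mysql", "version": "5.6.20"},
    {"host": "vpn-01", "product": "openssl", "version": "1.0.1f"},
]

# Constructed advisory feed: the affected range is [introduced, fixed_in).
ADVISORIES = [
    {"id": "ADV-2015-001", "product": "apache-httpd",
     "introduced": "2.4.0", "fixed_in": "2.4.12", "severity": "high"},
    {"id": "ADV-2015-002", "product": "openssl",
     "introduced": "1.0.1", "fixed_in": "1.0.1g", "severity": "critical"},
    {"id": "ADV-2015-003", "product": "mysql",
     "introduced": "5.7.0", "fixed_in": "5.7.3", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version):
    """Turn '1.0.1f' into a tuple that sorts the way release numbering does:
    numeric parts compare as integers, a letter suffix sorts after the same
    number (1.0.1 < 1.0.1f < 1.0.1g < 1.0.2). Tagging each part with 0/1
    keeps ints and strs from ever being compared with each other."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def is_affected(version, advisory):
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed_in"])


def match_advisories(inventory, advisories):
    """Return (host, advisory id, severity) for every vulnerable install,
    most severe first, so the list doubles as a patching order."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] == item["product"] and is_affected(item["version"], adv):
                findings.append((item["host"], adv["id"], adv["severity"]))
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f[2], 99), f[0]))
    return findings


if __name__ == "__main__":
    for host, adv_id, severity in match_advisories(INVENTORY, ADVISORIES):
        print(f"{severity:8s} {host:8s} {adv_id}")
```

Run it on a schedule, but, in the spirit of the rule, not the same schedule every week, and feed it an inventory you actually trust (see rule 1). A control like this is only as good as the inventory behind it; an unlisted host is an unpatched host.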

7. Lull them into a sense of complacency.
Complacency is dangerous enough for everyone but can be deadly for people working in the field of information security. Not only you but every computer user and every employee should be alert and careful. Attackers rarely go after your firewall directly; instead they go after users, trying to convince them to click a link or download a file. Complacency in any department of the company, or even in a single person, can result in a company-wide security breach. Make sure all employees are alert and cautious.

8. Don't harass the opposition.
Probably the most difficult part of our jobs. We need to make sure everyone can benefit from technology thus increasing the productivity of the company. We should take all precautions yet enable employees to work effectively.

9. Pick the time and place for action.
Collect logs so that you can pick up the time and place of all critical actions (events). Know when the failed login attempts happened, know that the backup process finished successfully at 02:00, know that the credentials of a terminated employee have been used to access a database. Prepare a list of critical events to pick up; the SANS Institute has published a list of 6 critical log areas (http://www.sans.edu/research/security-laboratory/article/6toplogs) that you can use as a guideline.
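The three events named above, turned into checks, as an added example that is not part of the original post. The log lines use a simple "timestamp host program: message" layout and the HR termination list is constructed; both are assumptions of the example. Each check answers one question: did one source hammer one account, did a terminated account log in after its last day, and did the backup job actually report a result.

```python
"""Rule 9 as code: pick the time and place of critical events out of collected
logs. Added example; the log lines and the HR termination list are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in a simple "<timestamp> <host> <program>: <message>" layout.
SAMPLE_LOG = """\
2015-02-10T02:00:14 backup-01 backup: job nightly-db finished status=OK
2015-02-10T08:01:02 vpn-01 sshd: Failed password for alice from 203.0.113.5
2015-02-10T08:01:09 vpn-01 sshd: Accepted password for alice from 203.0.113.5
2015-02-10T08:30:00 vpn-01 sshd: Failed password for root from 198.51.100.9
2015-02-10T08:30:03 vpn-01 sshd: Failed password for root from 198.51.100.9
2015-02-10T08:30:05 vpn-01 sshd: Failed password for root from 198.51.100.9
2015-02-10T08:30:08 vpn-01 sshd: Failed password for root from 198.51.100.9
2015-02-10T08:30:11 vpn-01 sshd: Failed password for root from 198.51.100.9
2015-02-10T22:15:40 db-01 mysql: Accepted login for bob from 10.0.0.45
"""

# Constructed HR feed: account -> last working day.
TERMINATED = {"bob": datetime(2015, 1, 31)}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
BACKUP_RE = re.compile(r"^job (?P<job>\S+) finished status=(?P<status>\S+)")


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown layout: skip here, but count these in real life
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """(user, ip, count) where one source failed `threshold` or more times
    against one account inside `window`: a password-guessing signature."""
    failures = defaultdict(list)
    for ev in events:
        m = AUTH_RE.match(ev["msg"])
        if m and m["result"] == "Failed":
            failures[(m["user"], m["ip"])].append(ev["ts"])
    bursts = []
    for (user, ip), times in failures.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= threshold:
            bursts.append((user, ip, best))
    return bursts


def terminated_account_use(events, terminated):
    """Successful logins by accounts that HR says should no longer exist."""
    hits = []
    for ev in events:
        m = AUTH_RE.match(ev["msg"])
        if m and m["result"] == "Accepted":
            last_day = terminated.get(m["user"])
            if last_day is not None and ev["ts"] > last_day:
                hits.append((m["user"], ev["host"], ev["ts"].isoformat()))
    return hits


def backup_status(events, job):
    """'OK', the reported failure status, or 'MISSING' if the job never logged
    a result. Silence is the failure mode backups usually have, so the absence
    of a line is treated as a finding rather than as good news."""
    for ev in events:
        m = BACKUP_RE.match(ev["msg"])
        if m and m["job"] == job:
            return m["status"]
    return "MISSING"


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("bursts:", failed_login_bursts(evs))
    print("terminated-account logins:", terminated_account_use(evs, TERMINATED))
    print("nightly-db backup:", backup_status(evs, "nightly-db"))
```

The terminated-account check only works if the HR feed reaches the people reading the logs; that join between two data sources is the part most organisations do not have, and it is worth more than any single signature.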

10. Keep your options open.
Contingency plans are your friend. Be sure to back up regularly, test that the backups can actually be restored, and keep the plans themselves up to date.

Remember: the Internet is hostile territory; act accordingly. The enemy is everywhere and, yes, they are after you.
