I've had 3 calls so far today (it's not even 10) about defending against Russian cyber ops. I'm tired of having the same call... so... here's what I've told everyone. This is the playbook you need... but it's not going to be what you think it will be. Ready? Let's go! 1
Watch your egress. Firewalls work both ways. Carefully monitor outbound traffic. DMZ servers RESPOND to external requests. Look for DMZ systems initiating outbound. This is what "phoning home" (aka C2) looks like. 2
Note: you will have a handful of DMZ servers initiating outbound. File xfer systems, any mail server (you likely shouldn't be running your own). Some web services may also initiate outbound. But it's rare. Most orgs? Your exception list will fit on a single sheet of paper. 3
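The egress check described in the two posts above, as an added example that is not part of the original thread: it runs over constructed firewall log lines and flags DMZ hosts that initiate outbound connections, skipping the short exception list the author mentions. The DMZ subnet, internal ranges, log format and exception entries are all assumptions.

```python
"""Flag DMZ hosts that initiate outbound connections (constructed example)."""
import ipaddress
import re
from typing import NamedTuple

# Constructed sample firewall log lines (key=value style). src is the
# connection initiator, which is how a stateful firewall records a flow.
SAMPLE_LOG = """\
2022-02-23T09:12:01Z fw1 conn src=203.0.113.50 dst=10.10.1.20 dport=443 action=allow
2022-02-23T09:12:05Z fw1 conn src=10.10.1.20 dst=203.0.113.50 dport=443 action=allow
2022-02-23T09:13:11Z fw1 conn src=10.10.1.25 dst=198.51.100.9 dport=25 action=allow
2022-02-23T09:14:42Z fw1 conn src=10.10.1.20 dst=198.51.100.77 dport=8443 action=allow
2022-02-23T09:15:03Z fw1 conn src=10.10.1.30 dst=10.10.5.5 dport=1433 action=allow
2022-02-23T09:16:30Z fw1 conn src=10.10.1.20 dst=192.0.2.200 dport=53 action=deny
"""

# Assumed network layout: one DMZ subnet plus the org's internal ranges.
DMZ_NETS = [ipaddress.ip_network("10.10.1.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The "single sheet of paper" exception list: (host, dport) allowed outbound.
EXCEPTIONS = {("10.10.1.25", 25)}  # assumed mail relay, may send SMTP out

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


class Finding(NamedTuple):
    src: str
    dst: str
    dport: int
    action: str


def in_any(addr, nets):
    return any(addr in n for n in nets)


def find_dmz_egress(log_text, dmz_nets=DMZ_NETS, internal_nets=INTERNAL_NETS,
                    exceptions=EXCEPTIONS):
    """Return flows a DMZ host initiated toward a non-internal address, minus
    the documented exceptions. Denied attempts are kept on purpose: a blocked
    callback still means something on that host tried to phone home."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m[1], m[2], int(m[3]), m[4]
        if not in_any(ipaddress.ip_address(src), dmz_nets):
            continue  # initiator is not a DMZ host (e.g. inbound request)
        if in_any(ipaddress.ip_address(dst), internal_nets):
            continue  # east-west traffic, out of scope for this check
        if (src, dport) in exceptions:
            continue  # known-good, e.g. outbound SMTP from the relay
        findings.append(Finding(src, dst, dport, action))
    return findings


if __name__ == "__main__":
    for f in find_dmz_egress(SAMPLE_LOG):
        print(f"DMZ host {f.src} initiated outbound to {f.dst}:{f.dport} ({f.action})")
```

With the sample above, the three flows from 10.10.1.20 are reported while the mail relay's SMTP and the internal-only flow are not.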
Don't get too hung up on IP address blocks. Geo blocking has some advantages, but the only time Russian groups come from Russian IP space is when they want to rub it in. Start treating the entire internet as hostile... because it is. 4
You 100% must know what is "normal" exes on your systems. App control (used to be called whitelisting) is no longer a "nice to have"; it's IMO table stakes. Anyone who claims otherwise is giving dated & dangerous advice. 5
If building an app control list sounds hard, you're doing it wrongly. Use native logging functions to know the apps that are running on systems. If you don't have an EDR, etc., Windows SRUM is my go-to. It has a 30 day rolling view of EVERY exe run. Use that. Please. 6
I'd suggest you use @MarkBaggett's SRUM Dump utility or ESE tools. For single hosts: github.com/MarkBaggett/srum-… For multiple hosts: github.com/MarkBaggett/ese-a… 7
For knowing normal app use on Linux hosts, use auditd or Sysmon for Linux. (again... if you don't have a fancy EDR or something that can track this info) Auditd: access.redhat.com/documentat… (this info will work even if you're not RH/RPM based) 8
Replying to @bettersafetynet
Please turn on SELinux. Please. Please. Please. At the very least in "Permissive" mode. archive.org/details/HalSELin…

Feb 23, 2022 · 4:15 PM UTC

Replying to @hal_pomeranz
Like all things in life, it can be related to the Spice Girls. In their smash hit Wannabe (if you wanna be my lover): "if you wanna be my lover, you gotta setenforce 1" (at least that's how the original cut went before it got workshopped to death)