Can the institution comply with CISA requirements?


Federal agencies (at least some) affected by SolarWinds’ cybersecurity blunder are entering a new deadline. A few days ago, Cybersecurity and Infrastructure Security Agency policy gave them until the end of the month to complete forensic analysis and enhance their systems. Michael Hamilton asks if this is possible, as he said on Federal Drive with Tom Temin. He is a former Vice Chairman of the DHS Coordinating Council and is currently Chief Information Security Officer of CI Security.

Tom Temin: Michael, I’m glad I came back.

Michael Hamilton: Tom, I’m glad to talk again.

Tom Temin: Therefore, reading the guidance, it seems that government agencies are already performing forensics on the system. What does that mean? And do you think they have the ability to conduct forensics, as CISA suggests?

Michael Hamilton: I don’t think it can be expanded wide enough to actually perform forensics on the number of assets we are talking about. As you know, if there are a small number, perhaps half a dozen federal agencies involved, it can be a system of tens of thousands. In addition, the actual forensic examination takes time and requires human resources that are in very short supply. So I hesitate to believe that they have already done a complete forensic analysis of that many assets. That is impossible.

Tom Temin: This is because the guidance states that the agency that ran the affected version (version 3 guidance released last week) needs to perform forensic analysis. Start with the institution that ran the affected version to perform the forensic analysis. How about the support of the contractor? But can it be used to help them get over it?

Michael Hamilton: It’s a little difficult right now, isn’t it? As you know, CI Security does this kind of work. And the phone is ringing more than ever to respond to an incident. And our resources are expanding. We had to seek help from another company. So I know that this feature, which was always lacking, is now quite a burden. Therefore, the federal government will inevitably need to contact the contractor. Perhaps the NSA or federal law enforcement agencies have the resources to do this kind of thing, but they didn’t require it to be created on a large scale through all computers. This is primarily for law enforcement and very specific crime investigations. What they could do is do a full forensic workup on the server that housed SolarWinds and Orion. This is different from going out and performing forensics on all your assets. This is basically stated in the guidance. So I think I’m a little confused about what they’re talking about.

Tom Temin: And if they can do that, what are they looking for in this analysis?

Michael Hamilton: I’ve acknowledged. Well, there are indicators they have released. Therefore, if there is a compromised binary, they know what the cryptographic hash of that binary is. That is, you have a file on disk and run it through a hash algorithm. And if the hash is the same as what they distributed, you know you have the bad ones. There is also forensics, where you can see any registry changes that occur, user-added communications to specific command and control sites, etc., depending on the degree of monitoring. All of these are very time consuming. Again, the Orion server has the potential to do that, probably not so much. But when they say, as you know, you need to strengthen all your systems and do forensic medicine for them all. Language, I think our lexicon is a bit confused here. What they mean is that I think these indicators are here. And I want you to go looking for these indicators. And some of these have nothing to do with SolarWinds and Orion servers. These relate to how to use the Security Assertion Markup Language to obtain credentials such as bypassing multi-factor authentication. So it’s not just SolarWinds and Orion. It is other systems that may have been compromised in order to use other techniques. And they want to create a forensic image of all digital media and look at all the indicators of whether it is being compromised, unlike running it in the actual forensic process. To see everything that happened. It’s very, very time consuming. Again, I don’t think it can be expanded due to lack of resources.

Tom Temin: I’m talking to Michael Hamilton, Chief Information Security Officer at CI Security, a former CISO in Seattle. And is it practical or possible, or very long ago, to simply roll back the system before breaching and use those versions to do some type of recovery point-in-time exercise and start over from there? Did it happen to you? How to do it at this point?

Michael Hamilton: Well, for some systems, definitely software, they’ve already done that. You’ve rolled back to a version that you know isn’t compromised, so you can wait for SolarWinds to be released in a new, non-compromised version. So I think that’s what they rolled back. It doesn’t make much sense in terms of rolling back the operating system, Windows 10, or whatever they are using. This is because rolling back introduces a patched vulnerability. So I think of in-scope applications. Yeah, that’s true. Not so many for operating systems.

Tom Temin: And what about other advice coming from CISA here? There are many decision trees from CISA on issues such as the necessary enhancements, rebuilding or upgrading. How do you feel about whether the agency is still working on this task?

Michael Hamilton: I think this is easy as some of the curing they can do can be automated. Therefore, you can deploy the configuration from a single point to all systems. And it’s much easier than disassembling all the discs with a toothpick and Q-Tip. So from a strengthening perspective, and the guidelines they have published, I think it’s pretty simple. Therefore, the IT organizations of these federal agencies are probably already trying to do that.

Tom Temin: And is this the kind of thing the CDM should have caught, or do the Einstein 3 program and all of these seem to overlook SolarWinds updates?

Michael Hamilton: In short, getting a network-based discovery was very difficult because it’s an approved update from the actual vendor. And it looked exactly like all the other updates that came in. As you know, they were jeopardizing the cryptographic authentication of the software itself. So it all checked out. And it is not clear that Einstein would have been able to see it. Well, then, as you know, when the malware lands, a beacon will come out. And you have to say, “I’m here, what do you want me to do?” Einstein should have seen them. But, in my understanding, they use the US domestic system for command and control. If you’re using AWS for command and control, you can’t block it. Because everything uses AWS. In short, AWS, Azure, and Google Cloud all make it very difficult to detect command-and-control communications for espionage and organized crime. Whereas I’m using Salesforce. In other words, they look almost the same. In short, Einstein is a good network-based detection system. I think some of the tactics used here are specially designed to avoid it.

Tom Temin: Indeed, it came from the supply chain. Do you think the little-developed CMMC program is the ultimate answer to this type of threat?

Michael Hamilton: Wow, I have a bucket of fish! Ultimately, I do. In today’s incarnation, I don’t think they’re still serious enough about going out and actually auditing the organization to make sure it’s in compliance. It’s still a lot of self-esteem. So we’re just going to have to look.

Tom Temin: I’ve acknowledged. But let’s hear this. So what’s the bigger lesson of all these when overcoming an emergency?

Michael Hamilton: Now, the bigger lesson is this: everyone needs to, everyone, every company, every government organization needs to show everyone a security paper before you do business. There is. And I’m not just worried about you, I’m also worried about my business partner, your other business partners. You raised CMMC, this will evolve as they become more and more serious about this. And they will start to get much, much more noisy about what kind of inspection you do to your business partner.

Tom Temin: And with clothes like SolarWinds already deeply involved and trusted for some time, do you think you can continue to be a trusted partner for the government?

Michael Hamilton: Well, frankly, I think the fate of SolarWinds is now in the air. I’ve heard that the SEC is against SolarWinds. Because they didn’t report what they should have as a known risk. Executives are part of a class proceeding filed by shareholders. And we’re going to consider management’s negligence allegations, which would be pretty ugly. And I think it’s all about making decisions about whether SolarWinds will continue to be a federal partner. That said, their software is great. So their network management is the best. So you need to consider both of these.

Tom Temin: I think every cybersecurity vendor is considering its own supply chain. Currently, our practices are not very self-righteous.

Michael Hamilton: Yeah, that’s right. Everyone is scared. It’s a fair statement.

Tom Temin: Michael Hamilton is CI Security’s Chief Information Security Officer and former Seattle Chief Information Security Officer. As always, thank you for joining me.

Michael Hamilton: Tom, I’m sure. Really enjoy talking to you.
