At a glance.
- CISA's grant intended to develop cyber talent.
- State governments as security models for US Federal agencies.
- A call for better cybersecurity metrics.
- An international effort takes down REvil.
CISA puts $2 million toward honing cybersecurity talent in nontraditional communities.
The Cybersecurity and Infrastructure Security Agency has announced it is awarding $2 million to two organizations, NPower and CyberWarrior, to support their cybersecurity training programs for diverse populations. The award is part of CISA’s initiative to find new talent in underserved communities. CISA Director Jen Easterly explained “Addressing the cyber workforce shortage requires us to proactively seek out, find, and foster prospective talent from nontraditional places...We’re best positioned to solve the cyber challenges facing our nation when we have a diverse range of thought bringing every perspective to the problem.” For a three-year pilot program, CyberWarrior and NPower will establish a 28-week cybersecurity bootcamp aimed at creating a cybersecurity pathways retention strategy, offering entry-level cybersecurity preparation, providing apprenticeships that allow firsthand experience, and alleviating the cybersecurity workforce shortage. The announcement is concurrent with the third week of CISA’s Cybersecurity Summit, themed “Team Awesome: The Cyber Workforce.”
US CISO looks for positive models in state and local government.
At this week’s Michigan Cyber Summit, US federal chief information security officer Chris DeRusha stated that the federal government should look to state governments for guidance. As StateScoop reports, prior to his current role, DeRusha served as chief security officer for the state of Michigan from 2018 to 2020, and in his remarks he referenced several of the programs he worked on during his term, saying they should serve as examples of what the federal government can accomplish, and he referred to the Michigan State Police’s cyber crime unit as “one of the most sophisticated” units of its kind. As the Federal CISO, DeRusha will be tasked with implementing US President Biden’s executive order, issued in May, which establishes breach reporting mandates and cybersecurity standards for federal contractors, and expands cybersecurity logging protocols for federal agencies.
US CSC recommends metrics for assessing cybersecurity progress.
As Just Security explains, the US Cyberspace Solarium Commission (CSC) has proposed the establishment of a Bureau of Cybersecurity Statistics (BCS), a statistical agency with the role of collecting and analyzing data related to US cybersecurity efforts. In August, the CSC published its 2021 Annual Report on Implementation, which detailed how the recommendations of the initial March 2020 report had been implemented thus far. However, without clear metrics, it’s difficult to measure how fruitful these endeavors have been. The goal of the BCS would be to establish such metrics in order to better assess the success of security policies. The bipartisan Defense of United States Infrastructure Act also recommends the creation of a BCS as part of its efforts.
Law enforcement takes a piece out of REvil.
Reuters reported late yesterday that REvil's difficulties in reestablishing itself, including its loss of keys and loss of control over its servers, were due to a concerted effort by law enforcement, intelligence, and military agencies, with the cooperation of private security companies, to knock the gang offline.
One feature of the operation appears to have been the compromise of REvil's backups, an aspect of the operation some who commented found ironic, given the attention ransomware gangs try to pay to backups. A representative of the US National Security Council would say only, Computing reports, that there had been "a whole of government ransomware effort, including disruption of ransomware infrastructure and actors."
So the operation was "whole of government," which implies both civilian and military agencies and organizations, but it was also an allied action: the operation was international, with participation by other unspecified but "like-minded countries." Thus an international consensus against ransomware gangs may be showing practical results.
Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct, hopes the operation against REvil sets a precedent, and that it will have a deterrent effect against other gangs:
"Up until today, there were a lot of unknowns and speculations around what likely happened to take REvil offline earlier this week. Since REvil’s reappearance in September, it had been reported they’ve had difficulties gaining new affiliates. Because of this, they’ve raised their commissions (upwards to 90%) in hopes to entice new affiliates and new recruits to their RaaS offerings. This story started earlier this week when it had been reported that messages were left by REvil member '0_neday' explaining that somebody hijacked their domains and credentials for their payment and data leak blog sites, had set a trap for him, and he was done and leaving. A malware researcher reported later that the REvil domain was accessed again later in the day using the key belonging to the REvil member 'Unknown,' who has been missing since July and some thought was possibly deceased. That was until today--the speculation is over. It was revealed that US officials reportedly worked with the private sector and other unnamed countries to disrupt and take over REvil's operations to shut them down for good.
"We have seen this type of involvement from the U.S. government before. The Colonial pipeline response and disclosure that the bitcoin ransom was paid in the attack had been partially recovered due to the U.S. government involvement. The next example would be the media coverage around the arrest of two ransomware suspects apprehended in Ukraine with the assistance of the U.S. government during a multicountry and law enforcement joint effort to take down these ransomware gang members and to seize financial, physical, and virtual assets.
"The hope is that the actions the U.S. government has taken against these ransomware criminal gangs will set a precedent for other countries and the gangs themselves that governments will no longer stand by idly and allow these 21st century cyber mafia gangs to operate without impunity. Hopefully a clear message is being sent that running a ransomware business is not worth the risks any longer. With REvil being taken off-line, this can definitely be counted as a benefit for those in the cybersecurity defense area. The one thing to note here is there are plenty of other ransomware criminal gangs ready to step in and take back over the areas vacated by REvil. We can only hope that this government assisted shutdown will have a negative impact on the operations of the other gangs due to fear of it happening to them as well."
The operation does seem to have spooked at least one prominent criminal competitor of REvil, namely DarkSide. Security firm Profero told the Record that DarkSide early this morning began shifting assets of around 107 Bitcoin (approximately $6.8 million) into other, smaller alt-coin wallets. Omri Segev Moyal, CEO and co-founder of Profero, told the Record, “Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks. At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38BTC) is stored in the following wallet.”
It's worth emphasizing that, whatever industry's involvement was (and apparently at least three firms contributed), the effort was duly organized and led by government organizations. We heard from Doug Lubahn, Vice President of Threat Intelligence at BlackFog, who cautions the private sector against getting too frisky too soon against ransomware gangs:
"Under the Computer Fraud and Abuse Act of 1986, the private sector is 'prohibited from unauthorized access of computer systems.' This puts all offensive cyber activities in the hands of the government. Sometimes this is worked around by civilians acting as hackers and buyers of dark web offerings, using that information to lead to identifying the cybercriminal, then directly confronting the hackers. This practice is very risky and can lead to very bad final outcomes. In today’s high-profile, high-dollar ransomware attacks, there is often a connotation of state-sponsored involvement, and any proactive private sector 'hack back' can lead to further attacks by the nation-states. There is also the risk of a private sector cyber action causing significant damage to an ongoing cyber investigation. At this point in time in our cyber realm, it is still best to work with your local FBI or State Police cyber team or your area Infragard Team and report your cyber attacks as soon as you can. The most important thing is for the private sector to establish a relationship with area cyber investigators and then report any incidents or suspicious attacks ASAP. I am not aware of any 'formal' U.S. sponsored hack back attacks. However, just as an FYI, there was a bill introduced in June this year to authorize the study of amending the 1986 Computer Fraud & Abuse law and allow DHS to study the feasibility of allowing US government agencies 'to take proportional actions against hackers/attackers.' The bill has not made it to committee yet.”
Steve Moore, chief security strategist at Exabeam, wrote to point out what he considered some interesting points about the operation against REvil:
“There are a couple of interesting themes in this event. The first is time. Second, this incident illustrates the complexity and difficulty of coordinating a criminal group takedown. Offensive talents ranging from cybersecurity intelligence to traditional police work, specifically, those with arrest powers were used. Finally, the timing must be perfect; remember, many criticized the FBI for not releasing the decryption keys sooner; I attribute this back to timing - not tip their hand to the adversary.
"As described by those close to the situation, the most recent actions are that two people had the keys to enable Tor hidden services. Did REvil have an OpSec failure that allowed one of these two leaders to be arrested? Was something accidentally shared that connected the investigative team to the real identities of the criminals? Did this accident enable the infrastructure takedown we’ve witnessed? Hopefully, this will all be shared one day soon.”