At a glance.
- Joint Cyber Defense Collaborative fosters trust between private and public sectors.
- CISA’s Cyber Innovation Fellows Initiative brings industry experts into the fold.
- CISA updates KEV catalog.
- US Senate hearing focuses on standardization of incident reporting.
- Joint CISA/FBI Alert: Chinese cyberespionage.
Joint Cyber Defense Collaborative fosters trust between private and public sectors.
During a panel at this week’s RSA Conference, US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly spoke about the Joint Cyber Defense Collaborative (JCDC), recently launched to reexamine how federal agencies work with the private sector to mitigate cyber threats. According to Easterly, the initiative has established a higher level of trust between the public sector and industry partners, the Record by Recorded Future reports. “Trust is built through transparency, responsiveness, humility, gratitude, and everything that says, ‘We want to add value from a government perspective and you from a private sector want to add value, let’s come together and do it collectively for the defense of the nation,’” Easterly stated. Established by CISA in August 2021, the JCDC was one of several recommendations handed down by the Cyberspace Solarium Commission and was signed into law in the fiscal 2021 defense policy bill. The Collaborative already helped guide CISA’s response to the Log4j vulnerability and to Russia’s invasion of Ukraine by relying on an ‘operational collaboration model’ to share real-time information. In April, CISA announced plans to scale up the JCDC to include over a dozen organizations that manufacture, support, and deliver industrial control systems and operational technology (an expansion that will cost about $14.7 million, according to CISA’s 2023 budget request).
CISA’s Cyber Innovation Fellows Initiative brings industry experts into the fold.
CISA yesterday released an overview of its Cyber Innovation Fellows Initiative, a program focused on finding ways to incorporate essential non-federal expertise into agency objectives.
“Every day, CISA works with industry partners across the country to understand risks, exchange information, and mitigate threats. We are launching the Cyber Innovation Fellows to take this partnership to a new level by bringing private sector experts into the agency on a short term, part-time basis to lend their expertise to some of our most critical teams,” the announcement reads. The initiative is designed to create opportunities for industry leaders to work with CISA on a short-term, part-time basis, filling gaps in expertise within different agency teams while also gaining firsthand knowledge of the agency’s mission. CISA aims to hire up to eight Fellows for the first cohort in 2022; assignments will be one to two days per week for a period of up to four months.
CISA updates KEV catalog.
CISA also announced yesterday an update to its Known Exploited Vulnerabilities (KEV) catalog webpage, as well as the FAQs for the Binding Operational Directive (BOD 22-01) that established the KEV catalog. The update details the three criteria a vulnerability must meet before it is added to the catalog. The first is that it has a CVE ID (also called a CVE identifier, CVE record, CVE name, CVE number, or simply CVE), the unique, common identifier assigned by a CVE Numbering Authority (CNA); a flaw without a CVE ID cannot be listed. The second criterion is reliable evidence that the vulnerability is under active exploitation, and the third is that there is a clear remediation action for affected organizations. That action is typically a vendor-supplied update or patch; where none is available, CISA may instead point to a “mitigation,” a temporary fix that prevents exploitation, or a “workaround,” which involves “implementing manual changes to an affected product to protect a vulnerable system from exploitation until the vendor releases a formal security patch.” Organizations are advised to use the KEV catalog as an input to their vulnerability management prioritization frameworks, treating a catalog listing as a stronger signal of urgency than severity score alone.
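A worked illustration of using the catalog the way the update recommends, as an added example rather than anything published by CISA: scanner findings are ranked KEV-first (overdue catalog due dates before upcoming ones), and only then by CVSS score, which is the opposite of the CVSS-only ordering that the Skybox comment later in this digest criticizes. The catalog snippet and the scanner findings below are constructed stand-ins; the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction`, `dueDate`) follow the real KEV JSON feed, but the CVE IDs and records are placeholders, not real catalog entries. The regular expression check enforces the first catalog criterion (a well-formed CVE ID) so that malformed identifiers are surfaced instead of silently failing to match.

```python
"""Prioritise scanner findings against a KEV-style catalog (added example, not CISA code)."""
import re
from datetime import date

# A well-formed CVE identifier: CVE-YYYY-NNNN with four or more sequence digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed stand-in for the KEV JSON feed. Field names mirror the real feed;
# the entries are placeholders and do not describe real vulnerabilities.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2022-10001", "vendorProject": "ExampleRouter", "product": "SOHO Router",
         "dateAdded": "2022-06-01", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-22"},
        {"cveID": "CVE-2021-10002", "vendorProject": "ExampleNAS", "product": "NAS OS",
         "dateAdded": "2022-05-10", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-31"},
    ]
}

# Constructed scanner output: (asset, CVE ID, CVSS base score).
SAMPLE_FINDINGS = [
    ("fw-edge-01", "CVE-2022-10001", 6.5),   # medium CVSS, but in KEV
    ("nas-backup-02", "CVE-2021-10002", 7.2),  # in KEV, catalog due date already passed
    ("web-app-03", "CVE-2022-10003", 9.8),   # critical CVSS, not in KEV
    ("legacy-04", "cve-2020-1", 5.0),        # malformed ID, cannot be matched to anything
]


def load_kev_index(catalog):
    """Map CVE ID -> KEV record, rejecting malformed IDs (criterion 1: a CVE ID exists)."""
    index = {}
    for entry in catalog["vulnerabilities"]:
        cve = entry["cveID"]
        if not CVE_ID_RE.match(cve):
            raise ValueError(f"malformed CVE ID in catalog: {cve!r}")
        index[cve] = entry
    return index


def prioritise(findings, kev_index, today):
    """Rank findings: overdue KEV entries, then KEV, then the rest by CVSS, then invalid IDs.

    `today` is an ISO date string. Malformed IDs are kept in the output (last)
    rather than dropped, so an analyst sees that they were never checked.
    """
    today = date.fromisoformat(today)
    ranked = []
    for asset, cve, cvss in findings:
        row = {"asset": asset, "cve": cve, "cvss": cvss, "due": None, "action": None}
        if not CVE_ID_RE.match(cve):
            row["tier"] = "invalid-id"
        elif cve not in kev_index:
            row["tier"] = "not-kev"
        else:
            rec = kev_index[cve]
            row["due"] = date.fromisoformat(rec["dueDate"])
            row["action"] = rec["requiredAction"]
            row["tier"] = "kev-overdue" if row["due"] < today else "kev"
        ranked.append(row)
    order = {"kev-overdue": 0, "kev": 1, "not-kev": 2, "invalid-id": 3}
    # Within a tier: earliest due date first, then highest CVSS first.
    ranked.sort(key=lambda r: (order[r["tier"]], r["due"] or date.max, -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS, load_kev_index(SAMPLE_KEV), "2022-06-09"):
        print(f"{row['tier']:<12} {row['asset']:<14} {row['cve']:<16} cvss={row['cvss']} due={row['due']}")
```

In practice the catalog dict would come from CISA's published KEV JSON feed and the findings from a scanner export; the point of the ordering is that a CVSS 6.5 router bug listed in the catalog outranks a CVSS 9.8 finding that is not.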
US Senate hearing focuses on standardization of incident reporting.
The US Senate Committee on Homeland Security and Governmental Affairs is currently hearing testimony on the rulemaking process for the recently signed incident reporting legislation, the Cyber Incident Reporting for Critical Infrastructure Act. MeriTalk reports that witnesses emphasized the need to standardize reporting avenues as well as the data itself. Megan Stifel, chief strategy officer for the Institute for Security and Technology, highlighted the importance of creating a unified strategy for combating ransomware. “Ransomware is 21st-century extortion but extortion is not a 21st-century invention. Today, however, there are only partial views spread across many stakeholders without a common process or pathway to stitch the pieces together,” she stated. She added that more consistency across reporting pathways would streamline data collection and lessen confusion among stakeholders, especially given the range of organizations that will be reporting incidents. Jacqueline Koven, head of cyber threat intelligence at Chainalysis, echoed Stifel’s sentiments. “The standardization is incredibly, extremely important to be able to operationalize that information swiftly so that they can be used to subpoena cryptocurrency businesses and used for attribution and accountability of these threat actors,” Koven stated.
Joint CISA/FBI Alert: Chinese cyberespionage.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI yesterday provided an overview of ongoing Chinese cyberespionage activity against US targets, Alert AA22-158A. Beijing's threat actors, the alert says, "continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure." Their typical approach is to compromise unpatched network devices, especially Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. Compromised SOHO routers and NAS devices can then serve as "additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities." The threat actors' initial targets are commonly telecommunications or network service providers, where they use the RouterSploit and RouterScan open-source frameworks to identify points of vulnerability. From there they look for "critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting," obtain appropriate credentials, and proceed to act like authorized users. The Alert recommends fourteen practices organizations should follow to render themselves harder targets, and the first of those is patching. “This work is building the foundation that they can do all of their objectives,” NSA's Rob Joyce told the Record, as he characterized the Chinese activity. “This is their plumbing.”
Terry Olaes, Director of Sales Engineering at Skybox, wrote to comment on the Alert and on how organizations should understand and apply it.
“Threat actors are targeting known common vulnerabilities and exposures (CVEs) of major telecommunications companies to harvest data and steal credentials. The NSA, CISA, and the FBI noted that upon gaining initial access to a telecommunications organization or network service provider, People’s Republic of China (PRC) state-sponsored cyber actors have successfully identified critical users and infrastructure, including systems critical to maintaining the security of authentication, authorization, and accounting.
"It is the latest urgent reminder that cybercriminals are increasingly targeting known vulnerabilities hiding in plain sight and turning them into backdoors to deploy complex attacks that are increasing at record rates. If organizations only rely on conventional approaches to vulnerability management, they may only move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS). Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks.
"To stay ahead of cybercriminals, companies need to address vulnerability exposure risks before hackers attack them. That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape. Organizations should ensure they have solutions in place capable of quantifying the business impact of cyber risks into economic impact. This will help them identify and prioritize the most critical threats based on the size of financial impact, among other risk analyses such as exposure-based risk scores. It's essential for organizations to increase the maturity of their vulnerability management programs to ensure they can quickly discover if they are impacted by vulnerabilities and how urgent it is to remediate.”