At a glance.
- CISA releases defense plan for RMM software.
- Business reacts to the SEC’s new incident reporting rules.
- The White House gets prescriptive with Federal civilian executive agencies.
Remote Monitoring and Management Cyber Defense Plan released under the CISA-led Joint Cyber Defense Collaborative.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued its Remote Monitoring and Management (RMM) Cyber Defense Plan. Created by industry and government partners through the Joint Cyber Defense Collaborative (JCDC), it’s described as the first proactive plan focused on the threats posed by vulnerabilities in RMM software. The press release states, “Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or managed security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers.” As Nextgov.com explains, attackers who target RMM systems often employ a technique called “living off the land,” abusing the legitimate remote-administration tooling already present in the environment rather than deploying their own malware, which lets them blend in with normal administrative activity and establish long-term access to an organization’s systems. To defend against such attacks, CISA’s plan identifies two key pillars: operational collaboration and cyber defense guidance.
As the Record notes, in January CISA and the National Security Agency reported that at least two federal civilian agencies fell victim to a refund scam campaign linked to RMM software. In a statement accompanying the new defense plan, CISA executive assistant director for cybersecurity Eric Goldstein explains, “The collaboration established to develop this plan has already achieved several accomplishments for RMM stakeholders and ecosystem. As the JCDC leads the execution of this plan, we are confident that this public-private collaboration in the RMM ecosystem will further reduce risk to our nation’s critical infrastructure.”
Roger Grimes, data-driven defense evangelist at KnowBe4, wrote to express strong approval of CISA's new plan, which he sees as representing a significant advance in cybersecurity. “This is a humongous important initiative that CISA and its partners have announced. It will likely have a sweeping impact across future generations and significantly reduce cybersecurity risk, especially in the industrial and mission-critical infrastructure space," Grimes said. "Why? Because remote management systems have been a multi-decade, continuous, never-stopping weakness in our systems. A weakly coded or configured remote interface can bypass all the other protections put around a system. It happens all the time. CISA, with its partners, is putting together a comprehensive approach to decreasing remote management risk using a combination of people, processes, and tools. I'm especially delighted to see an entire tier devoted to education because that's usually the mission-critical tier that is missing in most responsive defensive plans. Not this time. Only time will tell if what CISA is announcing here will return the expected dividends, but the ideas and framework for great success are put in place. I once again give big kudos for what CISA is bringing about.”
We also heard from Avishai Avivi, CISO at SafeBreach, who offered to explain a complicated announcement. "The Joint Cyber Defense Collaborative (JCDC), established by the Cybersecurity and Infrastructure Security Agency (CISA), announced their plan to help protect Remote Monitoring and Management (RMM) tools. This one sentence containing three acronyms may sound complicated - but let me unpack it for you," Avivi wrote. "This announcement further supports CISA's crucial role in the 2023 Biden-Harris Cybersecurity Strategy Implementation Plan. More specifically, CISA is tackling one of the most urgent and critical cybersecurity risks - Remote Monitoring and Management tools.
"Why is this the most urgent and critical risk? RMM tools, by their very nature, allow administrators to connect to their environments from outside. These tools are often implicitly trusted and have extensive control capabilities over the organization's networks and endpoints. While very convenient, this represents a significant exposure. Malicious actors may also have access to the same system and use this access to breach the organization. Recently, three RMM vendors - SolarWinds, Kaseya, and ManageEngine - were either breached or had a critical vulnerability that allowed malicious actors to gain unauthorized access to organizations using these products.
"It is important to note that the impact was not on the vendors. Rather, the impact was to any organization or agency using the RMM products provided by these vendors. The vulnerability exploited in this case is referred to as a supply-chain vulnerability. This type of vulnerability allows ransomware groups like Clop and threat actors like Volt Typhoon to breach any customer using the vulnerable RMM tool. In 2021, the SolarWinds RMM breach impacted nine federal agencies and about 100 companies. The Kaseya breach impacted up to 1500 businesses. In 2023 Clop breached multiple organizations by leveraging supply-chain vulnerabilities in the MOVEit and GoAnywhere tools.
"When considering the examples above, RMM tools are the most alluring target for malicious actors to breach. JCDC's focus on supporting RMM vendors and the RMM ecosystem to enhance their security makes perfect sense. At a high level, the plan depends on four different efforts:
- "Information sharing: The JCDC is collaborating with the RMM community of vendors and operators to quickly share information about new vulnerabilities to get ahead of the malicious actors using them. This threat intelligence will allow the RMM users to validate the security of their RMM environment.
- "Establishing an RMM operational Community: The JCDC seeks to promote collaboration within the RMM ecosystem by building on the first effort. While the first effort may be seen as a top-down initiative, this is more of a bottom-up effort.
- "End-User education: The breaches mentioned above could have been avoided if the end-users of these systems had appropriate guidance. With the right guidance, the impact on millions of consumers would be eliminated.
- "Amplification of CISA services: The JCDC will examine ways to enhance the delivery of their advisories and alerts to the RMM stakeholders. These efforts will allow companies and agencies to build effective Continuous Threat Exposure Management (CTEM) practices. By combining relevant threat intelligence and continuous security validation, the RMM ecosystem will be significantly more effective."
Business reacts to the SEC’s new incident reporting rules.
Many organizations are working to prepare for the US Securities and Exchange Commission’s (SEC) new incident reporting requirements, currently scheduled to go into effect on September 5, and JD Supra offers a breakdown of the new rules. The key changes include a disclosure window of four business days, running from the point at which a company determines a cybersecurity incident to be material, within which it must report the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company. As well, each organization’s annual report must cover three new categories of information: its processes for assessing, identifying, and managing material risks from cybersecurity threats; the material effects of cybersecurity threats and prior incidents; and a description of the board of directors' oversight of cybersecurity risk together with management's role and expertise in managing it.
Joe Nocera, lead partner of cyber, risk, and regulatory marketing at PwC US, told Cybersecurity Dive, “Generally, businesses should be excited about changes to the rules as the SEC tried to streamline compliance in a lot of areas. However, the requirement that incidents be disclosed within four business days will be a heavy lift for companies.” In an effort to lighten this load, the US Chamber of Commerce on Monday submitted a letter to the SEC urging the commission to delay the effective date of the rules by one year. Tom Quaadman, senior vice president of the Chamber’s Center for Capital Markets, and Christopher Roberti, the group’s senior vice president of cyber, intel, and supply chain security policy wrote, “The SEC has chosen speed over accuracy, ignored the role of nation-state actors, and is forcing businesses to choose between disclosure and national security.”
As Cybersecurity Dive explains, the letter goes on to say that in creating the new rules, the SEC overlooked many organizations’ concerns, and that a twelve-month delay could allow the SEC to explore additional ways to seek industry input. The SEC has not yet responded, and Quaadman says the chamber is already considering other courses of action if the letter goes unheeded. Quaadman stated, “Our job is to get to the right outcome. Litigation is a possibility, but it is always a last resort.”
The White House wants agencies to get serious about their cybersecurity posture.
The White House is moving toward a more directive, prescriptive approach to agency cybersecurity. CNN reports that National Security Advisor Jake Sullivan has issued a memorandum to Federal civilian executive agencies. Noting that there's been a general failure to fully comply with the President's 2021 Executive Order on cybersecurity, the memo directs that the agencies achieve full compliance by the end of this year.
Fran Rosch, CEO at ForgeRock, sees this as a shift in the direction of a more prescriptive approach to cybersecurity regulation. “Until now, the U.S. government has viewed cybersecurity as voluntary. This news demonstrates that it has shifted to viewing these cybersecurity policies as mandatory because attackers continue to have the upper hand when it comes to cybercrime and fraud. The entire world has become even more digital - including our critical infrastructure. Our nation’s most relied upon resources are all connected and, if hacked, the consequences are catastrophic to our economy and way of life," Rosch said. "I believe that Federal oversight will help improve the baseline for our country as a whole. It isn’t uncommon for the government to enforce new regulations to ensure public safety and national security. Software shouldn’t be any different." And it's a development Rosch welcomes, while recognizing the inevitable difficulties of implementation. "While this news is a great start, ultimately it will require the industry and companies within the private sector to take responsibility for the consequences of cyberattacks. Implementing new solutions like passwordless authentication is going to be important to improving security and reducing fraud. We’ve already seen companies like Google, Apple and Microsoft band together under the FIDO Alliance to reduce the world’s dependence on passwords, and ForgeRock is part of that mission.”