SolarWinds through a first principle lens: around the Hash Table.
Rick Howard: Last episode, I went into some detail about the SolarStorm campaign run by the adversary group UNC2452. We talked about attribution and how the U.S. government is pointing to Russia but has yet to release any evidence that would confirm that assertion. Since we published last week, Kaspersky has announced that they are seeing some similarities between the code used in SolarStorm and other code used by the adversary group Turla, otherwise known as the Venomous Bear Group or the Snake Group.
Rick Howard: In the past, the industry press has associated Turla with the Russian FSB, or Federal Security Service, the successor agency to the KGB. Kaspersky says that similar code segments are not enough to pin the operation on Turla; more likely, individual developers who worked on the Turla campaigns, or at least studied them, might have also worked on the SolarStorm campaign. So there is more work to do there.
Rick Howard: But the real point of last week's podcast was to determine if the first principle strategies we had developed over the last three seasons would have prevented material impact to our organization. Those strategies are intrusion kill chain prevention, zero trust, resilience and risk assessment. We said that since the SolarStorm campaign was essentially a zero-day campaign, UNC2452 nullified the intrusion kill chain prevention strategy. But with the other three, we had a chance of reducing the material impact to the company.
Rick Howard: Anyway, that's what I was thinking. To keep me in check, I invited two of the CyberWire's subject matter experts to grab a cup of coffee and sit down at the Hash Table to see if they agreed with me.
Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. On the Hash Table today are two of my old military buddies - Gary McAlum, the USAA chief security officer, and Don Welch, the Penn State University CIO. And we have a special guest appearance by Helen Patton, The Ohio State University CISO.
Rick Howard: The idea of cyber supply chain vulnerabilities has been around since the late 2000s, at least. The financial sector spent years trying to craft a standard set of audit questions for their third-party suppliers. They all used the same ones for the most part. But back then, each financial company was sending its own audit questions to their third-party suppliers. Sometimes mom-and-pop shops, they were getting overwhelmed with the amount of paperwork they had to generate, often answering the same questions over and over again.
Rick Howard: Today, third-party cyber audits are part of the compliance requirement industry in the form of Service and Organization Controls, or SOC 2, and ISO 2000 certifications. The question is, would that audit mechanism have prevented a material loss from the SolarStorm campaign? I asked Don Welch that question. He thinks that as part of due diligence, compliance checklists were the right thing to do, but he wasn't sure about how much protection they provide.
Don Welch: At best, you can determine whether they've thought about it. In the aftermath, you can go back to them and say, you said you were going to do this. But in terms of really protecting you, it's just got to be this high level of trust. Is the company going to do what they said they did? And as we all know, a lot of times, you can do things the first time, but then you get distracted, you don't keep up with it, et cetera. So, you know, we're completely dependent on the - on that supply chain. And it's something that we just don't have much control over, especially as we move more and more to the cloud.
Rick Howard: Gary agrees, but he acknowledges that those compliance checklists are also a bit of covering your backside in case you get breached. You can tell the board and the world that you follow the industry compliance rules and did everything you could.
Gary McAlum: Well, all of these are - they're a point in time, right? So even the self-assessments that we would review, they're only as good as the answers provided. When all the armchair quarterbacks are looking at you, you could say, well, we - here's what we did do, right? We did our best, right? So some of this is you have to do it because you have to do it. But does it operationally help you get a little bit more comfortable? I would say incrementally, yes. Are they worth it? I think for a lot of the critical high-risk companies that we deal with, for example, these are established companies that have a significant amount of compliance and audit work that happens from a lot of other of their customers as well. And so we come in there, and we get a data point. And, you know, I think it's part of a due diligence. But is it enough to be 100% sure? And the answer is no, you're never going to be 100% sure.
Rick Howard: Both Don and Gary talked about the two tiers of suppliers that organizations use. Any company, government, organization or academic institution brings raw materials inside in order to be consumed or transformed - anything from toilet paper to commercial HVAC systems to laptops and servers and in recent years, downloadable software upgrades. Clearly, some of those are more important than others when it comes to cyber defense. Here's Don.
Don Welch: Obviously, if our student information system gets compromised, that's not good. But from there, it will be harder to necessarily move laterally. If our Enterprise Active Directory gets compromised, they can have anything they want and do anything they want. And there - it's going to be very hard for us to defend against it. So, you know, we rely on certain classes of software much more than others from a security perspective. And that - you know, that is a concern. So obviously, backdoors in the operating system, backdoors in our security suite, backdoors in our management - those kinds of things that we don't normally think of as having high-risk information, they still can do a tremendous amount of damage if they compromise those systems.
Rick Howard: Gary's process is more granular, but it's the same idea.
Gary McAlum: We segregate out by risk category. Our vendors - right? - critical, high-risk vendors, you know, medium, low - and for the critical and high vendors, you know, we reserve the right to do an on-site assessment in addition to, you know, the paperwork, you know, SOC 2 type of assessments and so forth. And we also, like a lot of companies, use external parties like a BitSight or SecurityScorecard to supplement that information.
Gary McAlum: It's not just software. There are - you know, you talked about widgets. It's hardware as well, right? Servers, desktop, laptops coming into the environment, you know, network routing equipment, you know, and so forth.
Rick Howard: Both Gary and Don agree that the intrusion kill chain prevention strategy wouldn't have helped them here. But they both thought that zero trust applied in the right way could give the defender an advantage. Here's Don.
Don Welch: If you're in the defense industrial base, yeah, you probably should be doing that. If you are a university, you are probably not going to be doing it on the vast majority of your network. But hopefully you're going to be doing it on those key pieces of infrastructure, those really high-risk systems.
Don Welch: So implementing zero trust - because it's expensive, I think you have to be judicious about where you put it and hope that you are going to put your resources where they'll do the most good. And part of that is understanding what the threat is, what's the most valuable information that - what adversaries are going to be going after, what would cost the most harm for the institution, and then when you do it, doing it well. There's nothing worse than investing resources but not actually getting the value from that that you are supposed to get from it because of a halfway implementation or not paying attention to it.
Don Welch: Could you have stopped this? I'm not sure whether you would. But certainly, if it's not this attack, it's another attack. If I'm an adversary, if I can get access to multiple accounts and certainly get through an Active Directory, one then - wow, my job is easy. You know, we talk about layers, zero trust, you know, but the idea is that adversaries are going to be able to get into your network, but it should be a lot harder for them to get to the things that are going to hurt the most than it is to get to others.
Rick Howard: Gary was quick to point out that it depends on how you define zero trust. But if you can reduce the attack space, then yes, it is a viable strategy.
Gary McAlum: It's - and I always answer maybe because zero trust means different things to different people.
Rick Howard: Sure.
Gary McAlum: If you look at, you know, sort of the Forrester definition of zero trust - right? - it's more about network connections, right? It's not so much about supply chain, but the concept of not trusting anything inside your network could be extended to the supply chain. If you had that model where you said, listen; nothing goes in my environment unless, you know, I'm highly confident that it's secure, code doesn't have backdoors in it, there's no malicious code anywhere in the environment, firmware is good on network routing equipment. Sure, but how practical is that? I do think that would work.
Gary McAlum: I - here's what I'd do. I think it would shrink the space, the operating space for the attacker, right? And you have a greater chance of picking up on it at that point.
Rick Howard: In last week's episode, I suggested that maybe some sort of two-person control might help with a zero trust tactic for probably the SolarWinds Orion platform, but especially for the identity management system. You would use this zero trust control before you committed any changes to either platform. I asked both Don and Gary if they thought two-person control was viable. Here's Don again.
Don Welch: You've got people that have to get work done. You want them to get work done. And I think you look at something like a two-person change control, and you go what is the cost to my organization versus the value in added security? And are there other ways that maybe aren't quite as effective but are a lot less expensive? Once again, if you're the NSA, that's probably a really good technique. If you are a medium-sized retail business, you probably can't afford it.
Rick Howard: Gary says that he has used two-person control in the past.
Gary McAlum: We've done that in some pockets on, like, some of our mainframe systems, where we're about to make a certain level of change - right? - a system level change that, you know, if you mistype in something, you know, it could create problems hypothetically. I'll just leave it at that.
Rick Howard: Another zero trust tactic that might be handy against the SolarStorm campaign is privileged access management. We talked about this in Episode 8, Season 2. Here's a clip from that show of Helen Patton, the Ohio State CISO, explaining the concept.
Helen Patton: Privileged account management is simply the management of accounts that provides someone with elevated access within a system. So typically, for example, a network administrator has privileged levels of access to the network. It's not just that they can log on to the network with their device like any old end user. They can make changes to the configuration of the network with that kind of thing, right? So the accounts that a network administrator would use to do those privileged activities are often different than the accounts they would use as a general Joe Schmo user to access the network.
Helen Patton: And you need to make sure that the management of those privileged accounts receives a higher level of oversight to ensure, one, that - certainly, that they don't get hacked but, two, things like that they don't make changes that bring down the whole network system, that their use of those - they're not using those accounts for daily use when they don't really need to, that they're only using those accounts based on an approved change, for example.
Helen Patton: So there are systems out there that are designed like a password vault - well, they are a password vault - specifically for these privileged accounts. And the thing that's unique about privileged accounts is, often, they're shared by multiple people. So the privileged account systems will also allow for users to use a privileged account without having to know the password and having the password automatically change after every instance of use - super helpful.
Rick Howard: As an aside, I love finding excuses to bring Helen onto the show, not only because she is brilliant and articulate but also because it gives me the chance to mention that she is the chairman of the Cybersecurity Canon Project, a kind of Rock & Roll Hall of Fame project for cybersecurity books. If you are looking for your next cybersecurity book to read, turn on the magic Google box and look for Ohio State University and the Cybersecurity Canon Project. But I digress.
Rick Howard: Gary, the USAA's chief security officer, thinks that privileged access management is the aspirational goal but might be difficult to deploy.
Gary McAlum: Idealistically, it's exactly what you want to do. But then practically speaking, every IT environment's a little bit different, so there's a journey on how you migrate to that model without breaking things.
Rick Howard: Don prefers privileged access management over two-person control because it's cheaper in terms of resource spent.
Don Welch: Things like privileged access management with monitoring of everything that is done in - you know, in those system administrations so that you can go back and find out that something has gone wrong and hopefully catch it, you know, before too much damage is done. Not as good, but once again, it's a lot less expensive to implement a solution like that than it is that two-person control.
Rick Howard: With the help of Gary, Don and Helen, we have two tactics that might have been useful within our zero trust strategy. What about another strategy? Would risk assessment have helped? Gary and Don are not so sure, but they think the entire SolarStorm campaign is a great case study for all infosec practitioners to ponder and a perfect way to identify critical sections of the enterprise to allocate resources to.
Gary McAlum: This is a great risk management exercise. It's a great case study for many, many people. This is a - I don't know if it's a worst-case scenario, but it's certainly a really bad case scenario, right? Like, this one - this is a perfect textbook example of what - when we talk about advanced persistent threat, that gets overused a lot. This is a great example of that.
Don Welch: Yeah. In general, it's good to have a strategy to understand what your high-risk information is. What is the information that is going to do damage to the institution, whether it's loss, whether it's changed or whether it's exposed?
Rick Howard: During these conversations with Don and Gary, we were all cognizant and wary of becoming Monday morning quarterbacks - you know, pointing out obvious flaws and remedies after the fact without any relation to the real world. Guilty, I'm afraid. But it's the reason we have the Hash Table so that real-world practitioner executives can ground our thinking.
Rick Howard: Here's the bottom line to the last two episodes, though. Without our first principle strategies in place, when UNC2452 came knocking, you were probably owned. With them in place, though, you would have significantly reduced the probability of material impact due to the SolarStorm campaign. And that's a good thing.
Rick Howard: And that's a wrap. If you agreed or disagreed with anything I've said about the SolarStorm campaign and UNC2452, hit me up on LinkedIn, and we can continue the conversation there. Next week, we will continue our theme of looking through the cybersecurity first principle lens. And this time, we will be focusing on Microsoft Azure. Can you deploy the four strategies in that cloud environment? You don't want to miss that.
Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, and the mix of the episode and the remix of the theme song was done by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.