The number of government agencies affected by the supply chain attack on SolarWinds network monitoring software grows daily, ratcheting up alarm among private and public sector security pros. Former NSA Chief Security Officer Chris Kubic, now CSO at Fidelis, spoke with SC Media about what’s happening behind the scenes in the CIO and CISO offices of the Pentagon, military services and government agencies, as they scramble to respond to the attack believed to be the work of Russia’s APT29, or Cozy Bear.
Where do CIOs and CISOs at government agencies and the Pentagon even start to peel back the layers of this hack?
The initial flurry of activity will involve tracking down all the systems that are potentially impacted – specifically any systems that currently have or have ever had SolarWinds software installed on them. This could be a very difficult task for departments and agencies that do not have automated capabilities in place to catalog and track the software that resides within their systems. The end goal here is to build an accurate and complete inventory of all systems that have ever had a compromised version of SolarWinds software installed.
In parallel with this, there will be a scramble to get updated detection signatures in place within department and agency cybersecurity systems. These updated detection signatures will enable the departments and agencies to detect any new attempts to compromise systems using either the SolarWinds exploit or any of the other attack techniques made public by FireEye and CISA. Fidelis and really all the leading commercial cybersecurity vendors have been pushing hard all week to make these new detection signatures available to the departments and agencies and to our commercial customers.
Protecting themselves from future attacks is critical, of course, but how do agencies get a fix on the damage done?
Following these initial steps comes the difficult task of determining specifically which systems have been compromised and what sensitive data may have been stollen through this attack – a damage assessment so to speak. SolarWinds provided the vehicle for the attacker to gain initial access to department and agency systems, but the attackers would not have stopped at those initial systems, they would have used that initial access to drill deep into department and agency networks to find and exfiltrate sensitive data, covering their tracks as they moved throughout these systems. To the extent that a department or agency network is connected to other networks, the attackers would have attempted to use that connectivity to jump into other networks as well. So a single exploit can result in multiple systems and networks being compromised and that is what makes this damage assessment very difficult. Performing these types of damage assessments takes skilled cybersecurity analysts to perform the forensic analysis of these systems. I would expect that there is tremendous cooperation going on across government agencies to assist those departments and agencies that have been attacked with assessing and recovering from the attack, to gather and share information on the attack techniques used by the attackers in order to hunt for similar attack techniques being used within other networks, to monitor networks looking for attempts by the attackers to expand their access or regain entry into compromised systems, and ultimately to determine who is responsible for the attacks.
Do you think there’s a mad scramble to respond or were they well-prepared for just such a moment even though they were caught off-guard?
From my past experience, and this may have changed since I left government service, there is a wide variation in cybersecurity capabilities and readiness across the government. So, I would expect that many were prepared with incident response plans and teams in place but some were not. The key here is to not only have incident response plans in place, but to have rehearsed those plans ahead of time to ensure your plans are solid. Some organizations have also outsourced their IT and cybersecurity services, and the companies they outsource to tend to have pretty mature processes in place in order to be able to win these contracts.
What kind of resources can they tap to respond?
I would say that the resources vary across departments and agencies but I expect that both public and private resources are being made available to the organizations that have been attacked to assist them with the damage assessment, response, and reconstitution of their networks and systems. Responding to this type of attack requires cybersecurity personnel skilled in the advanced techniques used by the attacker and if the response is not done properly, you leave the door open for the attacker to regain control of the system – and while this level of expertise is in short supply, I would imagine it is being made available to those that need it most.
It seems that both public and private sector organizations have been galvanized into action without hesitation.
I think we have already seen tremendous public-private collaboration and information sharing going on in both directions and expect there is lots more public-private collaboration going on behind the scenes. There has also been tremendous collaboration and information sharing going on within industry and that is great.
How far and long do you expect fallout to spin?
That is hard to say because we don’t yet know the full extent of the attack and the damage that has been done. It’s quite possible that analysis of this attack will uncover additional attacks so this has the potential to expand as we go forward. The key here will be continued transparency and information sharing.
Where will the impact be the greatest?
I think it is too early to tell until we get a little further into the investigation into the totality of networks and systems that have been compromised and the types of data that were exposed through those systems.
Any time frame for when agencies can have confidence that they’re in the clear (if ever)?
It’s a little too soon to know when departments and agencies will be “in the clear” as the damage assessment is still being done and we don’t yet know the full extent of the attack.
Will the fact that we’re in the middle of both a transition between presidential administrations and a pandemic have any impact on how agencies will respond or their likelihood of success?
I don’t see the administration change having a big impact. The leadership of many departments and agencies will certainly change as new political appointees are brought in but the underlying staff of these organizations will not change - and these are the folks that will be performing the bulk of the work. Government organizations and workers are accustomed to this change and will continue to do what is needed to keep government operations moving forward during the transition – to include working through the recovery process for this attack. The pandemic on the other hand may have a greater impact on this as many departments and agencies are still working remotely. I expect that some of the damage assessment and recovery from the attack can be performed remotely but much of that work will require onsite personnel.