For laypeople demanding evidence that Russia is responsible for the #SolarWinds breach (and subsequent operations), be patient, it will come.

As an analogue, prosecutors typically don’t discuss specifics of ongoing investigations. This is because the target may interfere. 1/
This analogy unfortunately breaks down precipitously. First, this is less like a robbery than a set of ongoing hostage situations. The problem is that we don’t know how many hostage situations we have yet. Every piece of evidence we discuss publicly can hurt us. 2/
With the release of every indicator of compromise, we always must balance the value of helping victims with the risk that the attacker will change their tradecraft to prevent future detection.

This adversary has shown that they practice counterintelligence and WILL change. 3/
Now some might say “that’s circular logic, we don’t yet KNOW who the adversary is.” Sure, I hear you. But I’ve been in the malware. The adversary took obvious steps to prevent detection. We can easily conclude that an adversary taking such steps must also be watching the news. 4/
Back to our hostage situation analogue, we still don’t yet know how many hostage situations we have. SolarWinds says at least 18,000, but not all those are created equally. The attacker lacks resources to operate in all of those networks. Resources aside, each increases risk. 5/
Some of these “hostage situations” have casualties (follow on operations). We do now assess that in most situations where there are no follow on operations, the attacker has been neutered (defenders have control of the initial callback domain). 6/
So we (mostly) believe we’ve limited the attacker’s ability to create new hostage situations (at least through this vector). But we do still need to understand how many hostage situations (networks with follow on operations) are yet to be discovered. 7/
Any evidence released to help determine this number is not likely to be easy to attribute to any specific country.

Second, in any hostage situation, you always have to go room by room clearing the entire building once you think it’s over. 8/
The cat is out of the bag on the initial compromise vector, but we have to hold back some amount of evidence to enable continued investigations. Unfortunately THIS is the evidence that is most easily attributed to a particular country. I know this sucks if you want it now. 9/
Any evidence released now will be subject to an intel gain/loss (IGL) analysis. For those not familiar, watch The Imitation Game. There, they struggle with allowing people to die in order to protect the fact we’d broken the Enigma cipher. There are huge parallels here. 10/
As much as I want to see all the evidence, I’m 100% convinced based on what I’ve seen firsthand this was a Russian government group. I’m not sure it matters which specific Russian group it is. In the coming weeks, pundits will argue about GRU vs SVR vs FSB, etc. 11/
The highlight here isn’t “wow, there are lots of questions about attribution! We shouldn’t trust that it’s Russia.” Don’t fall prey to this.

By analogy, think about the Soleimani killing. Do you really care whether NSA or CIA provided the targeting? Does Iran? 12/
Hopefully the analogies here help contextualize what we’re seeing now (and what is sure to come). Note that no analogy is perfect, certainly not these. Attribution is hard.

Be patient, better public evidence will come in due time. /FIN

More from @MalwareJake

21 Dec
I’ve had multiple people (mostly executive leadership) ask me whether they should be concerned about destructive cyberattacks in the #SolarWinds incident. Two have cited elevated concerns because of attribution to Russia and the history of NotPetya. 1/
Obviously predictions in cyber age REALLY poorly, so evaluate this as lower quality as time marches on.

That said, I define a threat as the intersection of intent, opportunity, and capability. Let’s discuss each of these in the context of what we know about this threat actor. 2/
Capability: there’s no question that this very capable threat actor has the capability to perform destructive cyberattacks. Ignoring the fact that almost everyone does, Russia has demonstrated the ability with NotPetya and even against critical infrastructure with LightsOut. 3/
18 Dec
The next few weeks are going to suck if you work in IT or security. Buckle up folks.

I predict that we’re going to see two patterns emerge:
First, we’ll see a large percentage of teams built on huge budgets and flashy tools crashing and burning in their response. 1/
Second, we’ll later learn that while tool heavy teams are imploding like dying stars, apparent-underdogs will be crushing it, rebuilding where necessary, and securing their networks.

The difference between the two? The former only really learned how the tools work. 2/
But because the tools abstract away details, many don’t know how to do what the tool actually does (or don’t know it well). And this doesn’t really matter until you can’t use the tool for some reason.

The latter teams are strong on fundamentals (they have to be). 3/
14 Dec
Moving beyond the technical aspects of the #SolarWinds breach, I think it’s clear that @FireEye dealt Russia a major blow by detecting this.

It’s hard to overstate the value of intelligence on government agencies, especially during an administration change. 1/
But this administration change is particularly important for Russia. There’s no question that the Biden administration will be more stern in its approach to Russia and knowing what’s being discussed/what’s coming was paramount for them. This intel loss cannot be overstated. 2/
So as you’re slogging through this week putting out the myriad dumpster fires surrounding this event, know that Komrade Boris is having to explain to Daddy Putin that they’ve lost a critical source at the time they needed it most.

Then smile and say “fsck those guys!” /FIN
14 Dec
Okay folks, let’s talk about SolarWinds.

For those not familiar with it, SolarWinds is a network management system (NMS). It’s probably the most ubiquitous NMS out there, so we shouldn’t jump to conclusions that FireEye and Treasury were both breached by a SolarWinds vuln. 1/
That would be an illusory correlation. If you’re jumping to that conclusion (or that FireEye and Treasury use a common MSP), at least be clear that you’re guessing.

It’s a lot like the DC Sniper case where we focused on white vans. SolarWinds (like white vans) is everywhere 2/
NMS are excellent targets. They have access to most (often all) systems on the network, so outbound IP ACLs are not a useful control. Netflow usually doesn’t help either since the NMS not only has access to everything, but it’s also talking A LOT. 3/
27 Nov
Buckle up folks, if you're looking for a fantastic example of the need for sound vulnerability management programs, read on (this is about more than Drupal):
The day before Thanksgiving, Drupal released a patch for a critical vulnerability for which exploit code is available. 1/n
Oh, BTW this is a serialization vulnerability. This is bad. It allows for a local file overwrite. In most cases, this means it will result in an RCE.

Did your team notice the vulnerability notification on Wednesday? The day before Thanksgiving? 2/n
I hear the choirs of "we don't use Drupal because CMS are all vulnerable" but that's dumb. Your corp website probably uses a CMS of some variety. "Custom developed" means that nobody else is looking at the code. In most cases, this is security through obscurity. 3/n
14 Oct
After further reflection I think Twitter has made a mistake censoring the NY Post article. It's garbage journalism, but that's not why they censored it.

Twitter is claiming that it contains hacked content and linking to it violates its policies. 1/n
First, let's note that Twitter has consistently penalized accounts for linking to hacked content. Their actions are at least consistent when viewed at face value.

The question for me then is this: does this constitute "hacked content?" I really don't think it does. 2/
If you take the story at face value, this is data recovered from abandoned property. Imagine you see a computer in a public trash can. You take it and extract data from the drive. Is that hacked data? More importantly, would Twitter censor a story with that data? 3/