I’ve had multiple people (mostly executive leadership) ask me whether they should be concerned about destructive cyberattacks in the #SolarWinds incident. Two have cited elevated concerns because of attribution to Russia and the history of NotPetya. 1/
Obviously predictions in cyber age REALLY poorly, so evaluate this as lower quality as time marches on.
That said, I define a threat as the intersection of intent, opportunity, and capability. Let’s discuss each of these in the context of what we know about this threat actor. 2/
Capability: there’s no question that this very capable threat actor has the capability to perform destructive cyberattacks. Ignoring the fact that almost everyone does, Russia has demonstrated the ability with NotPetya and even against critical infrastructure with LightsOut. 3/
Opportunity: there’s no question they had the opportunity, though since the initial callback domain has been seized, the wider-scale opportunity is gone.
There’s no doubt they can still wreak havoc in many networks, but the widest-scale destructive attacks are now out. 4/
Intent: this is where we have to rely on history a bit. We know that these operations are likely for intelligence value versus for use as a destructive cyberattack. Why? 1) the victims picked for follow-on actions that we know of are all obvious intelligence targets. 5/
2) Even if the SolarWinds breach was intended to be used to position for a destructive cyberattack, they knew that window would close the second FireEye announced their breach. If the intent was to be destructive, that’s changed now. 6/
3) When considering a cyber access, you can use it to collect intelligence or deliver an effect, but generally not both. There’s little doubt that Russia needed the intelligence access substantially more after November 3rd. This isn’t meant to be political. 7/
The reality is that with ANY administration change, you would have increased intelligence requirements to understand policy changes, intent, etc.
Whatever the intent WAS, it almost certainly changed after November 3rd. 8/
4) The administration change makes a destructive cyberattack against US targets risky. Biden is a wild card when it comes to his response. I just don’t see this being a good risk decision for the Russians. 9/
So there are my thoughts on intent, opportunity, and capability in this case. I assess with moderate-high confidence that regardless of the original intent, this access will not be used for destructive cyberattacks. /10
As per usual for long tweet threads, this one was also brought to you by Cypher, who was best boi and didn’t pull while I was typing. /FIN
On today’s #dogWalkingThread, let’s talk about the recently disclosed abuse of SAML by attackers to “bypass” MFA.
For those not familiar with the concept, SAML allows the separation of identity providers (IdP) and service providers (SP). Why the separation? 1/
Suppose you want to access a service, and the service needs to authenticate you, but you really don’t want the service ever having your credentials (EVER). As long as the SP trusts the IDP, this is no problem. You authenticate with the IDP and the IDP tells the SP “trust them” 2/
Let’s consider passports as an analogue. I’ve traveled to many countries I wouldn’t want to have all my identity data, but the State Department serves as my identity provider. Because the country I’m entering trusts the US State Department, the passport is enough. 3/
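To make the trust relationship above concrete, here is a toy model of it in Python. This is an added example, not code from the thread, and it is not real SAML: assertions are JSON and the IdP signs them with an HMAC key (real SAML assertions are XML, signed with the IdP's private key and checked against its certificate), and the issuer, audience and key names are assumptions. The trust logic is the same as the passport story: the SP never sees a password or an MFA code, it only checks that the assertion carries a valid IdP signature and sane claims. The last scenarios show why a stolen IdP signing key "bypasses" MFA (the IdP is simply never asked) and why rotating that key closes the hole.

```python
"""Toy model of the IdP / SP trust split: an SP accepts any assertion that
carries a valid IdP signature. Not real SAML (JSON + HMAC instead of XML +
asymmetric signatures); the identifiers below are assumed for the example."""
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example.test"     # assumed identifier
SP_AUDIENCE = "https://mail.example.test"   # assumed identifier
ASSERTION_LIFETIME = 300                    # seconds


def sign_assertion(key, claims):
    """IdP side: canonicalise the claims and attach an HMAC-SHA256 over them."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims,
            "signature": hmac.new(key, body, hashlib.sha256).hexdigest()}


def idp_login(key, subject, used_mfa, now):
    """IdP side: the assertion a legitimate login produces after the user
    actually authenticated (password, plus MFA if they completed it)."""
    claims = {
        "issuer": IDP_ISSUER,
        "audience": SP_AUDIENCE,
        "subject": subject,
        "authn_context": "mfa" if used_mfa else "password",
        "issued_at": now,
        "expires_at": now + ASSERTION_LIFETIME,
    }
    return sign_assertion(key, claims)


def sp_validate(trusted_key, assertion, now, require_mfa):
    """SP side. Returns (accepted, reason). The SP only has the IdP's key and
    the claims; it has no independent way to tell whether MFA really happened."""
    claims = assertion["claims"]
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(trusted_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    if claims.get("issuer") != IDP_ISSUER:
        return False, "unknown issuer"
    if claims.get("audience") != SP_AUDIENCE:
        return False, "wrong audience"
    if not claims["issued_at"] <= now < claims["expires_at"]:
        return False, "expired"
    if require_mfa and claims.get("authn_context") != "mfa":
        return False, "mfa required"
    return True, "ok"


def forge_assertion(key, subject, now):
    """Attacker side: holding the IdP signing key, mint an assertion for any
    subject that simply *states* MFA was satisfied. No login, no MFA prompt,
    nothing in the IdP's logs: the IdP was never asked."""
    claims = {
        "issuer": IDP_ISSUER,
        "audience": SP_AUDIENCE,
        "subject": subject,
        "authn_context": "mfa",
        "issued_at": now,
        "expires_at": now + ASSERTION_LIFETIME,
    }
    return sign_assertion(key, claims)


def demo(now=1_600_000_000):
    """Run the scenarios and return {name: (accepted, reason)}."""
    idp_key = b"idp-signing-key-v1"       # the key an attacker would steal
    rotated_key = b"idp-signing-key-v2"   # what the SP trusts after rotation
    return {
        "legit_mfa": sp_validate(idp_key, idp_login(idp_key, "alice", True, now), now, True),
        "legit_password_only": sp_validate(idp_key, idp_login(idp_key, "alice", False, now), now, True),
        "forged_with_stolen_key": sp_validate(idp_key, forge_assertion(idp_key, "admin", now), now, True),
        "forged_without_key": sp_validate(idp_key, forge_assertion(b"wrong-key", "admin", now), now, True),
        "forged_after_rotation": sp_validate(rotated_key, forge_assertion(idp_key, "admin", now), now, True),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} accepted={ok} ({why})")
```

The forged assertion passes every check the SP can run, because the SP's whole job is to trust the IdP. The practical consequences follow directly: the IdP signing key is the crown jewel, signing must be logged on the IdP side so a signed assertion without a matching login stands out, and after a suspected key theft the only clean recovery is rotating the key (the last scenario).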
For laypeople demanding evidence that Russia is responsible for the #SolarWinds breach (and subsequent operations), be patient, it will come.
As an analogue, prosecutors typically don’t discuss specifics of ongoing investigations. This is because the target may interfere. 1/
This analogy unfortunately breaks down precipitously. First, this is less like a robbery than a set of ongoing hostage situations. The problem is that we don’t know how many hostage situations we have yet. Every piece of evidence we discuss publicly can hurt us. 2/
With the release of every indicator of compromise, we always must balance the value of helping victims with the risk that the attacker will change their tradecraft to prevent future detection.
This adversary has shown that they practice counterintelligence and WILL change. 3/
The next few weeks are going to suck if you work in IT or security. Buckle up folks.
I predict that we’re going to see two patterns emerge:
First, we’ll see a large percentage of teams built on huge budgets and flashy tools crashing and burning in their response. 1/
Second, we’ll later learn that while tool-heavy teams are imploding like dying stars, apparent underdogs will be crushing it, rebuilding where necessary, and securing their networks.
The difference between the two? The former only really learned how the tools work. 2/
But because the tools abstract away details, many don’t know how to do what the tool actually does (or don’t know it well). And this doesn’t really matter until you can’t use the tool for some reason.
The latter teams are strong on fundamentals (they have to be). 3/
Moving beyond the technical aspects of the #SolarWinds breach, I think it’s clear that @FireEye dealt Russia a major blow by detecting this.
It’s hard to overstate the value of intelligence on government agencies, especially during an administration change. 1/
But this administration change is particularly important for Russia. There’s no question that the Biden administration will be more stern in its approach to Russia and knowing what’s being discussed/what’s coming was paramount for them. This intel loss cannot be overstated. 2/
So as you’re slogging through this week putting out the myriad dumpster fires surrounding this event, know that Komrade Boris is having to explain to Daddy Putin that they’ve lost a critical source at the time they needed it most.
For those not familiar with it, SolarWinds is a network management system (NMS). It’s probably the most ubiquitous NMS out there, so we shouldn’t jump to conclusions that FireEye and Treasury were both breached by a SolarWinds vuln. 1/
That would be an illusory correlation. If you’re jumping to that conclusion (or that FireEye and Treasury use a common MSP), at least be clear that you’re guessing.
It’s a lot like the DC Sniper case where we focused on white vans. SolarWinds (like white vans) is everywhere. 2/
NMS are excellent targets. They have access to most (often all) systems on the network, so outbound IP ACLs are not a useful control. Netflow usually doesn’t help either since the NMS not only has access to everything, but it’s also talking A LOT. 3/
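The reason netflow is weak here is that the NMS legitimately talks to everything internal, so counts and byte volumes from it are noise. One narrowing that still gets some use out of flow data is to ignore internal destinations entirely and ask only which external destinations the NMS host talks to, a set that should be small and stable. Below is an added example (not from the thread) of that first-seen check in Python. The flow records are constructed for the example; the NMS address, the internal ranges and the external IPs (RFC 5737 documentation ranges) are assumptions.

```python
"""First-seen external destination check for a chatty NMS host.

Added example. Internal polling noise is dropped on purpose; the signal is a
new external (dst, port) pair from the NMS, regardless of how little it sent.
All flow records below are constructed; addresses are assumptions."""
import ipaddress
from collections import defaultdict

NMS_HOST = "10.0.0.5"  # assumed address of the NMS server

# Ranges treated as internal; adjust to the environment. Explicit list rather
# than ipaddress.is_private, because Python also flags the RFC 5737
# documentation ranges used below as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def flow(src, dst, dport, nbytes, day):
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes, "day": day}


# Constructed 14-day baseline: SNMP polling of 200 internal hosts every day,
# plus daily HTTPS to an assumed vendor update server.
BASELINE = []
for day in range(1, 15):
    for i in range(1, 201):
        BASELINE.append(flow(NMS_HOST, f"10.0.1.{i}", 161, 1200, day))
    BASELINE.append(flow(NMS_HOST, "203.0.113.10", 443, 48_000, day))

# Constructed detection window (day 15): the same noise, plus one new external
# HTTPS destination with a small volume that a bytes threshold on this host
# would never surface. The last record is another host, not the NMS.
WINDOW = [flow(NMS_HOST, f"10.0.1.{i}", 161, 1200, 15) for i in range(1, 201)]
WINDOW += [
    flow(NMS_HOST, "203.0.113.10", 443, 47_500, 15),
    flow(NMS_HOST, "198.51.100.77", 443, 4_096, 15),
    flow("10.0.1.3", "198.51.100.77", 443, 9_000, 15),
]


def is_external(ip):
    a = ipaddress.ip_address(ip)
    return not any(a in net for net in INTERNAL_NETS)


def external_dests(flows, src):
    """Map (dst, dport) -> total bytes for external flows originating at src."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] == src and is_external(f["dst"]):
            totals[(f["dst"], f["dport"])] += f["bytes"]
    return dict(totals)


def first_seen_external(baseline, window, src=NMS_HOST):
    """External (dst, dport) pairs seen from src in the window but never in
    the baseline, with bytes sent. Novelty is the signal, not volume."""
    known = set(external_dests(baseline, src))
    return {k: v for k, v in external_dests(window, src).items() if k not in known}


if __name__ == "__main__":
    for (dst, port), nbytes in first_seen_external(BASELINE, WINDOW).items():
        print(f"NEW external destination from {NMS_HOST}: {dst}:{port} ({nbytes} bytes)")
```

This does not rescue netflow for lateral movement inside the network, which is the author's point: the NMS reaching any internal host is expected. It only narrows the question to the handful of external endpoints an NMS should ever need, where a first-seen destination is cheap to review.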
Buckle up folks, if you're looking for a fantastic example of the need for sound vulnerability management programs, read on (this is about more than Drupal):
The day before Thanksgiving, Drupal released a patch for a critical vulnerability for which exploit code is available. 1/n
Oh, BTW, this is a serialization vulnerability. This is bad: it allows a local file overwrite, which in most cases means it will result in RCE.
Did your team notice the vulnerability notification on Wednesday? The day before Thanksgiving? 2/n
I hear the choirs of "we don't use Drupal because CMS are all vulnerable" but that's dumb. Your corp website probably uses a CMS of some variety. "Custom developed" means that nobody else is looking at the code. In most cases, this is security through obscurity. 3/n