The Solarwinds incident is breathtaking in its scope, but it was also such a huge and delicate house of cards. It will take a long time to clear every organization, but really, one flagged bad device login brought so much infrastructure crashing down.
This really lends credence to the “adversaries only have to succeed once and defenders have to succeed all the time” mantra being bunk. One defender was successful once at a point in basic defense, and a bite got taken out of a very costly intrusion into multiple organizations.
Something else important to note for multiple reasons was the reuse of TTPs. A well resourced, state style adversary can scale up impressively to compromise multiple orgs simultaneously, but it came at the cost of some cookie cutter tactics that could be tied to one another.
(Because they’re just like infosec companies; there’s only so much trainable talent out there, and managing it requires a lot of playbooks, scripted tools, and a tiered structure of competence.)
Honestly, I’ll be nose down in endless Solarwinds IR mess for months (and it’s horrible) but it also gives me some hope in the fallibility of our adversaries. We can learn a lot from this as both attackers and defenders.
That’s your “glass half full” take for Jan 19 as I see the exact same IOCs for the (x)th time.
It's Tuesday night on January the 19th of 2021, therefore time to burn it all down. Let's talk politics and infosec.
Let's try to put some very basic, hopefully not-too-terribly controversial concepts out there in discourse:
1) Tech (including infosec and hacking), is deeply political.
Technologies invented, hacked, or adapted in a well-meaning bubble will frequently be abused for political purposes, or have an unforeseen political impact on society. See: mobile phones, social media, facial rec.
2) Forget or ignore Rule #1 at your own risk, and the risk of the next generation.
This is why learning about history and ethics is really important to even the most isolated and insular tech communities. Stuff from the way back can come back to bite everyone in stunning ways.
I'm just instantly blocking people who try to gaslight me this week, be it on infosec, minimum wage, natsec, or human dignity. Don't care if they're blue checks, execs, or have 8000 infosec followers. I'm all out of bubblegum.
I'm getting a lot of questions on this:
Gaslighting is different than debate, even bad faith debate, because it involves a person with some kind of power or authority persistently trying to convince you or me that what we personally experienced with our own senses didn't happen.
For instance, we all watched the capitol riots from a dozen cameras in real time, but there are people persistently working to convince us we saw something else, and that on-camera events didn't happen.
We aren’t going to just forget that one of “ours” in our professional community enabled the events of the past week, are we? What ended up happening to this chucklenuts?
I know I am not the first one to say this, but there are a lot of very well credentialed people in tech worrying what would happen if internet giants collectively de-platformed a group who isn't right wing, while totally erasing the fact that it already happened to sex workers.
(Which is not a reason not to worry about the power that internet giants and infrastructure provide and the ethical and legal complications. Just stop erasing an entire group of people, many of whom have suffered horrible abuse or worse as a result.)
If there was one thing I was brought up wrong about even by a relatively liberal, non-religious family, it was what sex workers go through each and every day, and how unfairly persecuted they are. I regret not knowing that sooner.
It is really important, in infosec and natsec, to understand if your adversary is making a tactical or a strategic choice.
For instance, why are they moving laterally? Is it because they just aren’t able to get their tool to run, or because they know exactly what system they want to reach on your network?
Is the immediate attack a distraction, or is it the point?
I am so tired of conspiracy theories about 1) Nationwide blackouts 2) Nationwide internet takedowns
It's like suggesting somebody is going to simultaneously unscrew every screw of varying sizes and types in your home.
Neither of those things is happening in modern times without a nuke or an asteroid.
Also, the "national blackout" wet dream conspiracy theory is about the lamest one I can possibly think of - grow some post-apocalyptic creativity. Places all over the world do fine with unstable power. I think of 11 more interesting ways to destroy civilization by breakfast.