The attack surface of the government is incredibly, extremely massive. It's pretty much impossible to stop every single intrusion attempt. When combined with nation-state backing, it's nearly impossible to stop widespread compromise as it's currently structured.
Personally, I assume that MAD applies to this system to ensure that no rational nation would leverage this access for anything beyond intelligence-gathering.
Paradoxically, the more gross the failure, the less responsibility large organizations seem to take. Thinking of Equifax, or PG&E and the wildfires.
Maybe this is the real rotten core that needs changing. Orgs need to be held to account. And that points to an even deeper core -> we are the ones who need to change, to actually hold orgs to account.
The market process and diseconomies of scale tend to constrain the size of firms, so much so that "bigness" is a strong indicator that a firm is instead being propped up by the political process, e.g., bailouts, regulatory capture.
What does it mean to "hold orgs to account?" Let's unpack this.
When some organization promises to do a thing and they fail to do the thing, then sure, you can blame them for breaking their promise.
This doesn't fix anything though.
To fix things you need to talk about preparedness. Whose job is it to prepare? Do they know what to do? Do they have the resources to do it?
Increased penalties for failure aren't going to fix it. And especially, deciding afterwards that someone should have known it's their problem isn't going to fix it.
I agree on all fronts. Preparedness is the clearest way. But our economy (and capitalism in general) don't reward preparedness, in fact they often punish for it. I read some article about how building slack into systems is equal to building resiliency into them. How can we build an economy that aligns incentives to be resilient?
The same applies to pandemic preparedness. There is no incentive for a hospital to over-provision beds that are empty most of the time.
Looking for examples of cultures and organizations that over-provision, the military might be an example. Why do we translate worry about physical attacks into action but not cyber attacks or environmental harm?
The underwriting of business ventures goes back at least three centuries, and the market process aligns incentives pretty well. But if you think you can price over/under-preparedness better, that sounds like a profit opportunity for you.
Why wouldn't increased penalties for failure do it? We're in an environment where spending money on better security and preparing is seen as waste. If the alternative is having a large fraction of your profits confiscated because you were being negligent, that seems like the most direct way to address the mindset at the organization level.
If investors ask why you're spending so much on ITSEC, you point at regulatory requirements.
Someone has to point out the possibility of failure to someone who can do something about it. Where is the incentive to point it out or spend time looking for failures? Particularly when it's not their job? You need to make it someone's job.
In some cases, insurance can do it. It's the insurance company's job to understand and minimize risk.
But the best idea I've read is to have a regulatory agency like the NTSB.
It's probably a fallacy to assume this can be fully digested in a public forum. Things like this require committees and trust and understanding of the problem. Software threw all that out the window years ago.
In short, the insurance companies have a phrase where they don't have to pay out for business losses caused by disease as specified by a certain law.
But that law got wiped from the books and replaced with a new law. And the terms of insurance for most of the companies never got updated and so are irrelevant on that point.
So the insurance companies should pay up for business losses due to covid. They are now saying "never mind the exact lettering of the agreement, go by the spirit of it"....
Going based on this Washington Post article, it seems its a DHS system called Einstein, which according to a GAO investigation/report was found to have had issues:
"In that report, we also noted that NCPS was partially, but not fully, meeting most of its stated system objectives.34 Although the system’s intrusion detection capabilities provided the ability to detect known patterns of malicious activity on agency networks, it was limited in its capabilities to identify potential threats using anomaly-based detection. We also reported that although DHS had developed metrics for measuring the performance of NCPS, the metrics did not gauge the quality, accuracy, or effectiveness of the system’s intrusion detection and prevention capabilities.The department had also identified needs for future capabilities, but had not defined requirements for the capability to detect threats entering and exiting cloud service providers. Further, DHS had not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities.
The department had also identified needs for future capabilities, but had not defined requirements for the capability to detect threats entering and exiting cloud service providers. Further, DHS had not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities."
> CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.
They refer to the actor as APT, but this sounds like a highly sophisticated attack. That the malware knows it is in a sandbox and shuts down is not simple code.
This does not sound like a script kiddie
What type of actor would have the time and resources for this type of attack?
"State actor" is a who. "APT" is more of a "how". It describes adversaries who are very technically sophisticated ("advanced"), and who can remain in your network undetected for a long time ("persistent"). Another aspect of "persistent" is that they can be very hard to eradicate - you have to find all the backdoors that they left on all the machines.
Maybe I am misunderstanding your post, but I get the impression you consider APT == script kiddie. I was of the opposite understanding, that Advanced Persistent Threat != script kiddie. It seems right there in the name, an entity that's been and continues to be around, and has shown from TTP analysis that they have the resources to have nice tools, and the competence to use them well. I suppose you could maybe consider the constant presence of skiddies over time to be a Persistent Threat, but probably not an Advanced one. I have also heard of companies claiming to have been breached by an APT to try to excuse their poor or lack of security process.
But my understanding of script kiddies vs APT was that the former does things like buying lists of systems accepting RDP connections from the public internet, and then proceeding to light up the SOC like a Christmas tree when they start deploying crypto miner bots. And that the latter comes in over a supply chain compromise, uses heretofore-not-analyzed malware to compromise monitoring so their traffic data is "accidentally" discarded by the netflow collectors, and then patiently spreads across the enterprise through lateral movement until they find the credit card numbers or diplomatic documents, depending on whether they are a criminal fraud group or state espionage group.
While serious, this should come as no surprise to anyone who has had the "pleasure" of using a government IT system. The OPM hack a few years ago demonstrated this and the current SolarWinds crisis just reminds us of it.
You could liken the security issue to climate change – our entire global economy appears to depend on consumption, which appears to be accelerating climate change. But are we going to actually change anything significantly to address the problem? Uh no, not now, maybe later. Most people barely understand the problem and, even if they care, are powerless to change it. Furthermore, we are now completely reliant on the status-quo and seemingly incapable of imagining a different world. In the same manner, these software systems which now underlie every part of our day-to-day lives are taken as a given. They are now simply too convenient and ingrained in our lives to ever go away.
How do we overcome the inertia of change? Most likely, from what I can see, we will simply change our expectations – it is impossible to build a completely secure software system, so we should instead change how we use it/what we expect it to do.
We also feel pressure to constantly modernize the infrastructure without having a parallel discussion about the security impact of these innovations. As we get further and further from the bare metal with newer and more convenient abstractions, our engineers understand less and less about the realities of the systems they are constructing. And, arguably, as software becomes easier for users to use, they too lose sight of what the system is actually doing and how something can go wrong.
> our entire global economy appears to depend on consumption
I'm puzzled by this statement. For there to be consumption there must be production, i.e., supply and demand, which is the economy, not some separate dependent thing.
The existence of a mutli-trillion dollar advertising industry means you shouldn't be puzzled. The grandparent comment is talking about pushed consumption, i.e. that our economies are based on constantly pushing up consumption, not having it simply be based upon natural, unforced demand. Not to mention things like built-in obsolescence, designed to be thrown away, etc, etc.
> our economies are based on constantly pushing up consumption, not having it simply be based upon natural, unforced demand.
Setting aside the appeal to nature fallacy, there's nothing special about the market process in "our economies". Of course suppliers want to increase profits, and one way is to increase the quantity supplied -- but that takes willing consumers.
If consumers prefer a cheaper thing now with a shorter life span, or to pay for something with their attention instead of their money, is the "problem" that the market process gives people what they want, or that their preferences should be substituted with your own?
> How do we overcome the inertia of change? Most likely, from what I can see, we will simply change our expectations – it is impossible to build a completely secure software system, so we should instead change how we use it/what we expect it to do.
Hardening systems further would hopefully make breaches more difficult and less common, but never prevent them entirely, therefore we should instead start focusing security efforts on limiting the blast-radius of potential damage a breach can cause, resilience of organizations in the face of breaches, and mitigation and recovery from breaches.
There is probably a need/niche for a security equivalent to Netflix's Chaos Monkey that randomly breaches your own systems in order to encourage/enforce that resilience, mitigation and recovery.
> We also feel pressure to constantly modernize the infrastructure without having a parallel discussion about the security impact of these innovations.
We also have PE firms, like the ones that controlled Solar Wind, dictating the level of security investment and dumping their positions when the bill for their negligence comes due. PE wizz-kids call that "optionality". They love optionality.
Congress should listen to Dan Geer and adopt product liability for closed-source software. They should also do something about PE control over the economy, they are doing serious damage.
This is almost certainly just a funny and unfortunate coincidence. The malicious binary was signed, you can't do that with just FTP upload access. The code looks to be injected at build time according to this report by reversing labs: https://blog.reversinglabs.com/blog/sunburst-the-next-level-...
'Signing occurred within a minute of library compilation. That leaves no time for the attackers to be able to monitor the build system, replace the binary and change the metadata to match this perfectly. The simplest way for all these timestamp artifacts to align perfectly is to have the attackers’ code injected directly into the source, and then have the existing build and signing system perform the compilation and release processes as defined by the Orion software developers.'
I'm not sure why you say it's interesting, signed binaries was always known to be a useless measure against APT level threats, getting signing keys is probably the easiest thing at that level. I remember Microsoft even publicly admitted they can't do shit against APT, so all of their "security" PR is essentially not real security, but that's been a thing with all megacorps for years now.
Interesting that this post does not attempt to attribute the attack to a specific ATP. Wonder why that is? Most other platforms were fast with attribution.
Also, worrisome that they already say there were other attack angles besides what is public at this point.
This is great news for opsec. not because our stuff got hacked, but because we found out about it. Surely there are other APTs with hooks in our software/hardware; this one was just really big, and sloppy enough to get caught (after 6mo?).
The big lesson is that unless you take great pains, you're no more secure than your least secure 3rd party vendor. hopefully this attack will prove that lesson to a bunch of people. There are so many exciting solutions to that problem, and free software/hardware has a big part to play. .. yeah this feels like good news. Maybe people will even start asking where their wifi chips come from!
>CISA expects that removing the threat actor from compromised environments will be highly complex and challenging.
That's an understatement. It's potentially intrusion to a degree where firmware becomes a reinfection vector, and where even air gaps can be cleverly jumped and rendered useless.
It's almost always possible to rewritte shitty performing algo, but it's almost impossible to undo leak / hack.
Let's start asking security questions during FAAMG interviews and this alone will increase security knowledge among developers
But yea, it's easier to ask about big O differences that do not reflect reality than security because it'd require interviewer to be competent in that matter.
50 comments
[ 4.3 ms ] story [ 111 ms ] threadPreventing this kind of thing seems like their entire purpose.
Personally, I assume that MAD applies to this system to ensure that no rational nation would leverage this access for anything beyond intelligence-gathering.
I.e. a massive set of new assets
Maybe this is the real rotten core that needs changing. Orgs need to be held to account. And that points to an even deeper core -> we are the ones who need to change, to actually hold orgs to account.
But then again, as long as there is reasonably rapid evolution in society, I have no idea how one might curtail organizations from becoming too big.
At best it would become another game of Whac-a-mole[0] between regulators and organizations, with regulators more often on the losing side than not.
[0] https://en.wikipedia.org/wiki/Whac-A-Mole#Colloquial_usage
When some organization promises to do a thing and they fail to do the thing, then sure, you can blame them for breaking their promise.
This doesn't fix anything though.
To fix things you need to talk about preparedness. Whose job is it to prepare? Do they know what to do? Do they have the resources to do it?
Increased penalties for failure aren't going to fix it. And especially, deciding afterwards that someone should have known it's their problem isn't going to fix it.
Looking for examples of cultures and organizations that over-provision, the military might be an example. Why do we translate worry about physical attacks into action but not cyber attacks or environmental harm?
If investors ask why you're spending so much on ITSEC, you point at regulatory requirements.
In some cases, insurance can do it. It's the insurance company's job to understand and minimize risk.
But the best idea I've read is to have a regulatory agency like the NTSB.
It's probably a fallacy to assume this can be fully digested in a public forum. Things like this require committees and trust and understanding of the problem. Software threw all that out the window years ago.
We can just pray the AI will know better.
In short, the insurance companies have a phrase where they don't have to pay out for business losses caused by disease as specified by a certain law.
But that law got wiped from the books and replaced with a new law. And the terms of insurance for most of the companies never got updated and so are irrelevant on that point.
So the insurance companies should pay up for business losses due to covid. They are now saying "never mind the exact lettering of the agreement, go by the spirit of it"....
https://www.washingtonpost.com/national-security/ruusian-hac...
I think I found the full report here:
https://www.gao.gov/assets/700/696283.pdf
"In that report, we also noted that NCPS was partially, but not fully, meeting most of its stated system objectives.34 Although the system’s intrusion detection capabilities provided the ability to detect known patterns of malicious activity on agency networks, it was limited in its capabilities to identify potential threats using anomaly-based detection. We also reported that although DHS had developed metrics for measuring the performance of NCPS, the metrics did not gauge the quality, accuracy, or effectiveness of the system’s intrusion detection and prevention capabilities.The department had also identified needs for future capabilities, but had not defined requirements for the capability to detect threats entering and exiting cloud service providers. Further, DHS had not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities.
The department had also identified needs for future capabilities, but had not defined requirements for the capability to detect threats entering and exiting cloud service providers. Further, DHS had not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities."
It almost seems like a roadmap for an APT... :|
I wonder how they reached this conclusion
Ah
This does not sound like a script kiddie
What type of actor would have the time and resources for this type of attack?
But my understanding of script kiddies vs APT was that the former does things like buying lists of systems accepting RDP connections from the public internet, and then proceeding to light up the SOC like a Christmas tree when they start deploying crypto miner bots. And that the latter comes in over a supply chain compromise, uses heretofore-not-analyzed malware to compromise monitoring so their traffic data is "accidentally" discarded by the netflow collectors, and then patiently spreads across the enterprise through lateral movement until they find the credit card numbers or diplomatic documents, depending on whether they are a criminal fraud group or state espionage group.
You could liken the security issue to climate change – our entire global economy appears to depend on consumption, which appears to be accelerating climate change. But are we going to actually change anything significantly to address the problem? Uh no, not now, maybe later. Most people barely understand the problem and, even if they care, are powerless to change it. Furthermore, we are now completely reliant on the status-quo and seemingly incapable of imagining a different world. In the same manner, these software systems which now underlie every part of our day-to-day lives are taken as a given. They are now simply too convenient and ingrained in our lives to ever go away.
How do we overcome the inertia of change? Most likely, from what I can see, we will simply change our expectations – it is impossible to build a completely secure software system, so we should instead change how we use it/what we expect it to do.
We also feel pressure to constantly modernize the infrastructure without having a parallel discussion about the security impact of these innovations. As we get further and further from the bare metal with newer and more convenient abstractions, our engineers understand less and less about the realities of the systems they are constructing. And, arguably, as software becomes easier for users to use, they too lose sight of what the system is actually doing and how something can go wrong.
I'm puzzled by this statement. For there to be consumption there must be production, i.e., supply and demand, which is the economy, not some separate dependent thing.
Setting aside the appeal to nature fallacy, there's nothing special about the market process in "our economies". Of course suppliers want to increase profits, and one way is to increase the quantity supplied -- but that takes willing consumers.
If consumers prefer a cheaper thing now with a shorter life span, or to pay for something with their attention instead of their money, is the "problem" that the market process gives people what they want, or that their preferences should be substituted with your own?
It doesn't. Advertising heavily manipulates and subverts people's 'desires'. That was my point.
And just as an aside, discounting points by citing various dubious 'fallacies' is poor discursive etiquette.
Hardening systems further would hopefully make breaches more difficult and less common, but never prevent them entirely, therefore we should instead start focusing security efforts on limiting the blast-radius of potential damage a breach can cause, resilience of organizations in the face of breaches, and mitigation and recovery from breaches.
There is probably a need/niche for a security equivalent to Netflix's Chaos Monkey that randomly breaches your own systems in order to encourage/enforce that resilience, mitigation and recovery.
We also have PE firms, like the ones that controlled Solar Wind, dictating the level of security investment and dumping their positions when the bill for their negligence comes due. PE wizz-kids call that "optionality". They love optionality.
Congress should listen to Dan Geer and adopt product liability for closed-source software. They should also do something about PE control over the economy, they are doing serious damage.
Can someone explain how they were able to do this?
'Signing occurred within a minute of library compilation. That leaves no time for the attackers to be able to monitor the build system, replace the binary and change the metadata to match this perfectly. The simplest way for all these timestamp artifacts to align perfectly is to have the attackers’ code injected directly into the source, and then have the existing build and signing system perform the compilation and release processes as defined by the Orion software developers.'
Also, worrisome that they already say there were other attack angles besides what is public at this point.
Maybe they do not have clue who is doing it?
If an APT is competent, definite attribution of their activities becomes almost impossible.
Perhaps we now live in a weird world now where—with few exceptions—APTs can only be identified by other APTs.
The big lesson is that unless you take great pains, you're no more secure than your least secure 3rd party vendor. hopefully this attack will prove that lesson to a bunch of people. There are so many exciting solutions to that problem, and free software/hardware has a big part to play. .. yeah this feels like good news. Maybe people will even start asking where their wifi chips come from!
That's an understatement. It's potentially intrusion to a degree where firmware becomes a reinfection vector, and where even air gaps can be cleverly jumped and rendered useless.
It's almost always possible to rewritte shitty performing algo, but it's almost impossible to undo leak / hack.
Let's start asking security questions during FAAMG interviews and this alone will increase security knowledge among developers
But yea, it's easier to ask about big O differences that do not reflect reality than security because it'd require interviewer to be competent in that matter.
[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...