Happy Tuesday! It’s time to get ready for another episode (#121) of the UNSECURITY Podcast!
Not sure if you caught it last week, but there was an open U.S. Senate hearing on Tuesday (2/23). The hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary” and lasted about two and a half hours. The hearing was about the events surrounding the SolarWinds Orion Hack, and what we can do to prevent (or at least reduce the likelihood of) similar events in the future. Witnesses included some well-known people in our industry:
- Kevin Mandia, CEO of FireEye
- Sudhakar Ramakrishna, CEO of Solarwinds
- Brad Smith, President of Microsoft
- George Kurtz, President and CEO of CrowdStrike
This hearing was a big deal because U.S. policymakers are trying to figure out what to do, and how “to make sure this doesn’t happen again.” If policy makers draft policy based solely on what these witnesses said, we might be in some serious trouble!
There were some really interesting things said during the hearing, and we’re going to share our thoughts on today’s show.
So, let’s do this! These are the notes for episode 121 of the UNSECURITY Podcast.
SHOW NOTES – Episode 121 – Tuesday March 1st, 2021
[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 121, the date is March 2nd, 2021, and joining me as usual is my good friend, Brad Nigh. Good morning Brad!
Quick Catching Up
- What’s new?
- Working on S2Org r3, IR assessment, and other things.
- The Gray Matter Society
- Who would make a good guest next week?
- Anything else new at FRSecure and/or SecurityStudio?
Open Hearing: Hearing on the Hack of U.S. Networks by a Foreign Adversary – https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary
- Kevin Mandia’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf
- Sudhakar Ramakrishna’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf
- Brad Smith’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf
- George Kurtz’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-022321.pdf
- The hearing went ~2 1/2 hours, did you make it through it all?
- So, Amazon Web Services didn’t show up. They haven’t been forthcoming or helpful
- U.S. Senators: AWS Infrastructure Used In SolarWinds Attack – https://www.crn.com/news/security/u-s-senators-aws-infrastructure-used-in-solarwinds-attack
- AWS: SolarWinds Hackers Used Our Elastic Compute Cloud – https://www.crn.com/news/security/aws-solarwinds-hackers-used-our-elastic-compute-cloud
- Amazon’s Lack of Public Disclosure on SolarWinds Hack Angers Lawmakers – https://www.wsj.com/articles/amazons-lack-of-public-disclosure-on-solarwinds-hack-angers-lawmakers-11614258004
- AWS criticized over how it shared information on SolarWinds hack – https://siliconangle.com/2021/02/25/aws-criticized-shared-information-solarwinds-hack/
- An interesting Q&A (starting at 1:22:08) from Senator Wyden (D-OR)
- Senator Wyden: The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?
- Mr. Ramakrishna: Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers.
- Senator Wyden: Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.
- Mr. Mandia: And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.
- Senator Wyden: I don’t want to use up all my time. We’ll say that your response to NSA and the National Institute of Standards is “it depends”. Let’s just go down the row.
- Mr. Ramakrishna: So my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules.
- Senator Wyden: Very good.
- Mr. Smith: I’m squarely in the “it depends” camp.
- Senator Wyden: OK.
- Mr. Smith: For the same reasons that Kevin said.
- Senator Wyden: OK, I think we have one other person, don’t we?
- Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys.
- Senator Wyden: I’m going to close, and uh, my colleagues are all waiting. Bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So, in the days ahead it’s gonna be critical that you give this committee assurances that spending billions of dollars more after there weren’t steps to prevent disastrous attacks that experts had been warning about was a good investment. So, that discussion is something we’ll have to continue, thank you Mr. Chairman.
- Other thoughts and discussion about the hearing.
- There was general consensus amongst the witnesses that there’s a strong need for mandatory reporting of cyber attacks
News stories to cover this week, include:
- Hackers release a new jailbreak tool for almost every iPhone – https://techcrunch.com/2021/03/01/hackers-unc0ver-jailbreak-iphone/
- Chinese businessman plotted with GE insider to steal transistor secrets, say Feds – https://www.theregister.com/2021/03/01/china_mosfet_theft/
- NSA embraces the Zero Trust Security Model – https://securityaffairs.co/wordpress/115121/security/nsa-zero-trust-security.html
Wrapping Up – Shout Outs
Good talk! It will be interesting to see what legislation comes out of Washington in response to SolarWinds.
- Who’s getting shout outs this week?
- Closing – Thank you to all our listeners! Send things to us by email at firstname.lastname@example.org. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!
…and we’re done.