Can agencies comply with CISA’s demands?


Federal agencies – there are at least several of them – affected by the SolarWinds cybersecurity fiasco are under a new deadline. Policy issued days ago by the Cybersecurity and Infrastructure Security Agency gives them until the end of the month to complete forensic analysis and to harden their systems. Michael Hamilton questions whether that will even be possible, as he told Federal Drive with Tom Temin. He is the former vice chairman of the DHS Coordinating Council and now the chief information security officer at CI Security.

Interview transcript:

Tom Temin: Michael, good to have you back.

Michael Hamilton: Tom, good to talk to you again.

Tom Temin: So reading the guidance, it seems to presuppose that agencies have already done their forensics on their systems. What does all that mean? And do you think they have the capability to do forensics, as CISA seems to imply?

Michael Hamilton: I don’t think they can scale broadly enough to actually be able to do real forensics for the number of assets we’re talking about here. You know, if there are a handful, maybe half a dozen federal agencies involved, you know, that could be tens of thousands of systems. And a real forensic examination is time consuming and requires human resources that are in extremely short supply. So I would hesitate to believe that they’ve already done a complete forensic analysis of that many assets. It’s just not possible.

Tom Temin: Because the guidance – the version 3 guidance just out last week – says it requires agencies that ran affected versions to conduct forensic analysis. Let’s start there, agencies that ran affected versions to conduct forensic analysis. What about contractor support, would that be available to help them get through it?

Michael Hamilton: It’s a little tough right now, actually, right? You know, CI Security does this kind of work. And the phone is ringing for incident response, much, much more than it ever has. And our resources are stretched. We’ve had to reach out to other companies for assistance. So I know that this capability, which was always in short supply, is now being taxed quite a bit. So the federal government would necessarily have to reach out to contractors. There’s probably resources at the NSA or in federal law enforcement, that are capable of doing this kind of thing, but not at the request of the agencies to go writ large through all of the computers, right? It’s mostly for law enforcement, and investigating very specific crimes. What they may have been able to do is have complete forensic workups done on servers that were housing SolarWinds and Orion, which is different from go out and do forensics on all of your assets, which is essentially what the guidance says. So I think there’s just a little bit of confusion as to what they’re talking about.

Tom Temin: And what would they be looking for, in this analysis if they could do it?

Michael Hamilton: Sure. Well, there are indicators that they’ve released. So if you have a compromised binary, they know what the cryptographic hash is of that binary. So you have a file on disk, and you run it through the hashing algorithm. If the hash is the same as the one that they distributed, you know that you’ve got the bad one. There are other forensics, depending on how well they monitor: they can see things like registry changes that happen, users added, communications made to command and control sites that they’ve identified and things like that. All that’s very time consuming. So again, on the Orion servers, you know, which are probably not that numerous, it’s likely possible to have that done. But when they say, you know, you need to harden all your systems and do forensics on all of them, I think the language, our lexicon, is just a little confusing here. I think what they mean is, here are these indicators, and we want you to go search for these indicators. And some of these are not having to do with the SolarWinds and Orion server. These are having to do with the way that the Security Assertion Markup Language has been used to get credentials to do things like evade multi factor authentication. So it’s not just SolarWinds and Orion. It’s other systems that may have been compromised to use this other technique. And I think they just want all of them examined for the indicators of whether or not they have been compromised, which is different from creating a forensic image of every piece of digital media and then running it through a real forensics process where you’re able to see everything that happened. That’s the one that’s very, very time consuming. And again, the resources are in such short supply that I just don’t think it can scale.

Tom Temin: We’re speaking with Michael Hamilton, chief information security officer at CI Security, former CISO of Seattle. And is it practical or possible in any way to simply roll back systems to prior to the breach, use those versions, sort of a recovery point in time type of exercise, and start over from there or did it happen too long ago to be able to do that at this point?

Michael Hamilton: Well, for some systems, definitely the software, they have already done that. They’ve rolled back to versions that were known not to be compromised, so that they can wait for SolarWinds to come out with a non compromised new version. So I think that’s what everybody did they rolled back. In terms of rolling back your operating system, right, Windows 10, or whatever they’re using – that doesn’t make much sense because if you roll it back, what you’re doing is you’re introducing vulnerabilities that have been patched. So I think for the applications in scope. Yeah, that’s true. For operating systems not so much.

Tom Temin: And what about the other pieces of advice coming from CISA here? The hardening required, the question of whether to rebuild or upgrade and so on, there’s a lot of – sort of decision trees coming from CISA. What’s your sense of whether agencies are on to this task yet?

Michael Hamilton: I think this one’s easier, because some of the hardening that they can do can be automated. And so they can roll out configurations to all of their systems from a single point. And that’s a whole lot easier than taking every disc apart with a toothpick and Q-tip. So I think that in terms of the hardening, the guidelines that they released are pretty straightforward. So the IT organizations in these federal agencies are probably close to getting that done already.

Tom Temin: And is this type of thing that CDM should have caught, or the Einstein 3 program and all of these things, running for so many years now, that seem to just overlook the SolarWinds update?

Michael Hamilton: You know, I mean, this is the kind of thing that would have been very, very difficult for network-based detection to get, because this was an authorized update from a real vendor. And it looked exactly the same as every other update that came in. You know, they had compromised the cryptographic authentication of the software itself. So it all checked out. And it’s not clear that Einstein would have been able to see that. Now, subsequent to that, as you know, the malware lands, it’s got a beacon out. And it’s got to say, “I’m here, what do you want me to do?” Those communications Einstein should have seen those. But my understanding is that they use domestic systems in the United States for command and control. You know, if you’re using AWS for your command and control, you can’t block that. Because everything uses AWS. So AWS, Azure, Google Cloud, I mean, all of these things make it very, very difficult to detect what is a command and control communication for espionage or organized crime – you know, versus, I’m using Salesforce. I mean, it’s going to look a lot the same. So, you know, Einstein is a good network-based detection system. I think that some of the tactics used here were specifically designed to evade that.

Tom Temin: Sure, because it came in from the supply chain. Is your sense that the CMMC program, which is still barely underway, really, will be the ultimate answer for this type of threat?

Michael Hamilton: Wow, so there’s a bucket of fish! Ultimately, I do. I don’t think in today’s incarnation they’ve gotten serious enough yet about going out and actually auditing the organizations to make sure that they are compliant, right. It’s still a lot of self assessment right now. So you know, we’re just gonna have to see.

Tom Temin: Sure. But let me ask you this, then what is the bigger lesson in all of this as they get past the emergency?

Michael Hamilton: Well, the bigger lesson is this – everybody needs to – everybody, every business, every government organization, needs to have everyone show their security papers before you do business. And it’s got to reach out to, I’m not just worried about you, my business partner, I’m worried about your other business partners, because you know, the nth party now is kind of in scope as part of your threat circle. You brought up CMMC, as they get more and more serious about this, this thing is going to evolve. And they’re going to start being much, much more vociferous, I believe, about what kind of examination you give to your business partner.

Tom Temin: And do you think that an outfit like SolarWinds can still be a trusted partner to the government because of how deeply it’s already involved and has been trusted for some time now?

Michael Hamilton: Well, you know, candidly, I think that SolarWinds’ fate is in the air right now. From what I’ve heard, the SEC is moving against SolarWinds because they didn’t report what they should have as a known risk. The executives are part of a class action suit brought by a shareholder. And so we’re going to be looking at claims of executive negligence and this is going to get pretty ugly. And I think all that’s going to go into the decision as to whether or not SolarWinds continues to be a federal partner. That said, their software is great. I mean, their network management stuff is the best. So you know, both of those things are going to have to be considered.

Tom Temin: I suppose every cybersecurity vendor is looking at their own supply chain, their own practices right now with not too much smugness because it can happen to the best of them it sounds like.

Michael Hamilton: Yep, that’s exactly right. Everybody is scared. That’s a fair statement.

Tom Temin: Michael Hamilton is chief information security officer at CI Security and former chief information security officer of Seattle. As always, thanks so much for joining me.

Michael Hamilton: You bet, Tom. Really enjoy talking to you.
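Hamilton describes the simplest form of indicator search above: hash the files on disk and compare against the hashes an advisory publishes for the trojanized binary. The following is an added example, not code from the interview, from CISA or from CI Security, of how a defender would sweep an install tree that way. The indicator list, the directory layout and the file contents are all constructed here (the page gives no real hashes, so the "known bad" hash is derived from a placeholder byte string); a real sweep would load the advisory's published SHA-256 values instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a published indicator list. A real advisory supplies
# the SHA-256 of the trojanized binary; this page does not, so the placeholder
# hash is derived from constructed sample content.
KNOWN_BAD_CONTENT = b"constructed sample: bytes standing in for a trojanized DLL\n"
IOC_HASHES = {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest()}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, ioc_hashes: set[str]) -> list[tuple[str, str]]:
    """Walk root recursively, hash every regular file, and return (relative path,
    hash) pairs whose digest appears in the indicator set. Every file is hashed
    rather than only those with a binary extension, since a renamed file is
    still the same bytes."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = hash_file(p)
        if digest in ioc_hashes:
            hits.append((p.relative_to(root).as_posix(), digest))
    return hits


def build_sample_tree(base: Path) -> Path:
    """Constructed sample install tree: one benign file, one file whose bytes
    match the placeholder indicator, and a nested benign file to show recursion."""
    (base / "Orion" / "Plugins").mkdir(parents=True, exist_ok=True)
    (base / "Orion" / "Clean.dll").write_bytes(b"benign sample contents\n")
    (base / "Orion" / "Suspect.dll").write_bytes(KNOWN_BAD_CONTENT)
    (base / "Orion" / "Plugins" / "Other.dll").write_bytes(b"another benign sample\n")
    return base


def demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return scan_tree(root, IOC_HASHES)


if __name__ == "__main__":
    for rel_path, digest in demo():
        print(f"IoC match: {rel_path} sha256={digest}")
```

A hit tells you a known-bad file is present; it says nothing about what the implant did afterwards, which is the distinction Hamilton draws between indicator search and a full forensic examination. In practice the sweep runs from a clean host against a mounted image or over an endpoint agent, and the hash list is refreshed as the advisory is revised.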
