Lots of agencies are hearing chirp, chirp these days. Not cicadas, but alerts from the Cybersecurity and Infrastructure Security Agency. It has a system called the CISA Hunt and Incident Response Program (CHIRP). It’s designed, in the agency’s words, to help network defenders find indicators of compromise from two recent and broadscale attacks. For more, Federal Drive with Tom Temin turned to CISA deputy associate director Jermaine Roebuck.
Tom Temin: Mr. Roebuck, good to have you on.
Jermaine Roebuck: Good morning.
Tom Temin: So tell us about the CHIRP tool. It’s designed to help agencies do what exactly?
Jermaine Roebuck: We developed CHIRP as part of our ongoing support to federal departments and agencies affected by threat actor activity associated with certain versions of the SolarWinds Orion platform and the Active Directory/M365 compromise. CHIRP is essentially a forensics collection capability that is intended to help network defenders find indicators of compromise associated with the attack.
Tom Temin: And is this something they install on their own networks? Or is it a piece of software they download? How does it work?
Jermaine Roebuck: That’s a great question. This new resource is the outcome of our team’s focus and ongoing commitment to support federal D’s and A’s. During the response efforts, we quickly realized that a subset of potentially impacted organizations likely lack the capability to perform the level of forensics analysis necessary to determine if their machines were compromised. To address this, we decided to develop something simple that organizations could run in order to help them make that determination. Within CISA, we have a talented group of individuals that developed this program, mostly in Python, in order to scan for signs of APT compromise within on-premises environments.
Tom Temin: APT compromised meaning?
Jermaine Roebuck: Advanced persistent threats.
Tom Temin: Got it. Okay. And what specifically is the threat from the SolarWinds hack? We’ve heard so much about it on a grand scale, but what can it actually do if a threat from it advances and persists on your network?
Jermaine Roebuck: So with this particular activity, what occurred was essentially a software supply chain attack. So the attacker was able to embed code within specific systems. And essentially what it did was, when organizations downloaded what they assumed to be secure code, it essentially allowed a backdoor for threat actors to be able to get into these environments. Once in these environments, they’re able to move laterally throughout the environment, and basically take control of an enterprise environment through theft of credentials, etc.
Tom Temin: In other words, the downloads that an agency would do thinking they were secure, they would still get the download, but they would get something extra that they weren’t aware of.
Jermaine Roebuck: That’s exactly right.
Tom Temin: And is there any knowledge at this point, any figures on how often this has actually happened? Or I guess maybe you need the CHIRP tool to find out.
Jermaine Roebuck: So I don’t have the necessary metrics to explain how often this does happen. But the CHIRP tool was developed specifically for this campaign related to SolarWinds. So essentially, what we did was we compiled a number of different indicators, TTPs, etc. and put the most common ones into a package. So that organizations that didn’t necessarily have full forensic capability could use this platform to make a determination as to whether or not they have a problem. From there, we provide them with instructions on how to use the tool. And we also offer assistance in the form of contacts. And that way we could potentially advise you on follow-on steps.
Tom Temin: And is this something that would become part of the CDM program? For example, would you want to have it forever in place to keep checking?
Jermaine Roebuck: What’s unique about CHIRP and the way that we developed it is that it essentially can be used for more in the future. So essentially, what it does is take any sort of indicators that you can throw at it, depending on whether or not it’s compatible, and you could use it to look for other things. So the future for CHIRP is really much more about, as we uncover huge complicated threats like this, we may look to use that platform to essentially push indicators to allow folks that don’t have or have the capability to quickly make assessments.
Tom Temin: We’re speaking with Jermaine Roebuck, he’s Deputy Associate Director of the Cybersecurity and Infrastructure Security Agency, part of DHS. So in other words, it’s almost like CHIRP is a microscope, and you can just change the slides, depending on what bacteria you’re having people look for.
Jermaine Roebuck: That’s a very good analogy. That’s exactly right. All right.
Tom Temin: And what kind of a team did it take? You said they’re talented, but did it take a lot of programming, or is this something relatively lightweight?
Jermaine Roebuck: It was not lightweight, it did take some programming talent. But fortunately, we have individuals that we use to do analysis-oriented response engagements that also have the capability and the ability and education to write and develop programs. So it took quite a bit of time because obviously, when we create these things, we’re very careful that when organizations run it, the risk that it might have negative effects is low. So we took quite a bit of care to do that. Obviously, we open sourced it as well. So we’re looking forward to the community taking a look under the hood, if you will, and adding improvements and things like that.
Tom Temin: I was gonna say, because SolarWinds hit so many corporate entities, that would be something the private sector would probably want to get its hands on too, and it sounds like they can.
Jermaine Roebuck: Absolutely.
Tom Temin: Have you had much interest in it so far, have you had those downloads and inquiries about it?
Jermaine Roebuck: We’re tracking several hundred downloads. We have partnered with a few private sector organizations that we routinely work with, that have taken a look at the tool, sort of that partnership model, if you will. But by and large, this tool isn’t necessarily aimed at large organizations, it’s more or less aimed at the small and midsize businesses that could potentially be part of this supply chain attack, or even really small federal departments and agencies as well.
Tom Temin: Yeah, often it’s the small ones, the small federal agencies, that simply have to rely on the expertise of the bigger ones to be able to get things done. You find that to be the case?
Jermaine Roebuck: We find that to be the case routinely. What typically happens with some of these small organizations, you have folks that dual-hat, as you know, as the IT administrator and the forensic specialist. So sometimes they need a little bit of help or augmentation to perform some of these analyses.
Tom Temin: And in giving the instructions to agencies on how to use the CHIRP tool, do they also know what to do if something should turn up, if an APT is found using the CHIRP tool?
Jermaine Roebuck: Yeah, that’s a big part of it. So what we’ve instructed departments and agencies to do is that if they should run this tool, there are instructions on how to contact CISA. So if they do see something, they do have the ability to reach back to CISA, where we can provide follow-on instructions.
Tom Temin: Safe to say that you are gathering instances of what is found using CHIRP so that you can get a better understanding, perhaps, of the extent of what SolarWinds might have done in the federal government, or I guess, throughout the world, for that matter.
Jermaine Roebuck: Yeah, CHIRP is more of that quick gut check to see what’s happening on that box. In order to really peel back the layers of the onion to identify what may have taken place in these environments, the follow-on actions are typically where we send forensic specialists in to further dissect the devices and to further look throughout the environment for additional indicators.
Tom Temin: You’d probably want to get your hands on the code that is found so that you can better understand the structure of the threat itself too, I imagine.
Jermaine Roebuck: Yeah, that’s a very big part of it. So essentially, when we’re able to pull back the offending underlying code or backdoor, we’re able to assess what additional functionality may be there. That’s also a big part of trying to understand what the threat actor capabilities may be on that device to further their additional goals within an environment.
Tom Temin: And what are you cooking up for the next project?
Jermaine Roebuck: It’s on a case by case basis. So as we get new compromises that come in, we assess whether or not there are tools available to be able to counteract a threat or investigate the threat. If we identify that there’s a gap, that’s when we go into overdrive, and we start to think outside of the box to create new and additional capabilities to help the community. So right now, thankfully, we’re not at that place. But we’ll be on the lookout; if there are additional compromises at this scale, and with this complexity, that’s when we start to think outside of the box and develop these sorts of capabilities.
Tom Temin: Well, we’re glad you’re on the job. Jermaine Roebuck is Deputy Associate Director of the Cybersecurity and Infrastructure Security Agency. Thanks so much for joining me.
Jermaine Roebuck: Thank you.