Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
The so-called insider threat remains a potent one for cybersecurity practitioners. But old fashioned outside hackers have been raising their capabilities. Now they’re the biggest threat to governments at all levels. Those are among the findings of the latest annual cybersecurity survey done by software vendor SolarWinds. With the highlights, the Federal Drive with Tom Temin spoke to SolarWinds chief information security officer, Tim Brown.
Tom Temin: And this is a survey. So tell us who you spoke with and the types of people and some questions you asked them.
Tim Brown: So we spoke to about 400 IT, operations and security people. About 200 in the federal space, 100 state and local and 100 educators. So a good cross section of folks, federal, state and local.
Tom Temin: All right, and so the top line finding at least one that came out at me was the idea of hackers, as opposed to say phishers or people doing stupid things internally, has risen in terms of their threat capabilities.
Tim Brown: Yeah. And actually just the awareness and what people are concerned about. We’ve always seen more concern, especially in the federal government for the insider. And the insider threat has been higher than the general hacking population. This year, we saw a shift to the nation state as one of the largest threats that people believe that they face. Now, that’s an interesting shift from saying, hey, not the general hacker community, not the insider, but the nation state actor.
Tom Temin: And so what are the indicators of threat for that? And are people generally up to speed on having those indicators feeding into them reliably so they know what’s going on?
Tim Brown: Yeah, it’s hard, right? When you face a nation state attack, that nation state attacker is extremely quiet. They’re extremely thoughtful in what they’re doing. They’re trying to do reconnaissance on the back end, they’re trying to be quiet and stealthy in their approach. So when you look at our incident, which is now attributed to the Russian SVR, when we look at that, they came in for a specific purpose. They were on a specific mission. They were like the science fiction movie theater actor that’s on a mission that said, I’m going to come in do one thing, and then I’m going to get out, I’m not going to make noise, I’m not going to be loud, I’m not going to be easy to find, and I’m going to perform everything on a mission level operation. What we’re seeing now, though, is that the ransomware vendors are doing those types of same things. They’re getting more sophisticated in their attack models.
Tom Temin: So they are using the techniques of people who want information and data for strategic purposes, and applying those techniques for ransomware.
Tim Brown: Yeah, absolutely. Because they know that if you look at the ransomware payouts that have happened over the year, they’re getting larger and larger and larger. So if you’re going to get a payout of $5 million, is it okay to invest $500,000? Right? You don’t just get it for free. They can create a mission plan, they can be prescriptive, they can be long term, quiet, stealthy, and make that investment because the payout on the other end is so great.
Tom Temin: And SolarWinds has a pretty big footprint in the federal government. Do you get the sense that even though the federal government has not had a successful ransomware attack that we know about, there have been some at the state and local levels, and they have paid to the entities to get their data back and so forth. Do you sense that the government has a plan of action? Should a ransomware attack be successful, and data is taken or somehow encrypted, that they know what they would do? How they would respond?
Tim Brown: I think there are plans in different areas and different segments have the correct plans for saying, hey, what would I do? And the realization that, hey, this can happen. If you look at the evolution, ransomware is just simply a better business model for threat actors. They don’t need to steal data and sell it to someone, they simply need to get access, encrypt the data, they take out a middleman, and then they get paid. So don’t think of ransomware as something that is brand new, you still have to get in, you still have to take action. But you’ve taken a middleman out from the selling perspective. So that’s why it’s so popular of an attack model. You get paid quickly, you get paid directly, you don’t have middlemen in the way, but again, the stealthy tactics at the nation state are starting to get applied by that type of threat actor.
Tom Temin: We’re speaking with Tim Brown, he’s chief information security officer at SolarWinds. And relative to state and local government, the federal government seems to be more capable at cyber, but that’s an issue because of the interaction sometimes between federal and state systems. It’s actually quite a widespread phenomenon.
Tim Brown: Yeah, so one of the things that survey showed as well, it’s just the lack of people, right? The lack of, in some cases, it’s not funding for people but it’s funding for finding the right people, bringing the right people in. Private sector still usually pays more than public sector so just the talent and the people that are necessary in the breath, with cyber becoming such a big business, every commercial operation is looking for cyber people as well. So there’s a lot of competition for the right people and the right architecture and design of security systems and systems in general.
Tom Temin: Now, phishing has been a popular vector for implanting bad software. But that is kind of visible and kind of exciting when it happens. Do hackers with mal-intent still use the old fashioned techniques of trying to code their way in stealthily? I think you implied that?
Tim Brown: Yeah, absolutely. The old school techniques still are absolutely applied to even sophisticated attacks. How do you understand what an environment looks like? You get in, you do reconnaissance on an environment, you get access to the top level, you get access to email and other things. And you start learning. Phishing is always a good entry point, social engineering is still an entry point. So there’s a lot of kind of classic entry points that are utilized by even more sophisticated folks.
Tom Temin: Has remote work made this worse? This threat, simply because people that are not in the standard office setting may be using different networks to connect to the internet that are varying degrees of security.
Tim Brown: Yeah, so one of the things that survey showed was a couple things that were interesting, right? So, what were the three top technical implementations that folks were looking for? One was remote collaboration, the other one was remote control, working, how to be able to remote into system. And the third was troubleshooting.
And interesting on the third one being troubleshooting. Why troubleshooting? We look at environments, they have greatly increased in complexity. So we’ve got people working from home everywhere. So we have that component, then we have networks that have gone hybrid, we have systems that are everywhere, they’re in the cloud, they’re on premise or in what we used to call our network, right? They’re everywhere. And then we have the remote workers on the outside. So the contained model of saying, hey, I got this thing that it’s a big thing in the middle that I can protect, is just, changed incredibly in the last year. So that’s our challenge is how do we now not protect just a remote work? But how do we protect the hybrid IT environments that are just everywhere in place.
Tom Temin: Looking at the same environment from a different angle, the federal government has a large program with many manifestations, to deal with a supply chain security threat. And of course, SolarWinds had that issue about a year and a half ago. What’s the status there? Are agencies getting better at understanding that vector?
Tim Brown: Yeah, so, I think one of the questions we had was, how much awareness of the executive order do folks have? And a lot of good awareness there a lot of good hope there. So I think the awareness of supply chain is there, I think solutions for supply chain are difficult, right? Just think about something like Microsoft Windows, how many third party components it has inside of it? And then think about how many third party components those third party components have. We just have a big, big, big, big, big, big supply chain where things like Log4j came out December again, and affected so many. It’s like, how many are utilizing it? Where’s it being utilized? What’s going on? How does this affect my other systems in my applications that I’m in use? So it’s a good example of a component that’s common, that’s utilized, that had a major vulnerability and utilized. So we’re still working on the kind of procedures around how we get it all right, and how we both understand what we have, and then take actions when something like this occurs. So I think the good news on supply chain is that it is understood, people are thinking and people are trying to come up with solutions that will be appropriate and be practical and work.
Tom Temin: Yeah, that thinking component, I guess, is the most important one.
Tim Brown: It is it is realization that, hey, this is a problem realization that hey, I don’t know what I’m doing here, maybe. I don’t know what I’m going to do. I don’t know what components I have. So thinking about it. It’s kind of stage one. Once we get awareness, great.