Soon after the specifics about the SolarWinds attack came to light, the Department of Homeland Security went to work to limit the damage.
Among the first things it did was put the attack signatures into the EINSTEIN toolset that is used by nearly every agency.
“As part of the SolarWinds campaign, EINSTEIN was extremely useful in terms of identifying suspicious network traffic from a handful of federal civilian agencies that upon further investigation by those agencies helped identify additional victims of this campaign. It’s worth noting that EINSTEIN didn’t prevent the intrusion nor was it able to detect the intrusion until, in this case, we received threat information from private sector partners to inform our detection and prevention mechanisms,” said Matt Hartman, the deputy executive assistant director for cyber at CISA, in an interview with Federal News Network. “As soon as CISA received indicators of this activity from industry partners, we immediately leveraged EINSTEIN to identify and notify agencies of anomalous activity on their networks, which helped accelerate response, remediation and recovery activities.”
Hartman said it also helped CISA as part of the Unified Coordination Group to provide asset response and remediation of the attacks.
“Without EINSTEIN, we may have departments today that still did not know they were victims of this campaign. Through the EINSTEIN 1 NetFlow capability to — after the fact — look at indicators, identify potential indications of compromise has proven extremely useful,” he said. “This is just one example over the last few months of CISA being alerted via EINSTEIN of a potential compromise of a federal agency’s network. We are consistently flagging this sort of anomalous activity to agencies, which then kicks off further investigation and incident response activity, as appropriate.”
Hartman said EINSTEIN provided insights into specific indicators or call-outs to internet protocol addresses or domains that were known to be part of this campaign at other agencies or the private sector.
He added EINSTEIN helped confirm to multiple agencies that they were victims of the SolarWinds attack.
The value EINSTEIN demonstrated during SolarWinds is overlooked by many in the federal community. Part of the reason is the Homeland Security Department’s poor communication and lack of transparency about EINSTEIN’s capabilities over the last 15 years.
Limitations well known
Suzanne Spaulding, the former undersecretary of the National Protection and Programs Directorate at DHS and now the senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies, said NPPD, now known as CISA, could’ve done a better job educating the public, Congress and the media about what EINSTEIN was designed to do.
“I can remember these conversations post-OPM breach about what EINSTEIN allowed us to do once we detected malicious activity. We took the signature information and loaded it into EINSTEIN. It provided protection to other agencies who deployed EINSTEIN. It was valuable in that sense,” she said. “I remember having these conversations with folks on the Hill. It missed the initial attack because it was something we hadn’t seen before, but the important value of EINSTEIN was that it prevented the same attack from being used against others.”
Spaulding and other former DHS cyber officials readily admit EINSTEIN’s limitations can be frustrating. Among the complaints about EINSTEIN over the years has been that it is only reactive to known problems and doesn’t help agencies address the threats in real time.
Additionally, CISA has been slow to evolve the tools and capabilities in EINSTEIN. The technology that EINSTEIN uses doesn’t work well with cloud services and causes latency in networks.
For example, E2, which is a network intrusion detection tool looking for malicious or potentially harmful network activity, has become less effective over the last few years because so much of the data is encrypted.
Hartman said CISA recognizes those shortcomings and is trying to move E2 toward the end points.
“We have been working on a pilot or proof of concept for the better part of 18 months now. We’ve seen some great successes, really pairing CISA’s threat hunting analysts, who have an intelligence-driven focus, with the agency security operations center analysts, who have a tremendously rich understanding and context of their environments, to help rapidly detect anomalous activity and potentially malicious activity at the end point to include lateral movement,” he said.
Future of cyber at the end points
Tom Bossert, the former homeland security advisor to President Donald Trump and now president of Trinity Cyber, said he was encouraged by CISA moving its tools closer to the end points and to cloud environments.
He said agencies understood the push to remote work over the last 15 months created a broader attack surface, but only now do they realize they have to do more to protect their employees, data and applications.
“The future of cybersecurity is a different architecture. We put active sensors at the internet-facing edge of network where a department or company connects to the internet and that usually goes through things like firewalls or intrusion detection and prevention tools,” he said. “But if you aren’t going through a central access point and going straight to the cloud, your protections are more limited. The only thing that is preventing the agency or company from being hacked is that web gateway which aren’t necessarily that good. If a hacker accesses a machine that is a pathway to cloud services. Any internet facing access should run through a break-and-inspect type of service that fully interrogates all traffic. You have to decrypt it first, but if you apply that standard you will end up with a better option to protect your networks.”
Despite EINSTEIN’s limitations over the years, cyber experts agree agencies wouldn’t be as safe without it.
“The value of EINSTEIN is old exploits and signatures are still valuable if you are not looking for them,” said Matt Coose, the former director of Federal Network Security Branch at DHS and now CEO and founder of Qmulos. “The real goal is to move the timelines to the left so we get updated signatures more often so we can detect what is going on more quickly. Without the early warnings, we still are in reactive and monitoring mode against old threats.”
Spaulding added that because 98% of the user population across civilian agencies is using EINSTEIN, it gives CISA a level of visibility into what’s happening on agency networks that is essential for other cyber tools and activities to work well.
CISA fully recognizes that EINSTEIN needs to change more quickly, especially as remote work remains this widespread.
“We are evolving all our core programs and capabilities to provide the protections at the network, at the host levels and anywhere else we can secure the civilian enterprise while increasing CISA’s ability to rapidly detect threats,” Hartman said. “We also are working with OMB and the inter agencies to drive toward more sophisticated architectures, including zero trust concepts that are focused on identifying and securing the federal government’s highest value data.”