Tag Archive for: respond

Biden needs to respond to Russian hacking
President Joe Biden is a famously nice guy. Maybe he should stop being nice, just for a while.

His administration is reportedly close to punishing Russia for a series of glaring transgressions and abuses, including the epic SolarWinds Corp. computer hack that has left governments and businesses worldwide exposed to a mammoth data breach. As Bloomberg News reported Wednesday, the White House may soon announce economic sanctions against individuals close to Russian President Vladimir Putin and expel Russian diplomats from the U.S. There also may be “private talks with Russia laying out further actions the U.S. would be prepared to take.”

I don’t know. When you haven’t taken any action, telling the people who have been picking your pocket that there are further actions you would be prepared to take if they don’t change their ways doesn’t seem threatening.

And the clock is ticking. The SolarWinds hack burst into view in December, but by then it had been running undetected for months. In late February, amid congressional inquiries into the intrusion, National Security Advisor Jake Sullivan said the Biden administration would soon deploy a “mix of tools seen and unseen” against Russia that went well beyond economic sanctions. Those actions were said to be just weeks away. In March, White House Press Secretary Jen Psaki said a “mix of actions seen and unseen” were on the way.

Now it’s April, and Biden still hasn’t acted. What’s more, he has yet to appoint a national cyber director, the person with the authority to coordinate speedy responses to cyberattacks. Congress created the position late last year through defense legislation that overcame a veto from former President Donald Trump. The expectation was that Biden’s White House, which has prioritized cybersecurity, would fill the role quickly. But bureaucratic squabbles have left it empty.


A CISO and a hacker detail how they’d respond to the Exchange breach – TechCrunch
The cyber world has entered a new era in which attacks are becoming more frequent and happening on a larger scale than ever before. Massive hacks affecting thousands of high-level American companies and agencies have dominated the news recently. Chief among these are the December SolarWinds/FireEye breach and the more recent Microsoft Exchange server breach. Everyone wants to know: If you’ve been hit with the Exchange breach, what should you do?

To answer this question, and compare security philosophies, we outlined what we’d do — side by side. One of us is a career attacker (David Wolpoff), and the other a CISO with experience securing companies in the healthcare and security spaces (Aaron Fosdick).

Don’t wait for your incident response team to take the brunt of a cyberattack on your organization.

CISO Aaron Fosdick

1. Back up your system.

A hacker’s likely going to throw some ransomware attacks at you after breaking into your mail server. So rely on your backups, configurations, etc. Back up everything you can. But back up to an instance before the breach. Design your backups with the assumption that an attacker will try to delete them. Don’t use your normal admin credentials to encrypt your backups, and make sure your admin accounts can’t delete or modify backups once they’ve been created. Your backup target should not be part of your domain.

2. Assume compromise and stop connectivity if necessary.

Identify if and where you have been compromised. Inspect your systems forensically to see if any systems are using your surface as a launch point and attempting to move laterally from there. If your Exchange server is indeed compromised, you want it off your network as soon as…


Concern mounts over government cyber agency’s struggle to respond to hack fallout
With Microsoft acknowledging for the first time this past week that suspected Russian hackers behind a massive government security breach also gained access to its source code, pressure is mounting on US officials and cybersecurity experts to explain how the attackers infiltrated various US computer networks, what they did once inside and the steps that are being taken to mitigate the damage.

As US officials struggle with the fallout, questions are swirling about whether the agency tasked with protecting the nation from cyberattacks is up to the job.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) signaled it’s still working to patch the known vulnerabilities, advising agencies to update their software from SolarWinds, a private contractor whose product attackers exploited to gain access into potentially thousands of public and private sector organizations.

Congressional Democrats and the Biden transition team are demanding more information about the massive hacking campaign, calling on the Trump administration to address concerns about its handling of the fallout and perceived lack of transparency in the weeks since the data breach was first discovered.

The Biden team in particular has stated that it’s been stonewalled by Trump officials in its effort to learn more about key national security issues, including the hack.

Trump administration officials say those accusations are exaggerated but have also acknowledged they are wary of any transition activity that could provide the Biden team a head start in dismantling the President’s priorities.

To date, the White House has offered few public details about what is believed to be the most significant cyber operation targeting the US in years. The lack of…


US establishes Cyber Unified Coordination Group to respond to SolarWinds compromise. Report on Chinese influence ops delayed.
The US Government and a large number of private organizations continue to assess the extent of the SolarWinds incident. The scope and extent of the damage are known to be large, but just how large, and who specifically was affected, remains under investigation. An op-ed by former US Homeland Security Advisor Bossert probably has it right in saying that the breach is “hard to overestimate.”

A joint statement yesterday from the US FBI, CISA, and ODNI says that the Government has invoked Presidential Policy Directive (PPD) 41 to establish a Cyber Unified Coordination Group to coordinate a whole-of-Government response to the Russian cyber operation that exploited SolarWinds’ Orion platform.

According to KrebsOnSecurity, FireEye, Microsoft, and GoDaddy cooperated on a response to the SolarWinds compromise by establishing a killswitch to disable Sunburst backdoor instances still beaconing to their original domain. As FireEye said in a widely quoted statement, “this actor moved quickly to establish additional persistent mechanisms to access to [sic] victim networks beyond the SUNBURST backdoor,” so the killswitch is far from representing a thorough remediation. BleepingComputer has a summary of what’s publicly available so far.

Bloomberg reports that the US Director of National Intelligence said yesterday that the Intelligence Community will not meet tomorrow’s deadline to report to Congress about Chinese influence operations in the 2020 election season. That there were attempts seems clear enough, but how extensive they were, and how much prominence they should be given, remains a matter of disagreement among the agencies in the Intelligence Community.
