brief Flashcards
Intro: Hello! thanks…
for allowing me to help kick off what should be a fascinating day of deeply technical talks. I'm humbled to be included with the other bright minds that will be sharing this venue, and I want to apologize in advance for mucking up what should be a fascinating group of technologists with my government flavors.
Intro: by way of introductions…
I'm Josh Finney, and I'm from CISA. This is pronounced, for the record, as "CISA", not "Seesaw" or "SY-SA", or any of the other hilarious versions we hear every year. We're an agency that still has a "new car smell", as Congress surged us into being under the Department of Homeland Security umbrella in 2020.
Intro: I presently lead
CISA's incident response teams and our proactive threat hunting cohort. This means that whenever things go bump in the cyber night, my team of exceptionally bright analysts is tasked with figuring out who it was that bumped, what systems got bumped, and in some cases... how do we evict the bumpers.
Intro: if that explanation…
makes any sense to you, then you're doing better than the friends and family of mine to whom I attempt to describe the very important work of CISA's Threat Hunting team.
Intro: Folks may be familiar
with the tendrils of CISA’s Threat Hunting team at work, whether it’s in our public advisory work that we help author for identifying specific activity or for securing cloud environments. Our collaboration with industry around our SCUBA project represents the new frontier for collaboration with the government, and I couldn’t be happier.
Intro: Folks may ALSO be familiar
with some of our open-sourced tooling, such as Untitled Goose Tool, which is an incident responder's companion for hunting in Microsoft M365 SaaS environments.
Intro: we continue to partner
with our friends at the NSA, FBI, Cybercom, and across the USG to disrupt threats as early and as often as we can. That means active hunts across the federal civilian executive branch of government, in 16 critical infrastructure sectors, and in partnership with State and Local governments.
Intro: I know it's popular
to say that "I'm from the government, and I'm here to help", but I swear we mean it, every time. There's nothing that makes us happier than finding that final puzzle piece in an investigation and helping our stakeholders when they're having the worst day of their life, in the midst of a cyber event.
Core Challenge: Over the last few
years, we continue to encounter identity-related compromises in our partners.
Core Challenge: it’s worth providing some context
CISA is engaged with partners of a LOT of different sizes and maturity levels. We've worked with everyone from the threat hunters at the Department of State, who are some of the best we know, all the way out to remote water and electrical municipal suppliers whose network defenders sometimes double as the guy who does the daily lunch runs.
Core Challenge: We have a much broader
sphere of obligation than a lot of our friends in the incident response and threat hunting industries, and we also face an extremely challenging landscape of threats.
Core Challenge: identity is a very different
conversation relative to the system owner's complexity. It's especially interesting when we add fun variables like physical control systems or embedded processors in places like manufacturing or transportation.
Transitive Identity: i’m going to read the language we used in our guidance
to stakeholders experiencing a major identity compromise from the SolarWinds/M365 event. "This [is an activity] that can be conducted, for example, using a transitive mapping of all potentially compromised credentials to the systems that those credentials accessed."
Transitive Identity: To say that this language
didn’t resonate with our partners could be considered a massive understatement. I think the response, collectively, was a lottttt of raised eyebrows and requests for explanations.
Transitive identity: I think what we meant to say
in layman's terms, was "once an attacker has definitively gotten access to privileged credentials, what DID they, or COULD they, have done with them? What came next?" This is relatively simple stuff, but sometimes the simplest ideas are the most difficult to articulate.
Transitive identity: I think in the future
it shouldn't take a PhD to dissect an attacker's opportunity space, for what they can reach and what the context of their access is.
threat trends: We’ve heard from partners
that they'd like to transition from the term "assume breach" because it's overly pessimistic. If anyone here can help me come up with a more positive spin on that term... please let me know what it is. In the meantime, we're going to continue to workshop ideas while only whispering "assume breach".
threat trends: CISA continues to work
with partners at OMB and in industry on Zero Trust methodologies and breach prevention techniques, but it's worth noting that sophisticated threats (like the one on the screen) continue to prey on similar identity-based attacks with small iterations, year over year... because they're effective.
Threat trends: these threats here share one thing
in common; they're preying on normal traffic and identity structures to make evasion easier and detection much more challenging. The recently released blog post from Microsoft detailing the Storm-0558 threat also illustrates how much of that responsibility is shared amongst customers and cloud service providers in the detection space.
Threat Trends: I know the feedback we’ve gotten
from our friends in industry about CISA continuing to talk about SolarWinds elicits some eye rolls. "This again?" I can relate to that, but I also think that when the collective has mitigated the threat activity and neutralized those TTPs, we'll stop talking about it.