National Intelligence Council Report on 2020 Elections; FBI Internet Crime Report for 2020; Threat Actor Breached Mimecast Production Grid; CISA Tool Detects SolarWinds IoCs

Back in the late 1950’s a faked experiment led to concern over subliminal advertising frames inserted into films shown in movie theaters. In the early 2000s scientific research proved subliminal advertising did lead to unknowing influence and many countries banned it, while in the US the FCC “discouraged” its use. Much of the influence techniques used by nation states and terrorist groups on social media is essentially subliminal advertising and legislation needs to evolve – it is not something market forces will address.

John Pescatore

Social engineering, influencing others to act in a fashion that supports your desired outcomes, is not new. Often this manifests itself in advertising, or social media posts where the legitimacy is difficult to discern. Changes in legislation can make it harder or add consequences, but it still falls to the consumer to verify information provided.

Lee Neely

Just to put that $4B number in perspective: the 2020 National Retail Federation shrinkage survey estimated that 2019 shrinkage (inventory loss from shoplifting, employee theft, supplier error/fraud, cashier errors and other causes) was $62B in the retail sector alone. Three key points here: (1) the FBI IC3 data comes from complaints filed with the FBI, the numbers don’t reflect overall losses in anyway; (2) in many industries, traditional crime continues to have a much larger business impact that cybercrime; (3) retail has kept shrinkage in the range of 1.5 – 2% over the years, while spending 1-1.5% of revenue on loss prevention/shrinkage control, meaning a 3% loss of revenue to shrinkage and the loss prevention program is an acceptable cost of doing business. Increasing spending in loss prevention without reducing shrinkage enough would result in a loss of profit, even if the absolute level of shrinkage went down. Can you talk similar language about the effectiveness of  your spending on security controls to justify increases or changes?

John Pescatore

When implementing MFA, make sure to not leave exceptions. Verify that remains in effect. Make sure that access credentials, including certificates, are only accessible where absolutely needed. This also raises the question – when you discover a credential is compromised, and change it, and then discover you still have attackers in your system, do you update it again? Or do you wait to make the initial update until you’re absolutely certain the attackers are gone?

Lee Neely

Private keys should not be stored online when not in use.

William Hugh Murray

Similar to the Sparrow tool which scans for signs of APT compromise in a MS 365 or Azure environment, CHIRP scans for signs of APT compromise in an on-premise environment. CHIRP is available as a PowerShell script or compiled executable and is a command line tool. Unlike the Microsoft tool, CHIRP makes no changes to systems and takes 1-2 hours to run. Ingest the JSON results in your SEIM.

Lee Neely

Such tools will enable one to detect some, perhaps even most, but not all compromises. "The absence of evidence is not evidence of absence."

William Hugh Murray

Rather than “build back better,” use cloud or outsourced services which are built and maintained at a higher level of assurance. One of the appeals and challenges of using cloud services is that the provider is patching and updating, as well as setting the security parameters they can manage. This leaves the customer with a smaller set of responsibilities. In the FedRAMP cloud space, system security is based on the same security framework that agencies need to follow when securing their own systems, with the added benefit of an external auditing company which holds them accountable for fully meeting those controls. While a more aggressive update schedule may stress existing resources, they also provide guidance to minimize the risks associated with updates.

Lee Neely

The "Exchange Server" problem pales in comparison to SolarWinds.

William Hugh Murray

TrickBot is getting more exposure after legal actions shut down some competing botnets. Please do not focus too much on blocking specific IP addresses as they tend to change quickly. One interesting method to detect TrickBot is by inspecting TLS certificates. Tools like Zeek are excellent to collect this information and it tends to be quite useful not just for TrickBot.

Johannes Ullrich

Attackers use TrickBot to drop other malware such as Ryuk and Conti ransomware, or serve an Emotet downloader. The Alert warning below includes a layout of TrickBot’s techniques, mapped to MITRE ATT&CK techniques. That mapping can be used to help others understand the relevance of ATT&CK. Mitigations include user training, policy and procedures for reporting suspect email, firewall rules as well as segmenting systems to limit lateral movement. I have seen great success in reporting by adding a reporting button to email clients. Note: You will have to respond to reported messages for use to continue past the initial rollout.

Lee Neely

When configuring devices like these, limit access to the administration interface to authorized devices only. Do not enable remote administration without requiring a VPN. These routers were released in 2016; it’s a good time to consider replacing them with newer models, particularly if you are out of support and unable to apply the update.

Lee Neely

Centralizing services like this enables leveraging a consolidated pool of expertise, and provide opportunities for increased coverage. The trick is not only relocation of services, but also having them operate in a consistent fashion, leveraging common  patching, updating and backup processes as well as common platforms and application stacks to eliminate pockets of specialized support staff and processes. Security boundaries also have to be considered, much like when merging businesses, including verification of resources and services before trusting them in the new environment.

Lee Neely

With a giant distributed system such as the Grid, not only do remote connections for management and monitoring need to be secure, but data communication paths, whether wireless or ethernet over powerline, need to be verified to limit unauthorized interception. The most common mitigation response I have heard to malicious behavior on control systems is to revert to manual control. While good on paper, verify that is actually practical and timely before relying on that plan.

Lee Neely

We have been saying this for a decade or more. Time to stop "admiring the problem." We need a narrow focus on what to do. Start with strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) wherever controls are connected to the public networks. Then end-to-end application layer encryption and finally application content control.

William Hugh Murray