
2 hours ago, Sua Sponte said:

So.  Whatever was used to get in is going to get burned, or turned over to the Fed for examination and use.

Every tool they have is going to get hashed and given to the cybersecurity vendors out there.  Be interesting to see if we see any attributable patches to vulns they might have developed.  Kinda like WannaCry after the alleged-NSA loss of tooling.

Overall...it sucks!


Alright ladies and Gentlemen, we got a big one today.

So, first is news that the Tres was hacked (and probably a ton more agencies) - https://www.msn.com/en-us/news/politics/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/ar-BB1bToak
 

This is on the heels of the FireEye hack, and now it looks like SolarWinds (a network monitoring/management tool) was hacked, leading to the access into the Fed.  This is in line with the supply chain attack, similar to NotPetya a few years ago.

So, you'll notice that the hack was discovered this weekend and agencies are already burning whatever tools there were that allegedly allowed Russia to get in.  CISA, the "new" DHS agency that Chris Krebs was running before the orange dummy fired him, has come a long way and is doing a good job so far.  This would have taken them weeks just a couple of years ago.  Now they've sped that up to hours after the compromise report, with intel to check for.  Pretty cool!

In case you were wondering what Russia has to say about it - "The Russian Embassy in Washington on Sunday called the reports of Russian hacking “baseless.” In a statement on Facebook it said, “attacks in the information space contradict” Russian foreign policy and national interests. “Russia does not conduct offensive operations” in the cyber domain."

Thoughts moving forward.  I think this will be seen as another escalation in norms (like the OPM hack).  I expect Trump's admin to do nothing as they continue pouting.  I think that Biden is going to have a very interesting line to walk, but we will not see what comes out of it for about 2 years.  With USCC stepping up their game, there could be legitimate cyber consequences (hit some type of clearly military infrastructure) and the usual financial sanctions/diplomats kicked out.  Previous to Biden's admin, cyber responses to these actions have not been made public (usually) even though they are effective.


Not as much an imminent threat as the recent Russian Cozy Bear, but it appears the Chinese are conducting more widespread mobile phone intelligence gathering.
https://www.yahoo.com/news/china-may-tracking-intercepting-americans-170926880.html

https://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks


https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/

I’m completely uneducated in cyber security and the likes. However even I know that the password for an update server shouldn’t be your company name with 123 on the end of it.

Any input on this? The US Government was listed as a customer of SolarWinds/Sunburst, along with something like 452 of the Fortune 500 companies.

How far could they (the hackers) have reached? What could already have been done that hasn't even been looked at yet? The article mostly focuses on the power grid/production side of it, while seemingly trying to downplay the severity of it.


It’s bad. I’ve heard many say that an “11/10” on the scale of how bad it is would be an understatement.

SolarWinds stores network topology, configuration, and credentials for all of those organizations. The Air Force is also a prime user. If the network were a bank, the hackers would have access to floor plans, schedules, vault keys and maybe even still have an inside man, depending on the level of compromise.

CISA/DHS is saying that if you have SolarWinds (or Orion) installed and it was updated since March of this year, you need to assume everything in your network is compromised. It's actually insane how big of a deal this is. Many affected companies and organizations are literally talking about entire server rebuilds of everything.

SIPR is just one example of a potentially entirely compromised network:

https://www.naturalnews.com/2020-12-18-pentagon-orders-shutdown-classified-networks-solarwinds-orion.html#

On 12/28/2020 at 2:56 PM, JTsundevil said:

https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/

I’m completely uneducated in cyber security and the likes. However even I know that the password for an update server shouldn’t be your company name with 123 on the end of it.

Any input on this? The US Government was listed as a customer of SolarWinds/Sunburst, along with something like 452 of the Fortune 500 companies.

How far could they (the hackers) have reached? What could already have been done that hasn't even been looked at yet? The article mostly focuses on the power grid/production side of it, while seemingly trying to downplay the severity of it.

Sorry all, I've been taking a break w/ family this holiday season.

Correct, there are federal guidelines about what passwords should be for government systems.  Of course, commercial providers don't have to follow those.  Never should it have been that easy.

Everyone uses SolarWinds; it's a product that does pretty well for what it is, and I don't think it was that expensive either.   The hackers could probably get wherever they wanted with these hacks.  @Negatory is correct in his estimation as well; though SIPR is generally well protected with the gaps, this was a Russian hack and they're no slouches.

Million-dollar-question - what can be done.  Domain wise, identifying the TTPs and indicators of compromise and finding and eradicating them.  This is an expensive undertaking because of the avenues for persistence in a network with technology (SolarWinds) that's so deeply embedded.  While it shows the US getting hacked...this is a problem for the entire world because of how far SolarWinds is used.  This is worse than the OPM hack in my humble/not important opinion.

Political-wise, a whole lot but it appears that the Pres has decided to do nothing/confuse everyone about it.  I'll leave it at that for the politics thread.  There needs to be something done about it, but we're waiting until the new Prez comes in I guess.  I'd also add there could be stuff happening at higher classifications, but I have no access to that anymore and wouldn't put it here anyway.
 

On 12/28/2020 at 5:25 PM, filthy_liar said:

Well, no.  I have no questions about what a cyber red team is.  I was just curious if you knew what one was.

Sorry, misunderstood the question.  A cyber red team is a team of hackers that you invite to hack you to prove your defenses and response capabilities.  They're like red/adversary air in Red Flag, but with 1/0's.  They generally are bound to certain activities in certain areas to make sure there's no extreme impact to operations.  Unfortunately, this is usually mucked up by leaders to "not impact the exercise" so we never really lost email/phones/comms...which is among the first thing I'd degrade/disrupt/corrupt.

On 12/28/2020 at 8:02 PM, Negatory said:

It’s bad. I’ve heard many say that an “11/10” on the scale of how bad it is would be an understatement.

SolarWinds stores network topology, configuration, and credentials for all of those organizations. The Air Force is also a prime user. If the network were a bank, the hackers would have access to floor plans, schedules, vault keys and maybe even still have an inside man, depending on the level of compromise.

CISA/DHS is saying that if you have SolarWinds (or Orion) installed and it was updated since March of this year, you need to assume everything in your network is compromised. It's actually insane how big of a deal this is. Many affected companies and organizations are literally talking about entire server rebuilds of everything.

SIPR is just one example of a potentially entirely compromised network:

https://www.naturalnews.com/2020-12-18-pentagon-orders-shutdown-classified-networks-solarwinds-orion.html#

 

That article is bullshit, not surprising given the source.   Not to get into the details, but the attack, while extremely dangerous in the right situation, is ineffective in a properly configured zero trust environment.
43 minutes ago, jcollins said:

...is ineffective in a properly configured zero trust environment.  

Very rare to see those around.

On 12/31/2020 at 7:24 PM, 17D_guy said:

Very rare to see those around.

Exactly. Those cost more money due to the increased management and oversight an organization has to spend to implement it. So you know the government won't have one, with maybe an exception or two for three-letter agencies.
On 12/31/2020 at 9:24 PM, 17D_guy said:

Very rare to see those around.

It doesn't have to be a perfect zero trust environment; it just has to have a certain policy implemented.  The organizations that didn't have this policy and are getting pwned as a result are the same ones getting pwned in a thousand other ways that are not as sophisticated as this.

However, the real reason people should be extremely worried about this type of attack is that a supply chain attack coupled with advanced AI payload would be virtually unstoppable in nearly all environments, and it's only a matter of time until that day.  

The only way to deal with this type of attack is to migrate to full zero trust and deploy machine learning AI countermeasures, of course in the DoD we are screwed because A) Our acquisition process sucks (we still use McAfee which is a joke) and B) our flag officer leadership doesn't understand how this stuff works.

9 hours ago, Negatory said:

How many flag officer 17Ds are there?

You'd be surprised. Many of them are pilots who got a computer science bachelor's, but there are some who've spent a career as 33/17 officers.

The biggest problem is that cyber still isn't a priority and senior leaders don't REALLY believe it could cause them to lose an air battle. Some get it, but they are few and far between.

Yeah, but a pilot in a cyber role probably won’t have the tactical understanding to be truly excellent when compared to someone that was actually trained properly. In fact, I could see that as part of why we aren’t as good in some aspects. I’m wondering how many homegrown cyber folks end up in leadership.


I would posit that the issue is less generals understanding the details of cyber (that's why they have their staffs), and more that a lot of cyber fixes really amount to maintaining and improving comms infrastructure.

Upgrading our comms backend, maintaining servers, securing accounts and access, and maintaining and securing our networks all costs money. And it's much less sexy than a shiny F-35/KC-46/new weapons/etc. After all, we are the Air Force, and we should focus on airpower, not keeping email and SharePoint or share drives up and running...even though a lot of how we fight and execute C2 relies on those capabilities.

Every dollar spent improving our IT to be more cyber resilient (much less on any true cyber capabilities) is a dollar not spent on another program. And it has to be sold at multiple levels: within the AF, DoD, and Congress. And if someone at any of those levels above AF doesn't see the value in the investment, then the AF loses that money. Maintaining infrastructure isn't sexy, and that creates a challenge in actually funding the changes that need to be made.

1 hour ago, jazzdude said:

I would posit that the issue is less generals understanding the details of cyber (that's why they have their staffs), and more that a lot of cyber fixes really amount to maintaining and improving comms infrastructure.

Upgrading our comms backend, maintaining servers, securing accounts and access, and maintaining and securing our networks all costs money. And it's much less sexy than a shiny F-35/KC-46/new weapons/etc. After all, we are the Air Force, and we should focus on airpower, not keeping email and SharePoint or share drives up and running...even though a lot of how we fight and execute C2 relies on those capabilities.

Every dollar spent improving our IT to be more cyber resilient (much less on any true cyber capabilities) is a dollar not spent on another program. And it has to be sold at multiple levels: within the AF, DoD, and Congress. And if someone at any of those levels above AF doesn't see the value in the investment, then the AF loses that money. Maintaining infrastructure isn't sexy, and that creates a challenge in actually funding the changes that need to be made.

One of the biggest hurdles is working cyber considerations not only into new acquisitions, but figuring out how to protect the acquisition/lifecycle chains of legacy systems that were built without a lot of consideration for it.  I don't envy those guys having to go to the SPO/HAF and say... "hey, you really need to spend money on this really boring back-end thing for the next software upgrade on this sunset system."

One of the biggest hurdles is working cyber considerations not only into new acquisitions, but figuring out how to protect the acquisition/lifecycle chains of legacy systems that were built without a lot of consideration for it.  I don't envy those guys having to go to the SPO/HAF and say... "hey, you really need to spend money on this really boring back-end thing for the next software upgrade on this sunset system."


"Oh, and we're not going to give you any extra money for it, figure it out..."
12 hours ago, jazzdude said:

I would posit that the issue is less generals understanding the details of cyber (that's why they have their staffs), and more that a lot of cyber fixes really amount to maintaining and improving comms infrastructure.

Upgrading our comms backend, maintaining servers, securing accounts and access, and maintaining and securing our networks all costs money. And it's much less sexy than a shiny F-35/KC-46/new weapons/etc. After all, we are the Air Force, and we should focus on airpower, not keeping email and SharePoint or share drives up and running...even though a lot of how we fight and execute C2 relies on those capabilities.

Every dollar spent improving our IT to be more cyber resilient (much less on any true cyber capabilities) is a dollar not spent on another program. And it has to be sold at multiple levels: within the AF, DoD, and Congress. And if someone at any of those levels above AF doesn't see the value in the investment, then the AF loses that money. Maintaining infrastructure isn't sexy, and that creates a challenge in actually funding the changes that need to be made.

This is a really good point. Most AF GOs I've worked for were more interested in how to get airplanes airborne and thought cyber was someone else's job. In all honesty, Space Force should have taken EW and cyber and created a new branch of ulterior domain warfare.

This is a really good point. Most AF GOs I've worked for were more interested in how to get airplanes airborne and thought cyber was someone else's job. In all honesty, Space Force should have taken EW and cyber and created a new branch of ulterior domain warfare.


Partially agree. I'll admit I don't know too much about cyber, but with the little I do know, it does make sense for them to be a separate service (and not a department under any existing branch). And generals do tend to focus mostly within the scope of their authority, and assume that someone else is handling issues outside their scope (like cyber).

That being said, that alone would not solve our cyber problem as it relates to protecting our information and ability to communicate; every service and every other federal agency needs to secure their data and networks. DISA fills the role now of enforcing standards within DoD, but it doesn't seem to have the teeth to force the services to comply now (compliance mandates always seem to be stretched over several years). There probably needs to be a federal agency that enforces standards across the federal government, and I'm not sure if DoD is necessarily the right agency to be the lead.

And all this ignores reliance on common/shared commercial infrastructure (phone lines, commercial internet connections, power, etc). Though the US did make a good case to prevent US telecom companies (and some allied nations as well) from installing/using Huawei 5G technologies in their communications network as they modernize their networks.

The scariest thing about cyber is that it removes one advantage we've taken for granted: we're pretty well isolated by two large oceans, so an enemy executing kinetic effects against our homeland is difficult (though not impossible as we saw with the 9/11 attacks). Sure, ICBMs have been around for a while, though with those comes the baggage of not knowing if it's a nuclear or conventional attack, which significantly raises the likelihood of a nuclear retaliatory response. But as we're starting to see (or at least recently acknowledged publicly) that safety provided by distance disappears in the cyber domain, and an active posture is required to secure the cyber domain.