
Policy Brief – U.S. Cyber Threat Intelligence, Part 1: Introduction & Background

Dec 20, 2022

By Aaron Weathersby, CISSP. Aaron is the Chief Information Officer for Charles R. Drew University of Medicine and Science and holds a Doctor of Science in Cyber Security from Marymount University. He is an Information Technology professional with over 18 years of experience focused on cybersecurity issues.

Abstract: A policy brief on the May 2021 White House Executive Order 14028 requiring the improvement of the nation’s cybersecurity, viewed through the lens of Cyber Threat Intelligence. A summative read geared towards federal agencies and government contractors who must implement the order. This brief explores the current state of cybersecurity and the impetus for the order, summarizes its key policy points, and details recommendations and challenges in implementing the Executive Order.

Executive Summary: This policy brief was created to summarize the Biden Administration’s Executive Order on Improving Cyber Security through the lens of Cyber Threat Intelligence. This brief is geared towards those public and private entities required to implement the mandated elements within the EO. The brief details critical findings, recommendations, and challenges with implementing the order.

INTRODUCTION

In May of 2021, the President of the United States issued Executive Order (EO) 14028 detailing an executive branch approach towards “Improving the Nation’s Cybersecurity”. This EO identified 8 mandates directing the federal government to take the steps necessary to “improve its efforts to identify, deter, protect against, detect and respond” to the actions of increasingly sophisticated cyber threat actors. A call to action was made presenting a need for “bold changes” and “significant investment” to protect and defend the computer systems of the United States.

The United States and its allies have been increasingly challenged by diverse and determined cyber threats. Cyber criminals have caused billions of dollars of damage, halted critical infrastructure, stolen personal information and directly impacted the lives of millions of Americans. Through the use of computers, malign nation states and their affiliated groups have directly challenged the institutions of law, governance, and democracy of our country. Within the last 6 months, the confluence of cyber threats seen in the SolarWinds/Sunburst attack and the Colonial Pipeline ransomware incident has woken lawmakers and the public to the systemic threat that a lack of cyber security represents. And even though the United States and its allies have implemented laws, policies and structures to ameliorate the threat from these cyber attackers, it is clear from the continued escalation of such events that these actions are not enough.

The focus of this policy brief will be to distill critical components of the EO through a recurring thematic lens of Cyber Threat Intelligence. Cyber Threat Intelligence/Information (CTI) is a critical component of modern cyber security and was clearly a focus of the Executive Order. While the EO contained 8 orders, a clear necessity for building knowledge of threat actors, incidents, and vulnerabilities is a CTI theme throughout. This brief will provide context on the nature of CTI and why it is important to the modern cyber security landscape. Analysis will be provided identifying critical events over the last 6 months that likely contributed to this EO and the urgency expressed within it. Benefits and barriers will be presented to give decision makers an overview of the topic. Context through the lens of existing legislation and prior governmental policy will also be explored to provide a foundation for the necessity of, and the challenges represented in, this order. Finally, options to implement this policy and critical decision points will be highlighted to allow for effective implementation of both the requirements and the intent of this EO policy statement.

EO 14028 Policy Statements

  1. Removing Barriers to Sharing Threat Information
  2. Modernizing Federal Government Cybersecurity
  3. Enhancing Software Supply Chain Security
  4. Establishing a Cyber Safety Review Board
  5. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  6. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  7. Improving the Federal Government’s Investigative and Remediation Capabilities
  8. National Security Systems

BACKGROUND / CONTEXT

As reported in a recent Forbes magazine survey, 1 in 5 Americans have been the victim of ransomware. In reading EO 14028, clear cyber security themes and concerns are present and top of mind for its authors. Over the last few years, incidents of cyber security attacks have been increasing at an exponential rate.

While cyber-attacks have been a concern of policy makers for years, in the 6 months prior to this EO being issued, uniquely significant cyber incidents took place within the U.S. Two attacks in particular captured the attention of the nation due to their scope and impact. Each represented a failure in intelligence by the federal government to prevent them and to identify them while they were occurring. It is the opinion of this brief that this failure in identifying, aggregating, and sharing Cyber Threat Intelligence instigated this executive order. A summary of these attacks is below, along with key questions and thematic elements found within them.

Supply Chain Attack / SolarWinds

In December 2020, the cyber security firm FireEye detected a major intrusion of its systems and of its customers. The intrusion, which would later be known as Sunburst or “the SolarWinds hack”, would become remarkable due to its scope and scale. According to news reports, hackers from the Russian intelligence service (SVR) were able to gain unfettered access to hundreds of companies and dozens of federal agencies. Through what is known as a supply chain attack, the SVR was able to compromise a common technology monitoring tool from a company named SolarWinds and use that to gain remote access to the networks of the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, Microsoft, and dozens of others. Code within a SolarWinds product was maliciously modified to provide a trojan backdoor for access. The Russian SVR was then able to move around these networks for a period of months, undetected by the largest technology companies and the intelligence services of the United States. Confidential data was compromised and exfiltrated from these networks. As described by news accounts, while many different cyber security firms had real-time indicators of the breach, it was only a single private firm that detected the nationwide attack. While the attack was by a sophisticated threat actor, it was later hypothesized to have stemmed from a single compromised password of “solarwinds123” used by an intern to secure a publicly reachable file transfer site. To that end, in later postmortem forensics, it was published that basic cyber security hygiene was lacking at SolarWinds, which further contributed to the initial breach of their product.

Key Points

  • A hack of a single private company allowed for a breach of dozens of sensitive government
  • The U.S. government, the federal agency charged with domestic cyber security, and its existing technical detection system did not detect the attack.
  • Multiple companies had artifacts indicating that the breach was taking place but lacked the ability to tie the information together.

Critical Infrastructure Attack / Colonial Pipeline

In April of 2021, foreign hackers gained access to the network of the Colonial Pipeline Corporation. The Colonial Pipeline Corporation is a private company responsible for transporting 2.5 million barrels per day of fuel, representing “nearly half the gasoline, jet fuel and diesel flowing across the East Coast”. The hackers, a criminal cyber gang known as DarkSide, deployed ransomware into Colonial Pipeline computer systems that encrypted and stole confidential information, which was used to extort a ransom payment of $5 million. While public reporting on the incident suggested the hackers were physically located in Russia, it was thought they were not directly affiliated with the Russian government. In response to the attack, Colonial Pipeline Corporation shut down their technology systems, resulting in a halt of oil operations, a regional impact of long gas lines, higher fuel prices and nationwide concern. Ultimately, public reporting suggests that in response to the breach, Colonial Pipeline paid a ransom of $4.4 million, which resulted in the restoration of their operations. Not unique to this incident, the cyber gang DarkSide was not a monolith and instead operated on a service model with many different affiliates and criminal business partners. Different actors within the DarkSide supply chain created, distributed, hacked and operated their ransomware in exchange for a percentage of received ransoms. Critically, as per a FireEye blog post, the operations of DarkSide had been seen 6 months prior to the Colonial Pipeline breach. DarkSide had attacked other U.S. organizations, and their tactics, techniques and procedures had been documented by the industry. Public forensic reports suggest poor cyber hygiene led to the breach at Colonial Pipeline, with an unused remote access VPN account being the point of ingress into their network.

Key Points

  • A breach of a single private company resulted in the disruption to millions of Americans.
  • The hackers were known to cybersecurity firms and their criminal affiliates had been actively breaching other organizations for over 6 months.

Conclusions

Similar thematic elements are present in both the SolarWinds and Colonial Pipeline cyber incidents. A lack of cyber hygiene and ineffective processes contributed to major disruptions of the victims’ operations and to the U.S. public. Most importantly, the impacted organizations, the Federal Government and the cyber security industry had previously acquired broad knowledge of the cyber attacks but were unable to use this information to prevent the attacks from taking place. It is on this point that EO 14028 seems to draw its conclusions.


Bibliography

Exec. Order No. 14028. (2021). Retrieved from https://www.whitehouse.gov/briefing-room/presidentialactions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

Brooks, C. (2021). Alarming Cybersecurity Stats: What You Need To Know For 2021. Retrieved from https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats——-what-you-need-to-know-for-2021/?sh=d24630958d3d

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

FireEye. (2020). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved from https://www.fireeye.com/blog/threat-research/2020/12/evasive-attackerleverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Guide to Cyber Threat Information Sharing. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

Kelly, S., & Bing, C. (2021, May 7). Top U.S. fuel pipeline operator shuts whole network after cyber attack. Reuters. Retrieved from https://finance.yahoo.com/news/colonial-pipeline-halts-pipeline-operations-045443078.html

Nuce, J., Kennelly, J., Goody, K., Moore, A., Rahman, A., Williams, M., . . . Wilson, J. (2021). Shining a Light on DARKSIDE Ransomware Operations. Retrieved from https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-ondarkside-ransomware-operations.html

Samtani, S., Abate, M., Benjamin, V. A., & Li, W. (2019). Cybersecurity as an Industry: A Cyber Threat Intelligence Perspective.

Sanger, D. E., & Perlroth, N. (2021, May 14). Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity. The New York Times. Retrieved from https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html

City News Service. (2021). Scripps Health Says Some Patient Info Acquired During Ransomware Attack. KPBS. Retrieved from https://www.kpbs.org/news/2021/jun/01/scripps-health-says-some-patient-info-acquired-dur/

Temple-Raston, D. (2021). A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack. NPR. Retrieved from https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Bloomberg.com. Retrieved from https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonialpipeline-using-compromised-password

Zibak, A., & Simpson, A. (2019). Cyber Threat Information Sharing: Perceived Benefits and Barriers. Paper presented at the Proceedings of the 14th International Conference on Availability, Reliability and Security, Canterbury, CA, United Kingdom. https://doi.org/10.1145/3339252.3340528

Zrahia, A. (2018). Threat intelligence sharing between cybersecurity vendors: Network, dyadic, and agent views. Journal of Cybersecurity, 4(1). doi:10.1093/cybsec/tyy008