Jul 30 2021

Q&A: How Agencies Can Stay On Top of Evolving Cybersecurity Threats

Tom Kellermann, head of cybersecurity strategy for VMware and member of the United States Secret Service Cyber Investigations Advisory Board, explores a complex IT security landscape and what the federal government can do about it.

The cybersecurity threats federal agencies face are multiplying and transforming. They include software supply chain attacks, which were involved in the so-called SolarWinds breach, as well as ransomware attacks and insider threats.

The government is taking steps to combat the threats, including mandating a shift to zero-trust architectures and developing a common governmentwide playbook for cyber incident response.

What other threats are out there and what more can the government be doing to counter them? FedTech spoke recently with Tom Kellermann, head of cybersecurity strategy for VMware, to discuss the federal cybersecurity threat landscape, VMware’s intrusion suppression approach and how the threat from groups linked to nation-state actors is evolving.


FEDTECH: How do you think cybersecurity threats against federal agencies and other high-profile targets are evolving?

Kellermann: First and foremost, there are more zero-day exploits being unleashed against us that are being purpose-built by the Chinese intelligence services and the Russian intelligence services. In addition, because of telework due to the pandemic, more and more government employees are being targeted at home. The implicit trust that the government places on VPNs to access sensitive government systems allows for someone to basically hack that executive at home and ride that VPN tunnel into the agency’s environment.

It’s fairly easy for them to move laterally, because the U.S. security posture was very much focused on network security, network defense and prevention. Network defense is not as effective when most of your workforce is remote, because you have to put implicit trust in those tunnels. More and more of those endpoints are being successfully compromised, and not just through spearphishing. More and more of these attacks are specific to attacks on applications, but allow for the initial intrusion, a watering hole where trusted websites or mobile apps are compromised and used to attack those customers and/or those employees.

Then, we have this “island-hopping” phenomenon, which has a compounding effect, because geopolitical attention is manifesting in cyberspace. Our Cold War adversaries are well aware that it is in their best interests to use the environments that they have compromised to leverage attacks against those constituencies. You hack one government agency and then use the footprint that you have in that agency and the network of that agency and the website of that agency to attack other agencies and other facets of the U.S. government. SolarWinds didn’t occur in a vacuum. This type of island hopping occurs in 49 percent of all incidents. How do I know that? Here at VMware, we’re partnered with 142 different incident readiness and response firms and managed security service providers who use the Carbon Black threat hunting capabilities in their investigations.

From that telemetry, it’s noted that when they go into conducting an investigation, they’re realizing that yes, that organization or that agency was breached, but more important, the infrastructure of the agency was now being used to attack other entities. We need to pay attention to that phenomenon.

There is more and more of a nexus between the cybercrime cartels and the intelligence services of at least five rogue nation-states that exists for a couple of reasons. One is that the cybercriminals are perceived as national assets. The other point is they have to share access to systems that they’ve compromised with those intelligence services, providing almost brokerage access to those compromised environments. Then, they’re used in order to offset economic sanctions imposed upon them by the West. So, for all those reasons, we have really had a tipping point in my 23 years of practicing cybersecurity.


FEDTECH: How do you think President Biden’s recent cybersecurity executive order is going to help improve the government’s posture, especially with its mandate that agencies adopt zero trust?

Kellermann: It is historic. I’ve never seen such a great leadership team in the positions of cybersecurity across the government, from the NSA to the new CISA director, all the way through the government. The folks in charge of cybersecurity now are very savvy. They’re very experienced, and they know what needs to be done.

In addition, the zero-trust mandate is imperative, because it makes the assumption that you’ll be breached at some point — period. That inevitability is such that it’s a reckoning that 100 percent prevention is impossible. We need to do a better job of having the environment protect itself from the inside out, to the point where President Biden met with Vladimir Putin and he stated, “Verify first and then trust.” I think that that is the direction that we’re going with cybersecurity across government agencies and the major systems integrators.


That being said, foundational to that effort is that we need to get the adversaries that already have back doors in systems out. So, the increased impetus and funding for cyberthreat hunting is a priority, and that can be demonstrated by the dramatic increase of open positions in CISA for conducting cyberthreat hunting.

In addition, there’s greater information sharing occurring between the government and the private sector in levels of information sharing, such that we’re getting real situational awareness from our government friends who are allowing us to better defend ourselves so that we don’t become compromised.

I think that the NATO meetings were significant when they amended Article 5 of the NATO charter to say that a destructive cyberattack against a critical infrastructure of one member will be seen as an attack against all, and they would respond with collective defense, not limited to only cyber, but it could include kinetic, and that is game changing. I think, finally, the U.S. government is beginning to have that “come to Jesus” moment with what has gone wrong and what is occurring within our systems. I think we’re beginning to take our gloves off.


FEDTECH: How can agencies go about finding and addressing back doors that may have been created in the SolarWinds cyberattack?

Kellermann: You need to increase that hunting across those systems to identify behavioral anomalies that exist on systems. Then, you have to come to a recognition that there is a modus operandi for APT29 and how they embed themselves in systems. That was the group behind SolarWinds, and that M.O. is they’re typically going to deploy multiple command controls with primarily a second C2 on a sleep cycle that only activates when you terminate before the initial C2, which is the initial back door.

In addition, they like to deploy that secondary seed through steganography, through embedding that in image files. We need to do a better job of identifying and conducting scalable analysis for the presence of steganography.

Finally, when they hit a target endpoint or they compromise a given system, one of the first things they do is disable the Windows Antimalware Scan Interface, and they may disable the security agent on the device as well. If you see evidence that AMSI was ever disabled, then that means this machine was infected by them. They like to delete the logs associated with when they were using that environment. So, if you see gaps in logs as well, you should know that that device is compromised by them and do a more thorough investigation.
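The two indicators Kellermann names in this answer, evidence that AMSI or the security agent was disabled and unexplained gaps in the log timeline, are simple enough to check mechanically. The script below is an added example written for this article, not VMware or Carbon Black code; it parses a constructed, plain-text event log (the format, the sample lines and the keyword patterns are all assumptions made for illustration) and flags both indicators so an analyst knows which hosts deserve a deeper investigation.

```python
"""Triage a host log for two indicators from the interview:
 1. events showing security tooling (AMSI, real-time protection, audit log)
    being disabled or cleared, and
 2. gaps in the log timeline longer than a chosen threshold.

The log format and every sample line are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    when: datetime
    source: str
    message: str


# Constructed sample log: "<ISO timestamp> <source> <message>" per line.
# The 09:02:30 -> 15:40:12 hole and the three tamper lines are deliberate.
SAMPLE_LOG = """\
2021-07-01T09:00:05 Security An account was successfully logged on: user=alice
2021-07-01T09:01:10 PowerShell Script block logged: Get-Process
2021-07-01T09:01:42 Defender Real-time protection state changed: disabled
2021-07-01T09:01:55 Defender AMSI scanning disabled by local policy change
2021-07-01T09:02:30 Security Audit log cleared
2021-07-01T15:40:12 Security An account was successfully logged on: user=alice
"""

# Each pattern is a tuple of substrings that must all appear (case-insensitive)
# in one message. Assumed wording for this constructed format; a real
# deployment would key these to the actual event IDs its log source emits.
TAMPER_PATTERNS = (
    ("amsi", "disabled"),
    ("real-time protection", "disabled"),
    ("audit log cleared",),
)


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format and return events sorted by time."""
    events: list[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, source, message = line.split(maxsplit=2)
        events.append(Event(datetime.fromisoformat(stamp), source, message))
    # Sorting makes gap analysis correct even if lines arrive out of order.
    return sorted(events, key=lambda e: e.when)


def find_tamper_events(events: list[Event],
                       patterns=TAMPER_PATTERNS) -> list[Event]:
    """Return events whose message matches any tamper pattern."""
    hits = []
    for ev in events:
        msg = ev.message.lower()
        if any(all(part in msg for part in pattern) for pattern in patterns):
            hits.append(ev)
    return hits


def find_log_gaps(events: list[Event],
                  max_gap: timedelta = timedelta(hours=1)):
    """Return (start, end, length) for every silence longer than max_gap."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur.when - prev.when
        if delta > max_gap:
            gaps.append((prev.when, cur.when, delta))
    return gaps


def triage(text: str, max_gap: timedelta = timedelta(hours=1)) -> dict:
    """Summarise both indicators for one host's log."""
    events = parse_log(text)
    tamper = find_tamper_events(events)
    gaps = find_log_gaps(events, max_gap)
    return {
        "events": len(events),
        "tamper_events": [f"{e.when.isoformat()} {e.source}: {e.message}"
                          for e in tamper],
        "gaps": [(s.isoformat(), e.isoformat(), str(d)) for s, e, d in gaps],
        "suspicious": bool(tamper or gaps),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The gap threshold is the part that needs tuning per environment: a quiet host legitimately logs nothing overnight, so the threshold should reflect the host's normal cadence, and a flagged gap is a prompt for the "more thorough investigation" Kellermann describes rather than proof of compromise on its own. The tamper patterns are deliberately keyword-based here; in production they would be bound to the concrete event IDs of the log source being collected.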

FEDTECH: What is VMware’s intrusion suppression paradigm, and how can agencies practically go about deploying it to help protect themselves?

Kellermann: It’s all about achieving cyber vigilance, and really, what is zero trust manifest? Zero trust should allow you to suppress intrusions in real time and give you telemetry associated with the entirety of the campaign of the adversary in real time. If you look at the architectural model espoused by NIST in the past and/or the NSA, it’s very much focused on defense in depth and is very much focused on a fortified infrastructure with spheres and circles of defending capabilities.

The challenge they’re in is that there’s implicit trust made vis-a-vis protocols, applications and encrypted tunnels that exist to allow for that environment to function and to conduct business. So, that castle-like security paradigm must be inverted on its head.

It needs to look a lot more like a supermax prison, like the one out here in Florence, Colo. The supermax, the ADX facility, was built by cognitive psychologists and the world’s best prison architects to hold the worst of the worst. The reason for that is that they knew that the worst of the worst would develop cults of personality in prison and be allowed to run their criminal conspiracies and/or terrorist conspiracies from inside the prison walls against the outside world, because of who they were and how they had high-functioning emotional intelligence.

So, how do you actually limit their capacity to communicate? How do you limit their situational awareness? How do you limit their capacity to move laterally in the environment? How do you limit their capacity to understand the outside world, so that even if they got outside, they wouldn’t know where to go or how to go anywhere? That’s why that facility is in the middle of a desert. So, intrusion suppression is really about how do you apply a supermax prison model to your infrastructure, your environment.

Here at VMware, we want the infrastructure to defend itself. We want the infrastructure to detect, deceive, divert, contain and allow you to hunt the adversary in the environment, unbeknownst to the adversary. That’s why we’ve made a $3 billion investment in cybersecurity capabilities. That’s really where we’ve gone from a design perspective, and where we continue to evolve the capability set. But again, think of the supermax prison versus the castle: At the end of the day, you want to make it harder for the adversary to move freely within the environment. You want to make it harder for the adversary to take control of the environment, and you want to make it harder for the adversary to leave the environment. That’s much more important than allowing the adversary to get in.


FEDTECH: How do you think the threat of malicious cybercriminals backed by nation-states is going to evolve?

Kellermann: I have hope for the first time in 23 years that we’re going to proactively disrupt the dark web forums on the cybercrime cartels themselves, but there will come a day where we are going to butt heads directly between our intelligence communities and theirs, because these cybercrime cartels are not just made up of cybercriminals. There are intelligence operatives that are part of these cartels and vice versa.

In addition to that, I do think that the recent reclassification of ransomware and ransomware gangs as terrorism or terrorist actors is significant in that it gives us the authorities we needed in both a cyber and kinetic context to go after those groups. However, I am very concerned that more integrity attacks are coming, more manipulation of data and manipulation of the value of data.

I’m particularly concerned with a stark reality presentation. In a presentation I will give at Black Hat, I note that 58 percent of the time, these adversaries are manipulating the value of time and systems when they compromise the system. So, I’m concerned that the future of cyberattacks, and the future of these cartels, is that they’re becoming much more virulent. They’re going to become much more punitive and much more aggressive as they know that the circle is closing on them. I’m concerned that they may someday take over a major public cloud and launch destructive cyberattacks from that environment. I’m also concerned with the level of counter-incident response and the level at which many defenders are really having to get into a knife fight with adversaries nowadays, versus before they decide to shine a light.

It really will come down to the diplomacy. I think there’ll be a direct correlation between geopolitical tension and what I would consider to be systemic cyberattacks. These cyber cartels are the tip of the spear. Many times, they already have access to certain systems, and they’re allowed to act as proxies. If there’s one thing we should learn about the history of our Cold War adversaries, it’s that they love to use proxies when engaging in a true Cold War. And I do think there is a Cold War in cyberspace that is ongoing.
