Attackers are increasingly running sophisticated campaigns against U.S. federal agencies and other organizations. Two recent examples demonstrate this: the SolarWinds supply chain attack and the HAFNIUM Exchange exploit campaign.
The SolarWinds Supply Chain Attack
In mid-December 2020, the security community learned that an advanced persistent threat (APT) had inserted a backdoor into SolarWinds’ Orion network management software, which then reached customers through legitimate product updates. Tripwire VERT warned that those responsible for the attack campaign could use the backdoor to compromise a network and move laterally in order to ultimately exfiltrate sensitive information.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently issued an emergency directive ordering Federal Civilian Executive Branch agencies to disconnect or power down their Orion installations until it provided further guidance on patching. Nevertheless, a number of federal departments and agencies confirmed compromises in the weeks and months that followed. Those entities included the Pentagon, the Department of Homeland Security, the Department of State, the National Institutes of Health, the Department of Justice, the National Nuclear Security Administration, the NSA and the Federal Aviation Administration (FAA).
The HAFNIUM Exchange Exploit Campaign
Not long after SolarWinds disclosed the supply chain attack, Microsoft warned of a threat actor it called “HAFNIUM” exploiting four zero-day vulnerabilities in its Exchange Server software to steal data from vulnerable organizations. The company said in its security advisory that it had briefed U.S. government agencies about HAFNIUM’s ongoing attack campaign. In response, CISA released another emergency directive urging Federal Civilian Executive Branch agencies either to apply Microsoft’s security updates immediately or to disconnect their Exchange servers until the patches could be deployed.
As of March 10, CISA officials had found no evidence that a federal agency had been compromised by HAFNIUM. Plenty of other organizations did fall victim, however. Just days after Microsoft published its security advisory, KrebsOnSecurity reported that the threat actor had compromised at least 30,000 organizations in the United States alone.
What These Attacks Mean to Federal Organizations
The attacks discussed above, among others, highlight the need for entities in the U.S. government to strengthen their defenses against digital threat actors. One way they can do this is by implementing the Center for Internet Security Critical Security Controls (“CIS Controls”). Indeed, a previous study found that organizations can prevent up to 85% of attacks by adopting the first five controls and 97% of attacks by adopting all 20.
Tony Sager, senior vice president and chief evangelist at CIS, feels the CIS Controls reflect a reality in which most organizations face the same kinds of digital threats. As he put it in an interview with Tripwire’s Tim Erlin:
At CIS, we feel there’s this bad soup of bad things that we all have to deal with, right? As a practical matter, most enterprises don’t have the kind of threat information or the people and the time and the luxury of thinking about this. So, our view is that there’s a set of things that we all ought to do. That’s really the kind of philosophy behind things like the CIS benchmarks and the CIS critical security controls.
The remaining question is how federal agencies and other organizations can best incorporate the CIS Controls into their environments. The CIS Controls specify what an organization should achieve, not how to achieve it, and leave the implementation open. This can pose a challenge to both private and public organizations that do not know how to implement the controls on their own. As a result, they might consider working with a trusted security vendor that can guide them through the details of implementing the various CIS Controls.
Tripwire and the CIS Controls
Tripwire can help all kinds of organizations, including federal entities, to implement the CIS Controls. Let’s use the first five security measures to illustrate this fact.
CIS Control 1: Inventory and Control of Hardware Assets
The first CIS Control requires organizations to gain visibility into all hardware connected to the network. Using Tripwire® IP360™, federal organizations can use active discovery to identify each host and to collect application and OS data for each identified device. Simultaneously, they can leverage Tripwire Log Center® to mine log data for previously unknown assets.
CIS Control 2: Inventory and Control of Software Assets
In addition to hardware, organizations need an inventory of the software running in their environment. Tripwire IP360 can pinpoint the software installed on hosts connected to the network and link the resulting inventory to the hardware inventory created under CIS Control 1. Federal organizations can then rely on Tripwire Enterprise to discover when new software is installed and to warn the IT team about unauthorized applications.
CIS Control 3: Continuous Vulnerability Management
This CIS Control requires federal organizations to scan their networks continuously for vulnerabilities. Fortunately for Tripwire customers, IP360 includes a vulnerability scanner that helps them prioritize known security weaknesses and remediate them in line with their security requirements.
CIS Control 4: Controlled Use of Administrative Privileges
Federal organizations need to lock down their administrative credentials. Towards that end, Tripwire Enterprise can monitor systems and ensure that administrative access and privileges are configured securely. Together with Tripwire Log Center, it can also detect when users are added to or removed from administrative groups.
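The detection described above, as an added example that is not Tripwire’s own code: it runs over constructed, simplified log lines (not real Tripwire Log Center or Windows output), keys on the Windows Security event IDs for group membership changes (4728/4729 global, 4732/4733 local, 4756/4757 universal), and flags any account added to a privileged group that is not on an approved-administrators list. The group names, the allowlist and the line format are assumptions for illustration.

```python
import re
from typing import Optional

# Windows Security event IDs for security-enabled group membership changes.
# 4728/4729: global groups, 4732/4733: local groups, 4756/4757: universal groups.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}

# Groups whose membership confers administrative privilege (assumption: tune per environment).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Accounts approved to hold administrative privilege (constructed allowlist).
APPROVED_ADMINS = {r"CORP\tlee"}

# Constructed, simplified log lines; not real Tripwire Log Center or Windows output.
SAMPLE_LOG = r"""
2021-03-11T09:14:02Z host=DC01 EventID=4728 Subject=CORP\jsmith Member=CORP\svc-backup Group=Domain Admins
2021-03-11T09:20:45Z host=WS17 EventID=4732 Subject=WS17\admin Member=CORP\tlee Group=Administrators
2021-03-11T09:21:10Z host=WS17 EventID=4732 Subject=WS17\admin Member=CORP\tlee Group=Remote Desktop Users
2021-03-11T10:02:33Z host=DC01 EventID=4729 Subject=CORP\jsmith Member=CORP\svc-backup Group=Domain Admins
2021-03-11T10:05:00Z host=DC01 EventID=4624 Subject=CORP\jsmith LogonType=3
"""

# Group names may contain spaces, so the group field is matched last.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+"
    r"Subject=(?P<subject>\S+)\s+Member=(?P<member>\S+)\s+Group=(?P<group>.+?)\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one group-membership event; return None for any other event type."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["eid"] = int(event["eid"])
    return event


def privileged_membership_changes(log_text: str) -> list:
    """Return every add/remove against a privileged group, flagging unapproved adds."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        eid = event["eid"]
        if eid in MEMBER_ADDED:
            action, scope = "added", MEMBER_ADDED[eid]
        elif eid in MEMBER_REMOVED:
            action, scope = "removed", MEMBER_REMOVED[eid]
        else:
            continue
        if event["group"] not in PRIVILEGED_GROUPS:
            continue
        findings.append({
            "ts": event["ts"],
            "host": event["host"],
            "action": action,
            "scope": scope,
            "member": event["member"],
            "group": event["group"],
            "by": event["subject"],
            # An add of an account outside the allowlist is the case to escalate.
            "unapproved": action == "added" and event["member"] not in APPROVED_ADMINS,
        })
    return findings


if __name__ == "__main__":
    for f in privileged_membership_changes(SAMPLE_LOG):
        flag = "ALERT" if f["unapproved"] else "info"
        print(f"[{flag}] {f['ts']} {f['host']}: {f['member']} {f['action']} "
              f"{f['scope']} group '{f['group']}' by {f['by']}")
```

On the sample input this yields three findings: the unapproved addition of `CORP\svc-backup` to Domain Admins (alert), the approved addition of `CORP\tlee` to the local Administrators group, and the later removal of `svc-backup`. The Remote Desktop Users change and the logon event are ignored. Removals are kept as informational events because an add followed by a quick remove is exactly the pattern a log review should still be able to see.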
CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Finally, federal organizations need to detect configuration drift on their authorized systems. Tripwire Enterprise can help them in that regard by using file integrity monitoring (FIM) to report observed deviations from the secure baseline and to give security team members remediation instructions for returning an asset to its secure configuration.
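The baseline-and-compare loop at the heart of FIM, as an added example that is not Tripwire Enterprise’s code: it records a SHA-256 hash and the permission bits of every file under a directory, then classifies later variances as added, removed, content-changed or mode-changed. The `demo()` scenario builds a constructed configuration tree in a temporary directory and introduces three kinds of drift (a weakened hardening setting, a world-readable sensitive file and an unexpected new file); file names and contents are assumptions for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Hash the content and record the permission bits; both are part of the secure configuration."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(path.stat().st_mode)}


def build_baseline(root: Path) -> dict:
    """Record the known-good state of every regular file under root, keyed by relative path."""
    return {
        p.relative_to(root).as_posix(): _fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_drift(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the baseline and classify each variance."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "content_changed": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            if baseline[rel]["sha256"] != current[rel]["sha256"]:
                report["content_changed"].append(rel)
            if baseline[rel]["mode"] != current[rel]["mode"]:
                # Keep the baseline mode alongside the live one: it is the remediation target.
                report["mode_changed"].append(
                    (rel, oct(baseline[rel]["mode"]), oct(current[rel]["mode"]))
                )
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small config tree, then introduce three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        sshd = root / "ssh" / "sshd_config"
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        sshd.chmod(0o600)
        shadow = root / "shadow"
        shadow.write_text("root:*:18000:0:99999:7:::\n")
        shadow.chmod(0o600)
        baseline = build_baseline(root)

        # Drift 1: a hardening setting is weakened in place (same path, new content).
        sshd.write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        # Drift 2: a sensitive file is made world-readable (same content, new mode).
        shadow.chmod(0o644)
        # Drift 3: an unexpected file appears (constructed key material, not a real key).
        (root / "ssh" / "authorized_keys").write_text("ssh-ed25519 AAAA... unexpected@example\n")
        return detect_drift(root, baseline)


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print(f"{kind}: {item}")
```

The report separates content changes from permission changes because the remediation differs: a changed file is restored from the baseline or from configuration management, while a changed mode is simply set back to the recorded value. Hashing alone would miss the `shadow` permission drift, which is why the baseline records both.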
Tips for U.S. Federal Organizations Going Forward
Federal organizations can lay the foundation for their security efforts by incorporating the CIS Controls into their environments. Security professionals at those organizations can help by raising the CIS Controls in discussions and meetings with management and by emphasizing the value of control frameworks for simplifying security efforts and identifying overlaps. All that then remains is for them to contact Tripwire to explore how its solutions can help them implement the CIS Controls with little effort and expenditure.