National Cyber Security Policy: An Industry Viewpoint
A few weeks ago, I spoke with Dave Venable of Masergy, a network company that now provides managed detection and response services, to get an industry viewpoint on national cyber security policy. Masergy’s perspective in general is that attacks are fairly pervasive. As Venable put it, “It was shown over the last several years that you’re never going to prevent all the attacks from being successful, but what you can do is detect it very quickly and respond rapidly, and that minimizes the impact. That’s our primary focus – the managed detection and response piece.” Venable also leads the company’s professional services work, which involves penetration testing, vulnerability assessments and policy recommendations. Masergy can also serve as a virtual CISO, maintaining and improving a cybersecurity program. Here is a recap of our conversation:
Hugh Taylor: How do you feel about embedded threats, threats that are contained in firmware or embedded in code that people are downloading?
Dave Venable: They are downright terrifying.
Hugh Taylor: Okay. Why do you say that?
Dave Venable: Because of the potential impact. I think the first time we saw this out in the wild was with the Equation Group. It was revealed by Kaspersky that the firmware for several hard drive manufacturers had been compromised by a state actor who had inserted a Trojan. No matter how one cleaned their hard drive, they could get right back in.
The potential impact is much more pervasive than with typical malware. It’s also much more difficult to accomplish this, so there’s that trade-off, but as we’ve seen, it’s quite possible for the tools created by state actors to fall into the wrong hands, and once that’s happened, there’s no going back. The cat’s out of the bag.
Hugh Taylor: In terms of national cyber security policy, does it worry you that a lot of hardware is manufactured in countries where the state actor is maybe adversarial to the United States?
Dave Venable: Absolutely.
Hugh Taylor: It seems like there may be firmware in systems that are involved in critical infrastructure or other sensitive things that may have been created in places where people want to spy on us or attack us.
Dave Venable: It’s definitely an issue, in my view.
Hugh Taylor: What do you think can be done about it?
Dave Venable: One potential option would be to do some really serious analysis of what’s being put out there. There’s sort of a needle in a haystack aspect to this that if you go buy an off-the-shelf hard drive, you’re going to get what everybody else is getting.
Now if the US Government puts in an order saying, “we’d like 10 hard drives,” from a manufacturer in an adversarial state, I would expect those to be heavily compromised, but I don’t think that’s actually what’s happening. I think that they’re going through intermediaries that are purchasing bulk hard drives and then using them for a variety of different purposes and clients.
If every single hard drive is compromised, then it’s really hard to find which key things to go after. It would be fairly difficult to know which particular hard drive or which particular chip is going to end up in the target equipment. If you’re manufacturing industrial control systems, then maybe that’s less difficult, but anything that’s more general purpose, yeah, you’d expect that it would be hard to figure out which components are going into the target. You also have to keep in mind that at least, presumably, most of these critical infrastructure devices are not going to have open access to the Internet.
If it’s a single use or a much less general use piece of equipment that’s being manufactured, then yes, you’d absolutely expect something like that to be more thoroughly targeted, but again, I think there are some controls that can be put in place fairly easily to prevent that from necessarily having an impact. But, attackers can always find new ways around security controls.
Hugh Taylor: I’ve talked to a number of people and some of the solutions that they’ve suggested include things like using trusted computing software to check for changes in firmware.
Dave Venable: Right.
Hugh Taylor: Another is software that detects network anomalies that might detect exfiltration of data or unusual traffic around them. What do you think of those solutions?
Dave Venable: Yes, absolutely. Those are two very good options. Although one potential issue with looking for changes in the firmware is that, sometimes, you have a legitimate need to change firmware and two, if it was shipped in a compromised state, then the attacker doesn’t even need to change it.
Hugh Taylor: Right.
Dave Venable: An approach involving several of these different techniques would be recommended, so certainly looking for changes in firmware that you can’t explain would be good. Looking for anomalous network traffic is absolutely going to be one of the best options. In fact, just as a side note, that’s one of the main things we focus on here at Masergy.
One, understanding what normal traffic looks like is key in order to be able to differentiate anomalous traffic, and that’s going to be the case with any kind of exfiltration. It’s a hard problem though. It’s the classic example of the arms race.
However, with a really solid machine-learning approach, we’re seeing major headway in detecting traffic that ordinarily wouldn’t be detected. In fact, one example of this, something we caught using our behavioral analytics, was an adversarial state actor who had compromised a government contractor and was stealing intellectual property.
We found a single server sending out tiny packets, just a few bits at a time and one packet every few hours. This is something that is typically unnoticed.
But by using this behavioral analysis, we were able to spot it almost right away. The first packet that was sent was actually flagged because it was outside of the norm for the network. Later, our analysis revealed they were attempting to exfiltrate significant pieces of intellectual property.
Hugh Taylor: Interesting. I had a conversation about this type of thing with someone who’s in a similar business, making these AI-based network detection tools, and she made an interesting comment. She has a Defense background. She said that “The Abrams tank is really a computer with treads and a gun on top of it.”
Dave Venable: Exactly.
Hugh Taylor: Do you think that the Army should be concerned about hardware that’s in equipment like that, that it might be compromised?
Dave Venable: I would say that everyone needs to be concerned about it, including the Army.
Hugh Taylor: Do you think that it would help if there were some type of a higher level of authority in the United States to define and enforce security policy that said, for example, “If you’re a Defense contractor, you must use an American-made router” or something like that with real enforcement power? Do you think something like that would be helpful?
Dave Venable: Well, that does exist. The Defense Security Service, and a few other agencies, actually perform regular security audits at government and contractor facilities all the time. And there are a number of policies they must comply with, depending on the types of activity they’re involved in, the type of information they’re processing, storing, et cetera.
I’m not aware of any policies which would require use of a router that was entirely manufactured in the US though. I’m not sure you could find a router that was entirely manufactured in the US, but even if it were, how would we be certain that a foreign actor did not recruit an asset within that company to make some changes?
Hugh Taylor: I guess it’s about reducing the risk versus eliminating the risk.
Dave Venable: Exactly. For instance, we can fairly easily do a complete review of some of the code running on these devices. It will still be time-consuming, but it can be done. From there, have approved versions of firmware, and then you can actually confirm that that’s what’s running on any equipment. That would be one potential approach that would actually get at the heart of it.
If you know what’s in the code, and can confirm that code is what’s running on a device, then you’re going to be far better off than assuming equipment made in one place is more trustworthy than another. If you’re trusting something, that’s what I’m going to go after if I’m an adversarial actor.
Hugh Taylor: Do you have any thoughts you want to share about this with me or any insights you have about making the US more secure from these kinds of threats?
Dave Venable: I think you’re probably on the same page, but I would say this is one of our most serious threats right now. I think it’s also important to note that even if the foreign adversary that created some vulnerability or some way of accessing something isn’t the one that’s using it, other adversaries are certainly looking for – and finding – these types of back doors and are potentially able to exploit them. The threat really isn’t just confined to the state actor that perhaps manufactured or infected the equipment, but extends to any actor that has the capability of finding and exploiting it.
Even if it were manufactured by a friendly state that was not adversarial to the US and that inserted this type of backdoor, and an adversarial actor were to discover it, they can start exploiting it. And every sufficiently sophisticated country out there is doing this type of research; it’s not limited to the state that put the vulnerability in there in the first place.