Digital attackers are increasingly launching sophisticated campaigns in an effort to target U.S. federal agencies and other organizations. Two recent examples demonstrate this reality. These are the SolarWinds supply chain attack and the HAFNIUM Exchange exploit campaign.
The SolarWinds Supply Chain Attack
In mid-December 2020, the security community learned that an advanced persistent threat (APT) had targeted SolarWinds’ Orion network management software with a backdoor. Tripwire VERT warned that those responsible for the attack campaign could use the backdoor to compromise a network and move laterally in order to ultimately exfiltrate sensitive information.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently ordered Federal Civilian Executive Branch agencies to disconnect their Orion software from their networks until it could provide them with patching guidance at a later date. Even so, plenty of federal departments confirmed a compromise in the weeks and months that followed. Those entities included the Pentagon, the Department of Homeland Security, the Department of State, the National Institutes of Health, the Department of Justice, the National Nuclear Security Administration, the NSA and the Federal Aviation Administration (FAA).
The HAFNIUM Exchange Exploit Campaign
Not long after SolarWinds disclosed the supply chain attack, Microsoft warned of a threat actor called “HAFNIUM” exploiting four vulnerabilities in its Exchange Server software in an effort to steal data from vulnerable organizations. The tech firm said in its security advisory that it briefed U.S. government agencies about HAFNIUM’s ongoing attack campaign. In response, CISA released another emergency directive urging Federal Civilian Executive Branch agencies to either implement Microsoft’s security updates immediately or disconnect their Exchange servers until a time when they could deploy those patches onto their software.
CISA officials had not found any evidence of a federal agency having suffered a compromise from HAFNIUM as of March 10. But plenty of other organizations fell victim to HAFNIUM. Just days after Microsoft published its security advisory, KrebsOnSecurity reported that the threat actor had compromised at least 30,000 organizations in the United States alone.
What These Attacks Mean to Federal Organizations
The attacks discussed above, among others, highlight the need for entities in the U.S. government to strengthen their defenses against digital threat actors. One of the ways they can do this is by implementing the Center for Internet Security Critical Security Controls (“CIS Controls”). Indeed, a previous study found that organizations can prevent up to 85% of attacks by adopting the first five controls and 97% of attacks by adopting all 20.
Tony Sager, senior vice president and chief evangelist at CIS, feels the CIS Controls reflect a reality in which most organizations are faced with the same kinds of digital threats. As quoted in an interview with Tripwire’s Tim Erlin:
At CIS, we feel there’s this bad soup of bad things that we all have to deal with, right? As a practical matter, most enterprises don’t have the kind of threat information or the people and the time and the luxury of thinking about this. So, our view is that there’s a set of things that we all ought to do. That’s really the kind of philosophy behind things like the CIS benchmarks and the CIS critical security controls.
The only issue is finding the best way for federal agencies and other organizations to incorporate the CIS Controls into their environments. Indeed, CIS leaves open how to implement the security measures. This can pose a challenge to both private and public organizations, as they might…