Since its inception in early 2022, the Department of Homeland Security’s (DHS), Cyber Safety Review Board (CSRB) has generated some interesting outputs, specifically: reports on the Lapsus Hacking Group and the ongoing challenges created by the Log4j Vulnerability. Find the details here.
Background (February 2022)
Cyber Safety Review Board Launched by DHS
Consistent with our analysis back in November ’21 – “Cybersecurity and Cyber Incidents: Innovation and Design Lessons from Aviation Safety Models and a Call for a “Cyber NTSB” – the DHS has now established a Cyber Safety Review Board (CSRB). The announcement was made today by the DHS. According to the WSJ: “The board, officials have said, is modeled loosely on the National Transportation Safety Board, which investigates and issues public reports on airplane crashes, train derailments, and other transportation accidents. The new panel’s authority derives from an executive order that President Biden signed in May to improve federal cybersecurity defenses. The cyber board isn’t an independent agency like the transportation board and will instead reside within the Department of Homeland Security. It will have 15 members—three times as many as the full complement of the transportation board—from the government and the public sector who don’t need to be confirmed by the Senate. It lacks subpoena power, unlike the transportation board.
The Inaugural CSRB Report (July 2022)
DHS undersecretary: Log4j problem is not over, may take ‘a decade or longer’
“Log4j is not over. This was not a historic look back and now we’re in the clear,” Silvers said. “The board found that it is likely that organizations are going to be dealing with continued Log4j exposure for years to come, maybe a decade or longer.” – Rob Silvers, Board Chair, CSRB
“Concern around Log4j is far from over, according to the chairs of the Cyber Safety Review Board, which recently released a wide-ranging report on the bug’s origins. Rob Silvers, the undersecretary for policy at the U.S. Department of Homeland Security and board co-chair, spoke at the Black Hat conference on Thursday about ‘the largest mass scale cyber response in history’ after the vulnerability was discovered in December 2021.
While Silvers and co-chair Heather Adkins, Google’s vice president of security engineering, lauded the industry’s efforts to address the issue, both acknowledged that it will be years before Log4j is found and addressed in all its forms. The vulnerability in the open-source software opened up hundreds of millions of devices to exploitation.
The vulnerability in the widely-used Log4j Java library was discovered by an engineer working for Alibaba in early December and reported to the Apache Software Foundation. The controversy around the bug became the focus of the inaugural report in July from the DHS’s Cyber Safety Review Board — which found that, despite efforts by organizations across the federal and private sectors to protect their networks, Log4j had become an “endemic vulnerability” — meaning unpatched versions of the omnipresent software library will remain in systems for the foreseeable future. Silvers said the 15-person board — which spent five months on the report — filled a gap in the cybersecurity ecosystem, given its expertise from both the public and private sector. He noted that the board offered confidentiality protections to the more than 80 organizations that spoke about Log4j and anonymized the information provided. Adkins said the board spoke directly with Apache Software Foundation, cybersecurity vendors who had watched the ecosystem respond in real-time, and even representatives from the Chinese government.”
Review of the December 2021 Log4j Event
Publication: July 11, 2022
Cyber Safety Review Board
Key Findings and Recommendations from the report can also be found here.
Section 3 of the CSRB Report on the Log4j Event includes recommendations. The Recommendations are broken into four categories:
Address Continued Risks of Log4j: continued vigilance in addressing Log4j vulnerabilities for the long term.
1. Organizations should be prepared to address Log4j vulnerabilities for years to come.
2. Organizations should continue to report (and escalate) observations of Log4j exploitation.
3. CISA should expand its capability to develop, coordinate, and publish authoritative cyber risk information.
4. Federal and state regulators should drive implementation of CISA guidance through their own regulatory authorities.
Drive Existing Best Practices for Security Hygiene: adopt industry-accepted practices and standards for vulnerability management and security hygiene.
5. Organizations should invest in capabilities to identify vulnerable systems.
6. Develop the capacity to maintain an accurate information technology (IT) asset and application inventory.
7. Organizations should have a documented vulnerability response program.
8. Organizations should have a documented vulnerability disclosure and handling process.
9. Software developers and maintainers should implement secure software practices.
Build a Better Software Ecosystem: drive a transformation in the software ecosystem to move to a proactive model of vulnerability management.
10. Open source software developers should participate in community-based security initiatives.
11. Invest in training software developers in secure software development.
12. Improve Software Bill of Materials (SBOM) tooling and adoptability.
13. Increase investments in open source software security.
14. Pilot open source software maintenance support for critical services.
Investments in the Future: pursue cultural and technological shifts necessary to solve for the nation’s digital security for the long run.
15. Explore a baseline requirement for software transparency for federal government vendors.
16. Examine the efficacy of a Cyber Safety Reporting System (CSRS).
17. Explore the feasibility of establishing a Software Security Risk Assessment Center of Excellence (SSRACE).
18. Study the incentive structures required to build secure software.
19. Establish a government-coordinated working group to improve identification of software with known vulnerabilities.
The 2nd CSRB Report (July 2023)
US should crack down on SIM swapping following Lapsus$ attacks: DHS review
“The DHS review said the attacks showed how SMS-based multifactor authentication…can be undermined by cybercriminals due to lax security practices at telecom firms.”
“A string of high-profile cyberattacks carried out by teenage hackers in 2021 and 2022 highlights systemic weaknesses in the telecommunications industry and security practices used by a wide range of businesses, a Department of Homeland Security review found. In a 59-page report…the department’s Cyber Safety Review Board called on the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to strengthen their oversight and enforcement activities focused on SIM swapping, and ask telecommunications providers to report these attacks to the regulators. The board also recommended that organizations transition away from widely-used SMS and voice-based multifactor authentication, and instead “adopt easy-to-use, secure-by-default-passwordless solutions.”
The report, commissioned by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, focuses on a group of young hackers known as Lapsus$ that carried out a series of attacks on major technology companies, including Uber, Okta, Samsung and others. The attacks drew attention not only because of the victims involved, but because of their audacity — the hackers would often gain access to a company’s systems and sensitive data, and then post screenshots and emojis in companywide internal chat messages.
The DHS review said the attacks showed how SMS-based multifactor authentication — a practice widely used by organizations to add an extra layer of security when employees and customers log into accounts — can be undermined by cybercriminals due to lax security practices at telecom firms. Lapsus$ was able to obtain basic information about its victims, such as their name and phone number, and used them to perform fraudulent SIM swaps and intercept text messages that allowed them to sign into accounts or perform account recoveries.”
Review of the Attacks Associated with LAPSU$$ and Related Threat Groups
Publication: July 24, 2023
Cyber Safety Review Board
An Executive Summary of the report can also be found here.
Summary of the Report
The U.S. Department of Homeland Security established the Cyber Safety Review Board (CSRB) in February 2022, pursuant to President Biden’s Executive Order 14028 on improving the Nation’s Cybersecurity. The CSRB reviews significant cyber security events in order to make concrete recommendations that would drive improvements within the private and public sectors. The CSRB is comprised of senior U.S. government officials and senior industry executives. The CSRB is led by Robert Silvers, Under Secretary for Policy at DHS (Chair) and Heather Adkins, Vice President, Security Engineering at Google (Deputy Chair). The CSRB’s first review covered the vulnerabilities in the Log4j software library, and was published in July 2022. The CSRB’s second review focused on the activities associated with a loosely organized criminal group known as Lapsus$, which successfully compromised the systems of some of the world’s most well-resourced and well-defended companies.
Between 2021 and 2022, Lapsus$ conducted extortion-focused attacks against dozens of companies and government agencies around the world. Lapsus$ exploited vulnerabilities in the identity and access management ecosystem, penetrated corporate networks, stole source code, and demanded ransom payments. Lapsus$ operated against a backdrop of other criminal groups employing similar methods that were studied as part of this review. These groups demonstrated the still-prevalent vulnerabilities in the cyber ecosystem. They showed adeptness in identifying weak points in the system—like downstream vendors or telecommunication providers—that allowed onward access to their intended victims. They also showed a special talent for social engineering, luring a target’s employees to essentially open the gates to the corporate network.
Key Findings
The CSRB engaged with nearly 40 organizations and individuals to gather insights into Lapsus$’s actions and develop recommendations on behalf of public and private sector organizations. Highlights of the CSRB’s findings include the following.
- Lapsus$ employed low-cost techniques, well-known and available to other threat actors, revealing weak points in our cyber infrastructure that could be vulnerable to future attacks.
- The Board found that the multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers. In particular, the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA.
- Threat actors can easily gain initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks, which are exacerbated by a lucrative SIM swap criminal market. Current security protocols in the U.S. are not sufficient to prevent fraudulent SIM swapping.
- Many companies do not sufficiently consider third-party service providers and business process outsourcers (BPOs) in their risk management programs, enabling threat actors to exploit client relationships and conduct downstream attacks.
- The juvenile status of certain threat actors can limit federal law enforcement’s role and yield lighter penalties under their home countries’ legal frameworks. Less severe consequences may not adequately deter juveniles and few cyber-specific intervention programs exist that can help divert potential offenders to legitimate cybersecurity activities.
Recommendations
Identity and Access Management (IAM): IAM weaknesses are some of the most serious vulnerabilities in the digital ecosystem and will require dramatic improvements focused on innovative controls and alternative authentication factors.
Telecommunication and Reseller Vulnerabilities: Customers and retailers are at risk for social engineering and other manipulation schemes, which allow threat actors to access sensitive information and backdoors to additional targets. The telecommunications industry, as well as federal regulators, should take steps to build resiliency against illicit activities and help defend against threat actors.
Resiliency with a Focus on Business Process Outsourcers (BPOs): Organizations should design their security programs to cover both their own information technology environments as well as their vendors that host critical data or maintain direct network access, to create a strong foundation for ongoing risk management.
Law Enforcement/Juvenile Cybercrimes Disincentives: Disruption of threat actors and their attacks requires coordination among law enforcement, industry, and international partners.
What Next?
Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security
CSRB’s Third Review Will Provide Recommendations to Help Organizations Protect Against Malicious Access to Cloud-Based Accounts
…Secretary of Homeland Security Alejandro N. Mayorkas announced that the Cyber Safety Review Board (CSRB) will conduct its next review on the malicious targeting of cloud computing environments. The review will focus on approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud. The CSRB will assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers.
The Department began considering whether this incident would be an appropriate subject of the Board’s next review immediately upon learning of the incident in July. The Board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves. Once concluded, the report will be transmitted to President Joseph R. Biden, Jr. through Secretary Mayorkas and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.
Additional OODA Loop Resources
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat
Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.
Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat
