As we begin the new year, most media pundits will continue to focus their attention on the U.S. sanctioning of Russian entities and the expulsion of nearly three dozen of their intelligence agents from the U.S. An even bigger story, however, is the unprecedented steps taken by the Obama administration to shine a light on the tactics and procedures behind Russia’s “malicious cyber-enabled activities.” These were revealed in a 13-page report published jointly by the Federal Bureau of Investigation and the National Cybersecurity and Communications Integration Center, a branch of the Department of Homeland Security.
Publicly laying this level of detail out sets a dramatic precedent that could deal a significant blow to Russia’s current and future cyberoperations in the U.S. and elsewhere. The technical details of the report constitute an intelligence windfall for ordinary network defenders who have been starving for rich real-time threat information from the federal government to protect their systems against sophisticated actors. While there are downsides to such a dramatic reveal, it is clearly the right thing to do.
The report from the D.H.S. and F.B.I. marks the first time the federal government has gone to such lengths to attribute “malicious cyberactivity” to specific threat actors associated with a designated country. To most Americans, its contents are confusing and highly technical. The report’s files contain a lot of random IP addresses, signatures and character combinations known as file hashes.
But for any information security practitioner charged with defending against network intrusions, this data is a gold mine. Now that these cyber signatures have been disclosed, governments and companies of all sizes can automatically ingest and neutralize them. And perhaps more importantly, they can go hunting on their own networks to root out any previous compromises. Once the data is in hand, a quick scan or review of log history can lead defenders to the Russian activity.
In many respects, releasing information on an adversary’s tools and operational infrastructure is the cyber equivalent of naming undercover spies. Once disclosed, malicious code becomes harmless, and the command-and-control nodes ― usually vulnerable web servers or other unwitting endpoints ― are either abandoned by the hackers or hardened to prevent further exploitation. In other words, the adversary’s avenues of access to a target are burned, forcing them to seek additional vectors of attack.
Burning a hacker’s access revises the economics of the operation in favor of the defense. Gaining and maintaining persistent access to infrastructure “hop points” using custom-developed programs is a labor- and time-intensive endeavor ― especially when the operation involves physical intervention. In fact, one of the reasons most cyber intruders sit dormant for months on a victim’s network before executing an attack is to protect themselves against the consequential fallout of detection.
Of course, there are two sides to every story. While exposing the hacker’s tradecraft can be highly damaging to the offense, it also poses risks to the defense. The Obama administration’s decision to release Russian threat signatures was a calculated one that undoubtedly weighed the cost of compromising intelligence sources and methods. Indeed, it is safe to assume that the U.S. burned some of its assets as a result of this report.
Nevertheless, the costs of publishing the report are dwarfed by the benefits of proliferating more intelligence for citizens, businesses and governments to consume and use in the interest of network defense. Unlike traditional intelligence, where policymakers or war fighters are the primary customers, cyberthreat intelligence ― especially the technical details ― is most valuable when shared with software manufacturers, network administrators and even ordinary users. In this respect, the Obama administration’s action is not about “naming and shaming” but rather about enabling collective cyber defense through information sharing.
It is worth noting that the process of identifying and disclosing new cyber tradecraft, threats and vulnerabilities is well-established. The antivirus industry, for example, is constantly consuming signatures from security researchers and updating their software to protect end users. But the normal cycle of identifying a new vulnerability, disclosing it to the appropriate manufacturer and hardening the affected system is often protracted, leaving network defenders multiple steps behind the attackers.
Recent advances in automation, however, have contributed to significantly closing the gap between detection and remediation of new threats. Specifically, the practice of “automated indicator sharing” allows for real-time machine-to-machine sharing of threat intelligence ― precisely the type of data contained in the joint D.H.S. and F.B.I. report. The sharing of trusted and structured data enables organizations to, for example, automatically block traffic associated with a newly identified attack vector.
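The two defensive steps described above, ingesting a structured indicator feed of IP addresses and file hashes and then sweeping log history for matches, look roughly like this. This is an added illustration, not code from the report or from any government tool; the CSV feed, the log lines and every indicator value in it are constructed placeholders.

```python
import csv
import io
import ipaddress
import re

# Constructed indicator feed in a simple CSV shape (indicator,type); the values are
# documentation/test-net placeholders, not indicators from the joint report.
INDICATOR_CSV = """indicator,type
203.0.113.17,ip
198.51.100.9,ip
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256
"""

# Constructed log history: two web-server access lines and one endpoint file-hash line.
SAMPLE_LOGS = [
    '2016-12-30T10:01:02Z srv1 httpd 203.0.113.17 "GET /wp-login.php" 200',
    '2016-12-30T10:01:05Z srv1 httpd 192.0.2.44 "GET /index.html" 200',
    "2016-12-30T10:02:11Z host7 edr file=C:\\Users\\a\\tmp.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def load_indicators(csv_text):
    """Ingest the feed into exact-match sets; malformed rows are skipped rather than guessed."""
    ips, hashes = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value, kind = row["indicator"].strip(), row["type"].strip().lower()
        if kind == "ip":
            try:
                ips.add(str(ipaddress.ip_address(value)))  # validates, rejects "1.2.3.999"
            except ValueError:
                continue
        elif kind == "sha256" and SHA256_RE.fullmatch(value):
            hashes.add(value.lower())
    return ips, hashes


def scan_logs(lines, ips, hashes):
    """Return (line_index, indicator, type) for each log line containing a known indicator."""
    hits = []
    for i, line in enumerate(lines):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((i, ip, "ip"))
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append((i, h.lower(), "sha256"))
    return hits


if __name__ == "__main__":
    known_ips, known_hashes = load_indicators(INDICATOR_CSV)
    for idx, ind, kind in scan_logs(SAMPLE_LOGS, known_ips, known_hashes):
        print(f"line {idx}: matched {kind} indicator {ind}")
```

A real deployment would feed the matches into the blocking or alerting step rather than printing them, and would treat a hit as a lead to investigate, since an indicator alone does not establish what happened on the host.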
While the technology behind trusted and automated information sharing is in place, most of the data shared is not particularly high-value intelligence ― either because the federal government is unwilling to declassify it or, by the time it is declassified, the information is stale. In this case, the intelligence contained in the joint D.H.S. and F.B.I. report is far less valuable than it would have been had it been released months ago.
Nevertheless, it signals a promising development in the federal government’s efforts to streamline the disclosure process and its appetite to serve a broader public base. After all, the vast majority of the nation’s cyber infrastructure is owned and operated by the private sector. It’s time for government cybersecurity investigators to reveal more of their findings for the greater good.