Supporting the DoD’s Defend Forward Initiative

 

What is Defend Forward?

The DoD’s Defend Forward operational concept has been rolling out over the past few years. Policy makers and cyber defenders in government concluded that, just as an ungoverned Afghanistan led directly to the rise of Al-Qaeda and the 9/11 attacks, an ungoverned cyberspace was going to lead to a crippling cyber-attack of similar magnitude.

However, unlike Afghanistan, where the power vacuum was created by the withdrawal of the Soviet Union, the Internet was designed from the outset to be open. By design there are no police: no organization with the authority or the power to punish bad actors. The cavalry are stuck in the fort.

Something had to change.

Cyber Protection Teams (CPTs) working at the Department of Defense (DOD) were restricted to preparing for and responding to attacks on their own networks. Hacktivists, cyber criminals, and nation state adversaries were not restricted in the same way. This unequal playing field was addressed by removing the restriction on CPTs and allowing them to operate, at the invitation of partner nations, on those nations’ networks. This new operational concept is called Defend Forward.

The goal of Defend Forward is to move out into cyberspace and impose costs on bad actors, especially other nation states. Most adversary cyber teams use and reuse the same tactics, techniques, and procedures (TTPs), so finding their malware on foreign networks and publicizing it forces them to build new tooling and methods, which takes time, effort and money. Shining a light on these playbooks also tells friendly nations, other parts of government and civilians what to look for, further disrupting adversary operations. Lastly, it signals to adversaries that we know their procedures and puts them on the defensive.

 

How Do We Protect the Base?

While Defend Forward is off to a promising start, it is only one part of the ongoing cyber conflict. A “whole of nation” effort is needed, involving both government and industry. Only 10% of the critical infrastructure networks in the U.S. are controlled by our government. Industry needs to do its part and protect the home base.

We need to know our networks better than the attackers do. We need to verify that our networks are configured as securely as we intended. We need to find and mitigate the highest-risk issues first. The complexity of our networks makes this very hard to do without tooling.

RedSeal’s cyber terrain analytics platform and professional services help organizations improve their resilience to security events by understanding what’s on their networks, how it’s all connected, and the associated risk. RedSeal verifies that network devices are securely configured, validates network segmentation policies, and continuously monitors compliance with policies and regulations. It continually checks whether a network’s segmentation is working as designed and ranks endpoint vulnerabilities by risk, using its knowledge of the network to determine how reachable each vulnerable host is from untrusted networks and what an attacker could reach from it if it were compromised.

Click here to view the webinar titled, “Defend Forward, But Protect Your Base” with Wayne Lloyd, RedSeal Federal CTO and Mike Lloyd, RedSeal CTO.

Contact us for more information about how RedSeal can help you support our cyber protection teams.

Why I Chose RedSeal

I’ve been in cybersecurity for 19 years and love the field.  It’s technically a very challenging problem to solve and the stakes are extremely high. Those of us in this field are defending the foundation of the information age.  We are protecting the money in people’s bank accounts, their personal privacy and dignity, and even the elections at the heart of democracy. That makes for a strong sense of purpose.

When I looked around for a new opportunity, I knew I wanted to make a real difference. Rather than run an existing large operation, I wanted to help something new and important grow. I have a passion for it. McAfee went from $500M to $2B in sales while I was head of product. At Sophos, my BU grew 25% per year while I was there. I think RedSeal is perfectly positioned to grow. We are in a nascent market that should be much larger.

The important things are in place for growth. RedSeal has an outstanding customer value proposition. It addresses a huge hole in cybersecurity and network understanding.  It has a unique and powerful technology. When I got my first demo of the product, I was frankly blown away by how powerful it is. It is something everyone should have. No network administrator of a large network really knows what’s on his network and how it’s configured.

RedSeal has a great team and a great culture. Innovation is really a function of having a collection of smart motivated people and getting them to build on each other’s ideas. To do that you need a culture in which people enjoy working with each other, where they hold each other to a high standard, and where they feel comfortable sharing their ideas. That is what we have here at RedSeal, and that environment isn’t as common as you would think in the high-tech industry.

What’s more, cybersecurity in general is always rife with opportunity. All high-tech markets are highly dynamic because innovation is forever changing the landscape and creating opportunities. Cybersecurity is doubly so because it has a variable other markets don’t – bad guys. Cyber criminals are also innovating, and what they do drives us to respond in kind. So, the cybersecurity space moves even faster than the rest of high-tech. That is why there are always so many startups in cybersecurity.

In our space specifically, there is a huge opportunity for innovation. Networks are going through two simultaneous technical revolutions with the advent of software defined networking technology and the movement of data centers to the cloud. These trends make networks even more complex than they have been historically.  A typical corporate network now spans on premise infrastructure and a presence in one or more public clouds. And the world is still figuring out how to secure that kind of hybrid environment.

In 1999, Bruce Schneier famously wrote “complexity is the worst enemy of security.” At that time, his plea was to create a simpler cyber world that could be secured. Unfortunately, that turned out to be impossible. The relentless demand for features and functionality drives ever increasing complexity. At RedSeal we use technology to understand the complexity of technology. We simplify an almost incomprehensible world so it can be understood and secured – a very gratifying and exciting mission.

High Severity Security Flaw with Cisco ASA: Find It and Prioritize Patching Quickly

RedSeal Cyber Threat Series

Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software have a known vulnerability, CVE-2020-3452. It allows an unauthenticated, remote attacker to conduct a directory traversal attack and read sensitive files on a targeted system.

By exploiting this vulnerability, the attacker can view files within the target device’s web services file system. Those files may contain information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs. There are no workarounds that address this vulnerability.

Enterprises should patch their Cisco ASA and FTD Software as soon as possible. The web services file system is at risk only when the WebVPN or AnyConnect functionality is enabled, so devices with those features enabled should be patched first. Note: the ASA or FTD system files and the underlying operating system files are not readable through this vulnerability.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices.
  2. Create and run daily reports until all affected systems are patched.
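As an added illustration of the first step above, here is a stand-alone Python script (not RedSeal’s own best practice check) that does the equivalent over exported ASA running-configs: it parses each config, reports every device that has WebVPN enabled on an interface, which is the condition under which the web services file system is at risk, and prints the version string so it can be compared with the fixed releases in Cisco’s advisory (that table is deliberately not embedded here). The configs are constructed samples with invented hostnames; FTD devices managed through FMC would need their configuration pulled differently.

```python
"""Flag Cisco ASA devices whose WebVPN/AnyConnect web service is enabled.

Added example, not RedSeal's own check. Input is ASA running-config
text (what `show running-config` prints). A device is reported as
exposed when the top-level `webvpn` block enables the service on at
least one interface, which is the condition under which the web
services file system described in the advisory is reachable. The
version string is reported alongside so it can be compared with the
fixed releases in Cisco's advisory; that table is not embedded here.
"""
import re
from dataclasses import dataclass, field


@dataclass
class AsaExposure:
    hostname: str
    version: str
    webvpn_interfaces: list = field(default_factory=list)
    anyconnect_enabled: bool = False

    @property
    def exposed(self) -> bool:
        # WebVPN (and therefore AnyConnect) is only reachable once it is
        # enabled on an interface.
        return bool(self.webvpn_interfaces)


def parse_asa_config(text: str) -> AsaExposure:
    """Walk the config line by line, tracking only the top-level webvpn block.

    ASA configs nest by indentation: `webvpn` also appears indented under
    `group-policy ... attributes`, and those sub-blocks must be ignored,
    so the block flag is set only by an unindented `webvpn` line.
    """
    hostname, version = "unknown", "unknown"
    interfaces, anyconnect = [], False
    in_webvpn = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in ":!":      # comments and separators
            continue
        if not line.startswith(" "):         # a top-level command ends any block
            in_webvpn = line == "webvpn"
            if m := re.match(r"hostname (\S+)$", line):
                hostname = m.group(1)
            elif m := re.match(r"ASA Version (\S+)", line):
                version = m.group(1)
            continue
        if in_webvpn:
            cmd = line.strip()
            if m := re.match(r"enable (\S+)$", cmd):
                interfaces.append(m.group(1))
            elif cmd == "anyconnect enable":
                anyconnect = True
    return AsaExposure(hostname, version, interfaces, anyconnect)


def find_exposed(configs: dict) -> list:
    """Return the exposed devices, sorted by hostname, from {label: config text}."""
    found = (parse_asa_config(cfg) for cfg in configs.values())
    return sorted((e for e in found if e.exposed), key=lambda e: e.hostname)


# Constructed sample configs (invented hostnames, not real devices).
SAMPLE_CONFIGS = {
    "asa-edge-01": """\
: Saved
ASA Version 9.12(3)
!
hostname asa-edge-01
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 webvpn
  anyconnect ssl dtls enable
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
""",
    "asa-dc-02": """\
: Saved
ASA Version 9.8(4)
!
hostname asa-dc-02
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
webvpn
 cache
  disable
""",
    "asa-lab-03": """\
: Saved
ASA Version 9.14(1)
!
hostname asa-lab-03
interface GigabitEthernet0/0
 nameif mgmt
 security-level 100
""",
}

if __name__ == "__main__":
    for dev in find_exposed(SAMPLE_CONFIGS):
        print(f"{dev.hostname}: ASA {dev.version}, WebVPN on "
              f"{','.join(dev.webvpn_interfaces)}, AnyConnect "
              f"{'on' if dev.anyconnect_enabled else 'off'} -> compare with fixed release")
```

Feed it the output of `show running-config` from each firewall (one entry per device) and treat every line it prints as a patch candidate; a device whose `webvpn` block has no `enable <interface>` line is not exposing the web service and can be scheduled later.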

For additional details, contact your RedSeal sales representatives or email info@redseal.net

 

Be Prepared with RedSeal: DOD-Required Cybersecurity Maturity Model Certification

Cybersecurity Maturity Model Certification (CMMC) is a tiered system in which defense contractors, and any other organization holding Controlled Unclassified Information (CUI) for the DoD, must be vetted by a third-party assessor on a five-level scale that rates the maturity of their enterprise security. It requires companies that do business with the Department of Defense to protect that data, since it is critical to national security and to America’s competitive military edge.

Even though China and other countries have been stealing plans and other intellectual property (IP) for some time, the defense industrial base has until now been allowed to self-certify its compliance with the cybersecurity regulations covering unclassified information.

As cyber theft of IP has continued, holding contractors to a higher, enforceable standard is both important and worth doing.

Essentially, CMMC is an expanded, enhanced and enforced version of NIST SP 800-171 compliance. The key differences are:

  • Enhanced controls for Levels 4 and 5
  • Requirement for third-party audit instead of self-certification

A non-profit organization, the CMMC Accreditation Body, has been established to accredit CMMC Third-Party Assessment Organizations (C3PAOs), the assessors who will serve as auditors. A certification is expected to be valid for three years.

The 110 security controls established by SP 800-171 are the foundation of the 171 practices across 17 security domains required to reach the highest level of CMMC. Each Request for Proposal (RFP) will state the level of certification required to be awarded the contract. Based on what we know right now, CMMC Level 3 is expected to be the de facto standard for most organizations doing business with the DOD, with Levels 4 and 5 reserved for more sensitive programs. The DOD is working on a DFARS rule change to incorporate CMMC into contracts by Fall 2020, although full roll-out is targeted for 2025.

How Can RedSeal Help?

For defense contractors who want to continue to bid on and win business, maintaining CMMC standards will now be mandatory. For large organizations, adding CMMC to existing audit and compliance processes may not be that hard a lift. Smaller companies, however, often will not have the staff or resources. Automating and simplifying as much of the process as possible is therefore key to success.

RedSeal’s cyber terrain analytics platform helps automate 67 of the 171 controls mandated by CMMC. Many of the controls are tedious to complete and must be checked repeatedly at specific intervals determined by NIST 800-171. By using RedSeal, your team can quickly identify where your network has drifted out of compliance, allowing them to rapidly remediate identified misconfigurations without having to pore over hundreds of spreadsheets, reviewing tens of thousands of lines of firewall rules and access control lists to determine if you are still compliant.

Additionally, when it comes time for re-certification you can rest assured that your company is prepared for the audit because RedSeal has been continuously monitoring the configuration state of those 67 controls, allowing your network and cybersecurity teams to efficiently use their time by keeping the business prepared and mission ready.

This comprehensive, continuous inspection allows RedSeal to report a risk-based audit of a network and then continuously monitor its security posture. Operators, analysts, and members of your leadership team can track how defensive operations are trending over time via RedSeal’s Digital Resilience Score, which also measures vulnerability management, secure configuration management, and overall understanding of the network.

RedSeal’s platform shows you what is on your network, how it’s connected, and the full context of the associated risk. With RedSeal, you can visualize end-to-end access, intended and unintended, between any two points of the network to accelerate incident response. This visualization includes detailed access and attack paths for individual devices in the context of exploitable vulnerabilities to speed decision making during a mission.

RedSeal builds a complete model of your network—including cloud, SDN, and physical environments—using configuration files retrieved either dynamically or completely offline. It brings in vulnerability and all available endpoint information. Your teams will be able to validate that network segmentation is in place and configured as intended. RedSeal checks all network devices to see if they comply with industry best practices and standards such as DISA STIGs and NIST guidelines. This proactive automation greatly reduces audit prep time (CCRI, others) and assists with speedy and better informed remediation.

RedSeal provides the DOD, as well as commercial, civilian and intelligence organizations, with a real-time model and understanding of their cyber terrain so they can discover, detect, analyze, and mitigate threats and deliver resilience to the mission.

For more information, click here to read the RedSeal and CMMC PDF or click here to visit our webpage focused on CMMC.

‘Red Teams’ Need to Deliver Context — Let’s Help Them

Working on a Red Team is frustrating. I know, I was on one.

Red Teams work hard penetrating systems, gathering data and presenting findings to senior management, only to get strongly dismissive responses: “So what?” This is frequently followed by an order not to share detailed information with the Defensive Cyber Operations (DCO) teams defending the network. Sometimes the reason is obvious. Sometimes not.

I came to realize that the underlying problem is that the findings don’t include enough information to overcome the culture of inertia that comes with the cybersecurity world. I have actually had executive leaders tell me they would lose plausible deniability.

This obviously sub-optimal situation hasn’t changed since my time serving on a Red Team.

The DOD Office of Inspector General just released a new report, “Followup Audit on Corrective Actions Taken by DoD Components in Response to DoD Cyber Red Team-Identified Vulnerabilities and Additional Challenges Facing DoD Cyber Red Team Missions.”

This was a check up on the earlier report “Better Reporting and Certification Processes Can Improve Red Teams’ Effectiveness,”  a more easily understandable title.

They investigated three areas to see what had changed in the seven years since:

  • Did DoD Cyber Red Teams support operational testing and combatant command exercises?
  • Were corrective actions being taken to address DoD Cyber Red Team findings?
  • Did the assessed risks affect the ability of DoD Cyber Red Teams to support DoD missions and priorities?

The results? In a word: No.

The data generated by Red Teams and the teams conducting Defensive Cyber Operations is still not being shared. Worse, even with better procedures, part of the problem is that both the results and the analysis of the results of penetration testing and vulnerability management functions are superficial.

They don’t pass the “so what” test.

Red Teams can’t do their job well unless they have an accurate map of the cyber terrain to put their findings into a larger context. That context is what turns a list of findings into a statement of risk to the mission, and it is what makes reducing that risk possible.

Unique in the industry, RedSeal can model and evaluate Layers 2, 3, 4 and now 7 — application-based policies. And, it includes endpoint information from multiple sources.

If both Red Teams and the DCO teams tasked with defending the cyber battlespace can easily analyze 3-4 layers of complex attack depth to connect vulnerabilities exposed to the Internet with pivots and attack paths buried deep in a network’s hybrid infrastructure, their recommendations will be seen as worthy of immediate attention. This will lower the risk to mission in a real way.

Maybe then, senior management will listen, the process will radically improve, and the DOD Inspector General will not have to write a report saying nothing has changed in seven years.

For more information, click here to speak with a RedSeal government cyber expert.

U.S. Not Ready for Online Voting, Stick to Mail-In Ballots

American democracy is resilient. From its rebuilding after our civil war to recovering from the Great Depression, America has been able to overcome the largest of obstacles. However, 2020 gives us unprecedented challenges that will test this resilience. Central to our country’s recovery from this pandemic will be ensuring the foundation of our democracy remains intact: free and fair elections.

Despite the current news cycle, our election system is very resilient because of our forefathers’ design. State and local governments distribute and implement elections individually, leading to different procedures and regulations within each jurisdiction, which creates independent – or segmented — operations.

In the cyber world, segmentation is central to digital resilience. A segmented network can help organizations minimize damage from some of the most advanced forms of cyberattacks by preventing them from overtaking the entire network. The independent orchestration of our elections is very similar. However, COVID-19 presents a conundrum: keeping people physically distant is profoundly challenging with in-person voting.

So, how do we combat this issue?

A few states are beginning to explore online voting to help citizens maintain social distance and ensure their franchise. The CARES Act even allows states to use some of the funds to pursue online voting systems. However, while online voting holds promise, there is simply not enough time to roll out a secure, vetted system before November’s elections. Plus we still haven’t repaired the issues that our 2016 elections revealed about the vulnerabilities of our existing online systems. America’s election process remains extremely vulnerable to cyberattacks. In fact, last December Valimail confirmed only 5% of the country’s largest voting counties are protected against email impersonation and phishing scams. Specifically, this vulnerability was found in Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin, six key swing states in this upcoming election cycle. This vulnerability opens a door to bad actors that could allow voting data to be stolen, manipulated or deleted in 95 percent of the highest populated counties in the nation.

Luckily, we have a solution that’s already in place, accessible nationwide, resilient and in a sense, “un-hackable”: absentee voting by mail.

For decades, absentee ballots have been the bridge connecting those who are unable to make it to the polls on election day. Now, it can be the cornerstone for everyone. While filing for an absentee ballot can be an arduous process, states are now making it more accessible. For example, Michigan is automatically sending absentee ballot applications to every resident to both encourage social distancing and support democratic participation. This supports secure, offline elections with segmentation still in-play. Additionally, an overwhelming majority of Americans support expanding access to voting by mail. Recognizing that any change is difficult, 16 states delayed their primaries, which illustrates the urgency to act now so we can move onto the general election by November.

In these unprecedented times, we must support all efforts to ensure our elections remain free and fair and guarantee each citizen’s franchise. While we have the technology and the ideas necessary to move to completely online elections, that can and should only happen when it’s secure and tested accordingly. In these pressing times, there is no bandwidth to do so. However, the $2 trillion stimulus package included $400 million for states to prevent, prepare and plan for COVID-19’s impact on the 2020 elections. This amount is a significant step in the right direction, but a full roll-out of voting by mail, let alone ensuring secure online voting, would require a much larger investment. I urge lawmakers at both the state and federal level to embrace mail-in ballots. We need to ensure this year’s elections are available to every citizen, whether they are practicing social distancing or fully quarantined, and without fear that exercising their franchise will expose them to a deadly illness. We can maintain the resiliency of our country, our elections and our health with mail-in ballot elections. We just need the will to do so.

Change Management Processes are Critical — From Nuclear Submarines to Your Network

How often have you made a network change that didn’t work the way you expected, or even created a new issue? The list of configuration changes needed to build, maintain, and secure a network is daunting. It’s all too easy to act without thoroughly thinking through the impact on the whole network. Initially it may appear that quick action on a small change saves time, but that can be a trap that leads to costly mistakes. Changes often have complex implications. The wrong change can result in downtime and millions of dollars in lost productivity or revenue. No one wants to be that person.

Change management is the organizational process that ensures we stop and consider the impact of a change before acting. It’s used in many industries, including IT. Submarine commanders need change management in an environment just as complex as information technology but with more serious, life-or-death repercussions. In his book, Turn the Ship Around!, former submarine commander David Marquet describes “Deliberate Action,” the process he used to build competency, reduce errors and improve resiliency. It required sailors to stop and think before making a change. Stopping, thinking, and then acting provides an opportunity to review and thoroughly consider the impact of an action.

Marquet got great results:

“Later, when Santa Fe earned the highest grade on our reactor operations inspection that anyone had seen, the senior inspector told me this: ‘Your guys made the same mistakes—no, your guys tried to make the same number of mistakes—as everyone else. But the mistakes never happened because of deliberate action. Either they were corrected by the operator himself or by a teammate.’

He was describing a resilient organization, one where error propagation is stopped.”

A nuclear submarine has highly engineered systems that are tightly coupled, all of which need to work for the whole system to operate properly. Errors can damage valuable and sensitive nuclear reactor equipment or even result in complete system failure and death of an entire crew.

Like a nuclear submarine, IT networks are highly engineered and tightly coupled and need resiliency to avoid catastrophe. Every interconnected system relies on others, as in nuclear submarines. And having a change management process to ensure that everyone stops and sufficiently thinks before acting is just as important. We need to avoid the temptation to bypass the change management process and execute a change quickly, thinking we’re “saving time.” Catastrophe can be lurking around the corner, and none of us wants to be responsible for a Code Red.

The RedSeal platform gives you the ability to quickly think through the impact of change prior to acting. It tells you what you have, how it’s connected, and where your risks are. RedSeal discovers the devices on your network and creates a digital network model of how everything is connected. The model can provide deep insights into the implications and impact of change. On the submarine, the requirement to stop and think not only gives sailors time to process using their own experience and knowledge, but also allows teammates with additional experience and knowledge to think and intervene before mistakes are made. RedSeal is a reliable teammate you can have by your side as you execute change management.  It knows how everything is interconnected and can better show you the impact of a proposed change.

With RedSeal, you can engineer “Deliberate Action” into your change management. It may seem that stopping to think takes time and costs money, especially during an incident, but errors can be far more damaging. RedSeal lets you stop for shorter periods and still avoid errors. By automating analysis steps and reducing complexity, RedSeal helps you make your network more secure and resilient.

 

Marquet, David L., Turn the Ship Around! Penguin RH 2012. Pg 124

To Recover and Rebuild, Look to Technology

As I write this, our society is amid an economic collapse and social closure the likes of which no one in our lifetime has ever seen. People everywhere are trying to create some kind of certainty so that they can plan their future, get back to their “day job” and feel safe while resuming a normal, active life. While the recovery process will be long and the challenges many, when we emerge on the other side it’ll be our uniquely American characteristics which help us triumph.

A recent op-ed in USA Today perfectly summarized the opportunity this pandemic presents: In recovering and rebuilding, every American should contribute and can do so by utilizing our most unique quality: ingenuity. While many characteristics define us as a nation, ingenuity is the engine which drives our success.

As each industry sector finds ways to contribute, the technology sector has its own unique role to play. Among the many advancements that have proved essential during this time, technology has allowed for productive work away from an office and schooling at a distance, automation has reduced in person interactions and supercomputing has helped model the spread of the disease. It is important that while we adopt new technologies and further embed others ever deeper into our daily lives, we consider how to secure those devices and the networks on which they function. As we apply techniques in the physical world to keep us healthy – handwashing, social distancing – we must also implement cyber hygiene principles to keep our networks healthy.

Implementing cyber hygiene means your organization is less likely to battle common cybersecurity issues. Utilizing a cyber terrain modeling tool like RedSeal as part of regular cyber hygiene practices means executives and business leaders can automatically view and monitor their network and identify potential problems before they manifest. This allows organizations to make better decisions about where to allocate budget and funding and to put greater focus on their primary goals.

Technology can both contribute to solutions and help guard against the challenges we face. Practicing good cyber hygiene keeps businesses healthy so executives and business leaders can focus on what really matters—producing original and inventive ways to improve our society and creating a future we all want to live in.

Know What to Protect and Why

In my last article, I discussed the importance of walking the terrain, or knowing your network. I suggested beginning at a high level: identify your sites, then group your assets by site or facility. This is a great place to start understanding your network because network controls tend to be fairly static. However, discovering network devices like routers often leads to discovering subnets and previously unknown endpoints.

This raises two questions: Why should I care about my endpoint inventory? What should I do with this data?

Maintaining accurate endpoint inventory data is a daunting task. In modern environments, endpoints change all the time, and the rate of churn keeps growing. We need to prioritize. There are two aspects of endpoint inventory that security professionals should focus on.

The first is to look at your network through the eyes of an adversary and ask, “What is most valuable?” In a military example this might be a bridge, an airfield, or a key logistics site. In the cyber world this might be your credit card holder data, your intellectual property, or the CFO’s laptop. Consider what an adversary might want to accomplish. Are you concerned about a nation state stealing intellectual property? Might someone want to disrupt your operations? Could organized crime try to extort money after encrypting your systems?

Most security professionals believe that “everything is important.” While that may be true, we all have limited resources. We need to prioritize where to apply preventative technologies, which vulnerabilities to patch, and which incidents to investigate. It is imperative to identify the key data and systems first, so that a control framework can be chosen to protect them.

The second important aspect of endpoint inventory data is using it to maintain the accuracy of your operational systems. Many key security systems depend on the accuracy of endpoint data. Our customers almost always have a CMDB, vulnerability scanner, EDR agents, and a patching system. The numbers coming from these systems never agree. We see CMDBs that are about “80% accurate;” endpoints that aren’t being scanned; endpoints that are missing agents; and some endpoints that aren’t being patched. Being able to quickly see the difference between these operational systems will identify gaps in your operations. For example, if your EDR count is greater than the one from your vulnerability scanner, you can quickly identify the exact systems that are not being scanned. If the count you’re getting from your vulnerability scanner is greater than the one from your patching system, you can quickly identify systems not being patched. Organizations that operationalize this process aren’t just maintaining an inventory count, they’re ensuring a more accurate use of their key operational systems.
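The reconciliation described in the paragraph above, as an added example in Python that is not RedSeal’s own code: the four inventories are constructed sample exports standing in for the CMDB, vulnerability scanner, EDR console and patching system, and the hostnames are invented. The normalisation step matters in practice because raw counts disagree partly for uninteresting reasons (FQDN versus short name, mixed case), and the gaps only become actionable once those are collapsed.

```python
"""Reconcile endpoint inventories from the operational systems that
should all agree but rarely do.

Added example, not RedSeal code. INVENTORIES holds constructed sample
exports standing in for the CMDB, vulnerability scanner, EDR console
and patch server; the hostnames are invented.
"""

# Constructed sample exports. The EDR console reports FQDNs and mixed
# case, which inflates a naive count comparison.
INVENTORIES = {
    "cmdb":     {"web01", "web02", "db01", "app01"},
    "scanner":  {"web01", "web02", "db01", "db02"},
    "edr":      {"WEB01.corp.example", "Web02", "db01", "db02", "app01", "jump01"},
    "patching": {"web01", "web02", "db01", "app01"},
}


def normalise(name: str) -> str:
    """Collapse FQDN and case differences so the same host compares equal."""
    return name.strip().lower().split(".")[0]


def normalised(inventories: dict) -> dict:
    """Apply normalise() to every host in every source."""
    return {src: {normalise(h) for h in hosts} for src, hosts in inventories.items()}


def summary(inventories: dict) -> dict:
    """Per-source host counts after normalisation, plus the size of the union."""
    norm = normalised(inventories)
    counts = {src: len(hosts) for src, hosts in norm.items()}
    counts["universe"] = len(set().union(*norm.values()))
    return counts


def coverage_gaps(inventories: dict) -> dict:
    """For each source, hosts known to any other source but missing from it.

    A host missing from the scanner is unscanned, one missing from the
    patch server is unpatched, one missing from the CMDB is unmanaged.
    """
    norm = normalised(inventories)
    universe = set().union(*norm.values())
    return {src: sorted(universe - hosts) for src, hosts in norm.items()}


def pairwise_gap(inventories: dict, have: str, lack: str) -> list:
    """Hosts present in `have` but absent from `lack`; e.g. the exact
    systems the EDR sees that the vulnerability scanner never touches."""
    norm = normalised(inventories)
    return sorted(norm[have] - norm[lack])


if __name__ == "__main__":
    print("counts:", summary(INVENTORIES))
    for src, missing in coverage_gaps(INVENTORIES).items():
        print(f"missing from {src}: {missing or 'none'}")
    print("EDR-but-not-scanned:", pairwise_gap(INVENTORIES, "edr", "scanner"))
    print("scanned-but-not-patched:", pairwise_gap(INVENTORIES, "scanner", "patching"))
```

Run against real exports, `coverage_gaps` gives one worklist per operational system, and the pairwise form answers the two questions the paragraph poses directly: which hosts the EDR knows about that the scanner never scans, and which scanned hosts the patching system never patches.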

Best Practices for Cyber Resilience: Step One, Walk the Terrain

 

You’ve been asked to defend your organization from a myriad of threats: state sponsored attacks, cyber criminals, insiders. But where do you start?

Many years ago, as a young Marine lieutenant I learned that the first step to establishing a defense is to understand what you’re defending. You must know the terrain. Walk the terrain. Understand the key parts of the terrain and all avenues of approach. Then ask yourself how you would attack the same terrain. You must understand your own terrain better than the enemy.

In information security, we haven’t been given the luxury of understanding what we have — but we need to understand what we have to effectively defend it. Our networks were built to optimize for performance and availability, not for security. Understanding our cyber terrain has become a daunting task – but one fundamental to security.

Today, we rely on current inventory management technologies, but they provide just part of the picture. You get an overwhelming amount of detail and yet still struggle to understand how everything interconnects.

Ideally, you’d like to be able to understand what you have, how it’s all connected, and what’s at risk. Specifically, you’ll want to:

  • Visualize each of your sites and the connectivity between them.
  • Locate and identify devices missing from your inventory management and NCCM solutions.
  • Rationalize data from multiple data sources, including vulnerability scanners, CMDBs and EDRs.
  • Quickly determine where an attacker can traverse to in your network — from any point.

Most organizations begin by trying to get their endpoint or host inventory. This seems logical, since that’s where your applications and data are housed. But without an overall picture of how your network is configured, you have a collection of data points that don’t tell a full story.

The first step needs to be organizing your cyber terrain at the highest level. Identify your sites, then group your assets by site or facility. For example, assign devices to your Austin data center, Denver data center, branch offices, and AWS. Next, determine the connectivity within and between these sites. This requires an inventory of networking devices and their configurations. You’ll end up with a model of your network devices, security groups and VPCs and quickly be able to get a picture of all the connections and interconnections — intentional and unintentional — in your network. Inevitably, you’ll discover unknown network devices.

Then, with this framework in place, you can add your host information.
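A worked version of the procedure above (and of the wish list a few paragraphs earlier), as an added Python example that is not RedSeal’s own model: DEVICES and NEIGHBOR_TABLES are constructed stand-ins for the parsed device configurations and CDP/LLDP neighbour tables you would collect, with invented device names and addresses. It groups devices by site, derives the inter-site links from shared subnets, computes where an attacker could reach from any subnet in the unfiltered model (ACLs and firewall policy are deliberately ignored at this stage), and flags neighbours that known devices report but the inventory does not contain.

```python
"""Group network devices by site, derive inter-site links, compute
worst-case reachability, and flag devices the inventory lacks.

Added example, not RedSeal code. DEVICES and NEIGHBOR_TABLES are
constructed stand-ins for parsed router/firewall configs and for
CDP/LLDP neighbour output. Reachability ignores ACLs and firewall
policy, so it is the unfiltered picture you start from before adding
those controls to the model.
"""
import ipaddress
from collections import defaultdict, deque

# name -> (site, subnets on its interfaces)   [constructed sample data]
DEVICES = {
    "aus-core-01":   ("Austin DC",     ["10.1.0.0/24", "10.1.10.0/24", "172.16.0.0/30"]),
    "aus-lab-fw-01": ("Austin DC",     ["10.1.99.0/24"]),        # no uplink: isolated
    "den-core-01":   ("Denver DC",     ["10.2.0.0/24", "172.16.0.0/30", "172.16.0.4/30"]),
    "den-vpn-01":    ("Denver DC",     ["10.2.0.0/24", "172.16.0.8/30"]),
    "phx-branch-01": ("Branch PHX",    ["10.3.0.0/24", "172.16.0.4/30"]),
    "aws-vgw-01":    ("AWS us-east-1", ["10.100.0.0/24", "172.16.0.8/30"]),
}

# device -> neighbours it reports over CDP/LLDP   [constructed sample data]
NEIGHBOR_TABLES = {
    "aus-core-01":   ["den-core-01", "aus-sw-07"],
    "den-core-01":   ["aus-core-01", "phx-branch-01", "den-vpn-01"],
    "phx-branch-01": ["den-core-01"],
}


def devices_by_site(devices: dict) -> dict:
    """Step one: group the inventory by site or facility."""
    by_site = defaultdict(list)
    for name, (site, _subnets) in devices.items():
        by_site[site].append(name)
    return {site: sorted(names) for site, names in sorted(by_site.items())}


def build_graph(devices: dict) -> dict:
    """Bipartite adjacency: a device is joined to every subnet it has an
    interface on, so two devices sharing a subnet are two hops apart."""
    graph = defaultdict(set)
    for name, (_site, subnets) in devices.items():
        for cidr in subnets:
            net = str(ipaddress.ip_network(cidr))   # validates and normalises
            graph[name].add(net)
            graph[net].add(name)
    return graph


def site_links(devices: dict) -> list:
    """Pairs of sites joined by a shared subnet (a WAN or VPN link)."""
    site_of = {name: site for name, (site, _s) in devices.items()}
    links = set()
    for node, nbrs in build_graph(devices).items():
        if node in devices:               # only subnet nodes join devices
            continue
        sites = sorted({site_of[d] for d in nbrs})
        links.update((a, b) for i, a in enumerate(sites) for b in sites[i + 1:])
    return sorted(links)


def reachable_from(start: str, devices: dict) -> set:
    """Every device and subnet reachable from `start` with no filtering (BFS)."""
    graph = build_graph(devices)
    start = str(ipaddress.ip_network(start))
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def reachable_sites(start: str, devices: dict) -> list:
    """Sites an attacker on `start` could touch in the unfiltered model."""
    return sorted({devices[n][0] for n in reachable_from(start, devices) if n in devices})


def unknown_neighbors(devices: dict, neighbor_tables: dict) -> list:
    """Neighbours seen by known devices that the inventory has never heard of."""
    reported = {n for nbrs in neighbor_tables.values() for n in nbrs}
    return sorted(reported - set(devices))


if __name__ == "__main__":
    print("by site:", devices_by_site(DEVICES))
    print("site links:", site_links(DEVICES))
    print("from PHX LAN:", reachable_sites("10.3.0.0/24", DEVICES))
    print("not in inventory:", unknown_neighbors(DEVICES, NEIGHBOR_TABLES))
```

The unfiltered result is intentionally pessimistic: from the branch LAN it reaches every site except the isolated lab firewall, which is the baseline you then tighten by adding ACLs and firewall rules to the model. The `unknown_neighbors` output is the concrete form of “you’ll discover unknown network devices”: a switch that a core router sees on CDP but that nobody added to the inventory.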