In April 2021, as organizations around the world reeled in a series of cyber attacks carried out through compromised on-premises Microsoft Exchange servers, the US Department of Justice (DoJ) revealed that it had obtained an order from the court allowing the FBI to access vulnerable people. systems and remove any malicious web shells it has found that have been placed there.
For starters, the Microsoft Exchange attacks were most likely orchestrated by Hafnium, a Chinese state-backed player – similar to the SolarWinds Orion incident, which likely originated with a Russian group. However, after their disclosure in March, other malicious actors quickly piled up, with reports of ransomware attacks quickly following.
As you would hope, Microsoft rushed an out-of-band fix to address zero days, but Hafnium having benefited from it for a while before public disclosure, a lot of damage had already been done.
For Huntress founder Kyle Hanslovan, the decision taken in April by US authorities represented a concerted, proactive and, above all, welcome intervention on the part of the Biden administration, a cyber scientist, helping to help organizations that , in his words, “are below the business safe poverty line.”
Why should he care? Hanslovan began his intelligence career at the United States National Security Agency (NSA) in the early 2000s, and spent an extended period in the United Kingdom alongside GCHQ, where he supported defensive and offensive cyber operations. on behalf of the Western allies.
He has since turned to civil security, founding defense consultancy firm StrategicIO before Huntress and playing an active role in the ethical hacking community as a Black Hat conference trainer, STEM (science, technology, engineering) mentor and math) and DefCon Capture. the flag champion.
In fact, Huntress was born out of a desire to give something back to those organizations that, through no fault of their own, cannot necessarily help themselves. During his time at the NSA, Hanslovan had become a big advocate for privacy – which he concedes is pretty funny if you think too much about the NSA – and around the time of Edward Snowden’s revelations he started to to think that having spent the best part of 15 years hacking and breaking things, it was time to fix them instead.
The cybersecurity poverty line
“It was a good foundation and a great story to start a business since we were leaving our offensive hats behind, but using that offensive mentality to secure businesses that fall below the corporate poverty line,” he says. “Huntress only focuses on companies with 1,000 or fewer employees, rather than most of the others that are in the Fortune 100, 500, or 1,000.”
It was these small businesses – collateral damage in many ways – that the US action was aimed at helping and, according to Hanslovan, these organizations were in urgent need of help.
“We had six very difficult weeks between February 27 and probably the second week of April,” he says, describing how Huntress for a time removed their salespeople from their regular calling schedule and redeployed them to inform the customers they were compromised.
“But two weeks later, we validated and the web shells were still there, so it was clear that they weren’t able to do anything about it. And that’s not negligence – sometimes they literally don’t have the server because they outsourced it to someone, or maybe they migrated to [Microsoft] Office 365 and forgot that they had this old server in their network – an old mail server that was taken out of service but never completely shut down, ”he says.
“So I was very happy when I saw the federal government take action to secure these people who are often denied. “
Successful proof of concept
At the same time, Hanslovan says, he was aware of legitimate fears that this action could be seen as excessive overstepping of the US government by exploring private networks without consent.
For this reason, he thinks it’s very interesting that the action was carried out by the DoJ and the FBI, and argues that while the DoJ may not be the most exciting of federal agencies, it shows its commitment to using the appropriate legal authorities and law enforcement, rather than turning to the intelligence community.
“I think it’s very important to keep US intelligence agencies like the NSA focused on their foreign targets and away from violating civil liberties,” Hanslovan said.
“Recourse to the courts to authorize the FBI disruption effort is a solid initial framework to ensure that these actions remain focused on increasing security and are limited to indirect targeting of intelligence. “
“It is very important to keep US intelligence agencies like the NSA focused on their foreign targets and away from violating civil liberties.”
Kyle Hanslovan, huntress
Hanslovan argues that given the apparent success of the initial operation, it should be seen as an exciting proof of concept and used to establish rules of engagement for future remedial cyber operations of a similar nature.
“I think it needs to be tempered – it probably won’t always be the quickest response if it’s the government, because it needs to be very sure that it has tested everything it intends to do,” he said. “But I think it will help all of us improve the security of the company.
“I would prefer a conservative approach instead of going too far, which maybe means the initial definitions – I think that’s where we are, it’s time to start defining some things based on what we learned.”
Some of these definitions that will need to be worked out include the question of what warrants a response at the government level? Nationally sponsored attacks, such as Microsoft Exchange or the SolarWinds incident, are a problem, but where does something like the recent withdrawal of Emotet by European authorities stand in this context?
Hanslovan suggests using some sort of menu to ‘diagnose’ an actionable incident, perhaps if a security event meets seven of the 10 criteria listed, it might warrant government intervention.
Then, if the authorities continue to take this more proactive path, it will require a model of transparency and disclosure after a successful transaction, a model of what happens when something goes wrong and a business organization is disrupted by a friendly government intervention, and a template for the protection of any proprietary or confidential data that might be seen during legal intervention. For example, do these data then become subject to freedom of information legislation?
“I don’t know if anyone is thinking about it right now,” says Hanslovan. But he hopes that, upon proof of Biden’s appointment of several former NSA members with a wealth of experience in privacy and legal issues – such as cyber boss Anne Neuberger – with experience in privacy and legal issues. legal issues, there are people in the right place to push to establish ground rules on how data can and cannot be used.
“Sometimes it’s too easy to say what you can do, but no one thinks about what you should never do with this data,” he says. “But I hope these are public conversations and public dialogues.”
A business owner may also have legitimate concerns about being carried over the coals for a breach of data protection regulations – such as California’s privacy law or the General Regulation. European Data Protection Policy – in a government-backed intervention.
Hanslovan agrees that this can become a problem and suggests that there will need to be some kind of double jeopardy type protection. He draws an analogy with the police, noting how some agencies will not push to prosecute for possession of drug paraphernalia found on someone who has overdosed.
“Often times when someone overdoses in the United States, even if they have drug paraphernalia on them at the time and the police respond, there is a framework to say that you are there to protect and serve, which means you’re there to get that community member on their feet, and get them medical attention, ”he says.
The flip side of this argument is that while a police department might not prosecute drug possession, if it saw that the user was involved in serious crimes such as human trafficking or child sexual abuse, a reasonable person would be very upset if the police did. do not take legal action for these reasons. This is another reason why it is important that the policy on cyber interventions is developed in a transparent manner and in the public domain.
Iterate and reiterate
Governments being governments, Hanslovan tends to think that it is inevitable that something will go wrong if coercive actions of this nature do indeed become routine, but he is also inclined to view such actions as iterations towards a ‘product’. final.
“Personally, I think we’re going to be wrong – like a product, sometimes you ship a product and it sucks, it sucks so much it’s embarrassing, but you repeat the product to the point that it’s great,” says -he. “Hopefully it will be the same – pull something out for a better effort, then iterate over it.”