"I think the agreement in the community is in cases like this [in which] we see these mass compromises, someone should be helping people fix these because not all enterprises can do it themselves — [and] by not doing it, they're endangering others," he says. "I think the main disagreement is whether the original compromise constitutes enough of a crime to warrant the FBI entering."
Brumley's concern is how this precedent could be used to pursue crime in the future. If someone compromises a personal computer and leaves behind a backdoor, could the FBI access the machine under the same conditions it used here? What if officials access a server because they believe there is illegal activity, but it turns out to be a more pedestrian crime?
"Is it going to turn into a slippery slope where we think the server is compromised so we can enter because that's evidence of a crime?" he says.
This case points to a need to centralize the computer security effort from the defense mission, Brumley says. Removing Web shells helps the Internet become more secure, but having the FBI do the task "is really breaking shaky ground, and we should rethink our approach to this."
Considering both sides of the matter, it's also interesting to note the FBI's decision to remove Web shells but not patch affected systems or remediate post-exploitation activity, says Nickels. Some security pros believe if the FBI is already on a system, why not deploy a patch? For law enforcement in this case, though, going beyond the Web shells is tricky.
"I think the challenge is that post-exploitation activity can look so different," she says. One of the reasons why the Web shells were detectable is they followed a pattern: It was the same file name and same folder path, so it was easier to say with confidence that they were malicious. However, trying to learn what happened after a Web shell drops is harder.
"Those are unique investigations that will differ per victim, per endpoint, and per environment, and so I think that's where … thinking of the levels of risk for the FBI trying to do that investigation, at scale, I don't think would be sustainable."
Public-Private Collaboration: The Need for a Plan
A public-private partnership can help improve communication and information sharing after incidents such as the Exchange Server attacks. The problem is, there is often a gap between private sector defense and government offense, and coordination between the two is inconsistent, Henry says. Over the years, there have been improvements in coordination and some successes; however, there remains a lot of work to be done.
"There have been successes, and I don't want to minimize the successes, but the reality is there have been so many more successes by the adversaries," he says. "And the successful deterrence, the successful attribution, the successful arrest, pale in comparison to what the adversaries have been able to do, and that is a function of public-private partnerships don't scale." There are one-off successes, but overall defenders are catching up and not in front.
The solution, Henry believes, is building an infrastructure that allows for sharing of threat intel.
When companies are breached, they collect artifacts and indicators that may lead to identifying the adversary behind an attack. If the public sector isn't allowed in, or those indicators are not shared, then they don't have access to intelligence that could help deter cybercriminals in the future.
How to bridge the gap? Public-private partnerships are often a topic of conversation among government executives, but nobody ever lays out a clear path to collaboration, he says, laying out three specific things the government should communicate to make this partnership work.
"What is it you want from the private sector? Tell the private sector specifically," Henry says. If it wants malicious IP addresses; pieces of malware; indicators of tactics, techniques, and procedures; or other intelligence, the public sector must be clear about what it's looking for. And that's only the first step.
Next, the government must determine what it will do with that information once it receives it. How will the information be stored, handled, and secured? Who is the point of contact for that intelligence? Which agency handles it? If it's shared, where does it go? When people say "public-private partnership, share with us," what does that mean in terms of handling shared information?
And finally, the public sector needs to explain how it will use the information and what the private sector can expect back. This must go beyond "give us all your data," Henry says. The government has to convey to organizations how they will analyze the data to inform strategies.
"I'm simplifying it, of course," says Henry of the foundation for a public-private partnership. "But we've had 20 years to address the problem and I still hear 'we need a public-private partnership.' And I agree."
At a time when foreign governments have remote access tools in the US power grid and are launching large-scale campaigns targeting US devices, the implications and risks of malicious activity are high. There must be accountability for, and review of, the government's actions, and now is a good time for private citizens to question and start a discussion around it.
Henry will join other security practitioners and former public officials in an upcoming RSA Conference talk, "Total Security: Investigative Perspectives from Public to Private Sector," to discuss how their experiences in counterintelligence and counterterrorism have informed their security practices.