By Chris Cubbage, Editor
The US Department of Defence Cyber National Mission Force (CNMF), and Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) shared details for the first time this morning on recently declassified cyber operations, showcasing how both organisations work together to bolster cyber defenses.
U.S. Army Maj. Gen. William J. Hartman, Commander for CNMF, USCYBERCOM and Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA provided ‘vignette’ sample operations at the RSA Conference 2023 in San Francisco. In a fireside style chat, the two explained how the US Government responded to threat actors and made it harder for them to threaten national infrastructure, partners and allies.
CNMF Hunt Forward Operations disclosed included the 2021 Solarwinds supply chain breach, the large scale attacks on Microsoft Exchange servers by Chinese threat actors and the 2020 Federal Election subjected to an Iranian initiated breach of a local municipality, which may have potentially discredited the election.
It often starts with a text from the private industry, Mr. Goldstein explained. In the Solarwinds case, “We got this tip, which was amplifying information, as we’ll get these from several community partners at the CISA, and we’re immediately using a visibility system. Using data from Mandiant and Microsoft, we were able to rapidly identify nine agencies that appeared to have been impacted by the Solarwinds campaign, which most broadly, was a campaign targeting Microsoft Office 365 infrastructure. We kicked off into the responses at many of those victim agencies, and in many cases, hand in hand with the private sector.
We undertook the initial steps to understand the breadth of the intrusions, understand the phases of the backdoor, payload, and derive actionable artifacts that we could use to enable the community’s broader response. As part of this effort, we began to identify the extrapolating image of the compromised SolarWinds servers that were used by many of these impacted agencies. And as we imaged those servers, we instantaneously shared that information with our partners at CNMF for use in their operations.”
Maj. Gen. William J. Hartman explained the next steps by CNMF, he said, “The ability to gain access to an image of the compromised server is invaluable for us. We immediately mock that up in our virtual training environment. And then we start to hone our skills to hunt for similar adversary activity across a number of our mission elements. We’re the Department of Defense, we’re really good at this. It’s what we do.”
Within a number of days, CNMF were able to develop a high-end capability to hunt for the adversary, and about the same time that intelligence from the intelligence community indicated a foreign partner had been compromised by the same hackers.
Maj. Gen. Hartman continued, “Because of the information that was shared from DHS CISA, we knew exactly what we were looking for and as we started to execute our hunt forward operation, we almost immediately saw adversary activity. The important part here is because of the relationship and because of the preparation, not only were we able to gain access to the adversary, but we were able to do so in a manner that the adversary didn’t know we were there. So now we see an active intrusion. We’re collecting information, and we’re immediately sharing that information back with DHS CISA, and other partners.”
We were eventually able to collect 18 pieces of novel malware. With permission from the partner, we were able to bring that malware back to the United States and share it very broadly. We were able to help the mission partner overseas and remediate their network.”
“Now back to the public part”, continued Eric Goldstein, “As we continued our incident responses across the nine impacted federal agencies, we realised that the broader community needed guidance and an understanding of the breadth of the campaign, the Techniques, Tactics & Procedures (TTPs) that we were actively using, and how to take steps towards potential litigation. And so we worked together, across the community to develop our Public Security Advisory in April 2021.”
FOREIGN OPERATIONS – HUNT FORWARD OPERATIONS
Maj. Gen. Hartman confirmed, “Our mission is to defend the nation against malicious cyber actors that threaten our national security. We do this through people and we do it through partnerships. We have 2,000 joint service members assigned to the CNMF. And when I say service members, this includes Army, Navy, Air Force, Marines, Coast Guard and Guardians from the new Space Force.
This is generally a fairly young force. About 20 percent of it does consist of civilians from various federal agencies that do provide continuity and experience. But it’s a young force that is explicitly training. It’s highly motivated, and every day we do everything we can to defend the nation. From a CNMF standpoint, we are foreign focused. We execute operations in foreign states in order to do everything we can to protect the Homeland, while also supporting our allies and partners.
“It really is based on partnerships”, Maj. Gen. Hartman continued, “It’s really important for everybody in here to understand that on a daily basis, the CNMF in DHS work side by side. And when I say side by side, I don’t just mean in a chat room, which we certainly do. We have liaison officers that are in each other’s locations, from senior leaders down to individual analysts or operators.
The ability for DHS is to rapidly provide us information has become a large driver for CNMF operations around the globe. We immediately evaluate the information, we ensure that it fits within the authorities that we operate under. And then we look to what are the things that we might do in order to again either disrupt an ongoing threat, or deter future attacks.
The maturation in this relationship and the fact that it happens real time every day has really become a significant driver for our mission”, Maj. Gen. Hartman confirmed.
RANSOMWARE TASK FORCE
The Ransomware Task Force is co-chaired by the CISA and FBI, of which DoD CNMF is a charter member.
‘The Ransomware Task Force”, Eric Goldstein highlighted, “has the intention of bringing together. with cohesion, all of the work occurring in the US government, in the private sector, with Allied governments.”
“So we are all in the same direction, we are focusing in a few areas. In this context, we’re focusing on making sure that we know how ransomware attacks occur and that we are closing down those accesses across the country. We have an initiative that we call the Ransomware Vulnerability Warning Pilot, and we are constantly scanning US IP states for vulnerabilities that we know when foreign actors are using them. If we see those vulnerabilities open in those organisations, they’re going to receive a call or knock from our regional personnel out in the field across the country, to help close them down before they’re compromised.
We’re also undertaking an effort that we call the Pre-Ransomware Notification Initiative. This is where we get tips from researchers and industry who can see the connections with the node, node infrastructure and with ransomware groups. In particular those where an intrusion has occurred but the payload has not yet been detonated.
We need to respond and in a matter of hours or days. And we’re doing this constantly. We think that combined with the work being discussed here, this is all part of the broader model to move away from theoretical and really focus on actionable measurable risk reduction work. We are closing down the vulnerabilities and have assisted over 160 organisations already this year. We feel that these are all tools in the quiver that over time will actually make a real difference in the prevalence of intrusions that are targeting US organisations.
When asked by MySecurity Media for an Australian perspective on the organisational structure of CISA and CNMF, similar to the structure of the Australian cybersecurity framework, Maj. Gen. Hartman stated, “I’ll just say from an Australian standpoint, as far as recommendations on how they structure, we’ll leave that to them, but the partnership with Australia, adds another toolkit that we’re able to utilise in order to get after these operations globally, and so much of what we’re able to share with [CISA], we’re also of course, able to share with Five Eyes partners. Many of the times they actually see information that is relevant to both of our mission set and so the coordination that we do with DHS system, we also do with Australia, Five Eyes partners, other like-minded nations and that really does allow us to scale.”
Maj. Gen. Hartman noted, “We live in an interesting time in that a threat a foreign partner sees, a threat to government networks. It’s also a threat to the network so that many of the people in this room either own or provide support to and I would offer that, we have not been in this position as it relates to a foreign threat related to any other time in our history. And so a threat to us is a threat to you. It’s also a threat to other government systems. And we have to share information rapidly.”
Maj. Gen. William J. Hartman and Eric Goldstein responding to media questions following the briefing
