I haven’t posted a great deal over the past couple days. Work, work, work. Lots going on with SolarWinds, Department of Commerce, the IC, and other agencies.

There’s quite a bit out there that just doesn’t make sense.
Have you heard many updates from the agencies that were affected? I suspect not.

Some were caught completely (and surprisingly) off guard. You have to remember - CONMON teams are routinely staffed by low-level “security” engineers (I use that term loosely). They’re inexperienced.
Vulnerability Scanners (Admins) are not much better. CS grads who are glorified button pushers. Research how many contractors lost security contracts with agencies due to non-compliance or audits. It’s common. Everyone can name the contractors who lost SOC work.
Now imagine you’re an agency with inexperienced CONMON teams and inexperienced Vulnerability Scanners who COMPLETELY MISSED the breach of the decade. You have to play catch up. These agencies are hedging their relative lack of classified/sensitive information with public interest.
That DOES NOT explain DOD and the IC.

THESE communities hold our nation’s VITAL secrets.

These networks are wired tight.

Sorry for the non-technical audience but here is where I’ll get REAL specific.

The DOD and IC have environments that are really difficult to penetrate.
First, the IC:

This is the ultimate air-gapped environment. Not only do they have their own custom air-gapped solution, but they use a proprietary solution that emulates a certain CSP, allowing them to build low side and ship high side.
They also have their own regions, availability zones, and have VPC-to-VPC peering cross-region. Most orgs have bastion hosts.

Given those parameters, how are these nodes, even through DLL files, so readily accessing resources without being noticed? There are NAT gateways. WAF...
They’re probably not. Many CSPs have centralized logging. These logging resources have alarms. That aside, cleared solutions have custom logging solutions with alarms.

1. It would be difficult to access resources w/o being noticed.

2. They’re “whitelisted” (overly simplified)
NAT, security groups, WAF, etc, make it almost impossible to access these resources unless it is intended. The lone exception is Cap One where they essentially cached log files in the WAF.

So here is the million dollar question...
How did the access to classified networks go “unnoticed” for months?
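The thread’s argument is that allowlisted egress (NAT, security groups, WAF) plus centralized logging with alarms should make unexpected outbound access visible. The following is an added example, not code from the thread or from any agency: a small checker that reads constructed flow records, drops anything that is not egress from the internal range, and raises an alarm for every egress flow whose destination and port are not on a hypothetical allowlist. The internal range, the allowlist entries (RFC 5737 documentation addresses), the record format and the sample log are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed private range of the environment (hypothetical).
INTERNAL = ip_network("10.0.0.0/8")

# Hypothetical egress allowlist: the only external destinations internal hosts are
# intended to reach. RFC 5737 documentation ranges stand in for real addresses.
EGRESS_ALLOWLIST = {
    "vendor-update-cdn": (ip_network("203.0.113.0/24"), {443}),
    "approved-saas-api": (ip_network("198.51.100.0/24"), {443}),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    action: str  # what the NAT / security-group layer did: ACCEPT or REJECT


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<src> <dst> <dport> <ACTION>'."""
    src, dst, dport, action = line.split()
    return Flow(src, dst, int(dport), action.upper())


def is_egress(flow: Flow) -> bool:
    """True when an internal host talks to something outside the internal range."""
    return ip_address(flow.src) in INTERNAL and ip_address(flow.dst) not in INTERNAL


def allowlisted(flow: Flow):
    """Return the name of the allowlist entry permitting this flow, or None."""
    dst = ip_address(flow.dst)
    for name, (net, ports) in EGRESS_ALLOWLIST.items():
        if dst in net and flow.dport in ports:
            return name
    return None


def evaluate(log_text: str) -> list:
    """Return one alarm per egress flow that is not covered by the allowlist.

    An ACCEPTed flow to a non-allowlisted destination means the egress controls
    let it through (severity high); a REJECTed one means the control worked but
    something inside tried anyway (severity info). Both are worth an alarm.
    """
    alarms = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_egress(flow) or allowlisted(flow):
            continue
        severity = "high" if flow.action == "ACCEPT" else "info"
        alarms.append({"src": flow.src, "dst": flow.dst, "dport": flow.dport,
                       "action": flow.action, "severity": severity})
    return alarms


def by_source(alarms: list) -> dict:
    """Count alarms per internal host, so repeated attempts stack up over time."""
    return dict(Counter(a["src"] for a in alarms))


# Constructed sample log: allowed update traffic, an accepted flow to an unknown
# host, a rejected flow to the same host, internal-only traffic, and allowed
# destination on a non-allowlisted port.
SAMPLE_LOG = """\
10.1.4.20 203.0.113.15 443 ACCEPT
10.1.4.20 192.0.2.77 443 ACCEPT
10.1.4.21 192.0.2.77 443 REJECT
10.1.4.22 10.1.9.5 445 ACCEPT
10.1.4.20 203.0.113.15 8443 ACCEPT
"""

if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG)
    for alarm in found:
        print(alarm)
    print(by_source(found))
```

The check only flags what lies outside the allowlist: a flow to an allowlisted destination and port passes silently, which is exactly why the alarm is only as good as the allowlist that feeds it.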
Ok Twitter is going after me now. If they nuke me, find me on Gab or Parler: midnightride21