To me, the SolarWinds hack is remarkable because it (momentarily) managed to upend one kind of strategy with the other. A broader strategic calculus is palpable from the operational choices made in this intrusion — from the Concept of Operations which underpins it.
At the heart of it, the US and Russian strategic models for cyber operations could be neatly delineated around toolchains and tradecraft, respectively.
The former invested heavily in structural frameworks planned and built over years — like Quantum, passive access and traffic shaping — which paved the way for surgical, pinpointed operations with robust operations security.
Halvar Flake's premise for this is that such an approach exponentially increases the compromise boundary: “Hack almost any node in the graph, and you get to attack other nodes by transitive trust.”
Russia, however, simply could not afford such an enviable vantage point. And so, its tactically-driven model relied on blending in with the supply chain, using camouflaging techniques, living off the land and establishing covert channels. The SolarWinds operation neatly ticks all the boxes.
But deception and other cognitive aspects, too, played a role — something which Russia intrinsically knows how to exploit. The distraction caused by the presidential elections and the pandemic, the heightened mainstream obsession with the SVR’s unruly cousin GRU, and the marginal exposure of US counterintelligence capabilities (with political efforts like the DoJ indictments) possibly added fuel to the fire.
It was also an ambitious effort by the SVR to corrupt the second tier of American capability upon which its at-scale defense is premised: telemetry. The NSA used the same access-based frameworks — like Turbulence (Turmoil, QFire and QuantumTheory) and DefiantWarrior — for Active Defense. I am not saying that this is the only tier of American defense, but it surely is the pillar.
In what may signify how the fulcrum of cyber power shifts with the ongoing disintermediation, it’s Microsoft which actually leads the US incident response efforts in the SolarWinds case. It’s the “sheepdog” herding the federal agencies (in Brad Smith’s own words) — a non-state actor harbouring the most potent telemetry-economy-of-scale. But I am not surprised by it.
Lastly, I am reminded of Mudge’s prophetic tweet warning that the decomposition of operations into quanta of capability, as used by MITRE ATT&CK, may fail to flag events which are dependent for the adversary but look independent to the defender.
I will write another post on how it upset the US doctrinal framework.
Once inside, recon, collection, and exfiltration are dependent events for an adversary and independent events for business.
This allows probability to remove false positives while identifying adversary campaigns post exploitation.
MITRE’s framework is light in this area. https://t.co/KOL7GwT4dt
— Mudge (@dotMudge) February 21, 2019
Yes.
But also: follow how the data is found, accessed, and moved. That’s what the adversary is doing that sticks out inside your environment.
Care less about identifying specific tools. Those are easily changed. Goals not so easily – look for campaign goals.
Insiders too 😉
— Mudge (@dotMudge) February 21, 2019
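An added example, not from the original post or from Mudge, of the idea in the two tweets above: recon, collection and exfiltration are scored as independent base rates across a fleet (the business view), then searched for as an ordered chain on a single host within a time window (the adversary's dependent view). The event schema and the sample telemetry are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import prod

# Constructed sample telemetry (timestamp, host, tactic); the schema is an assumption.
# Each tactic appears alone as normal business activity; only HOST-7 shows the ordered chain.
EVENTS = [
    ("2020-12-10T09:00:00", "HOST-1", "recon"),
    ("2020-12-10T09:05:00", "HOST-2", "collection"),
    ("2020-12-10T09:10:00", "HOST-3", "exfiltration"),
    ("2020-12-10T10:00:00", "HOST-7", "recon"),
    ("2020-12-10T10:20:00", "HOST-7", "collection"),
    ("2020-12-10T10:45:00", "HOST-7", "exfiltration"),
    ("2020-12-10T11:00:00", "HOST-4", "recon"),
    ("2020-12-11T08:30:00", "HOST-1", "collection"),  # a day after HOST-1's recon
]
CHAIN = ("recon", "collection", "exfiltration")  # the order the adversary depends on

def base_rates(events, hosts):
    """Defender's view: fraction of hosts showing each tactic, counted independently."""
    seen = defaultdict(set)
    for _, host, tactic in events:
        seen[tactic].add(host)
    return {t: len(seen[t]) / len(hosts) for t in CHAIN}

def chained_hosts(events, window=timedelta(hours=2)):
    """Adversary's view: {host: recon-to-exfil elapsed time} where CHAIN occurs in order."""
    by_host = defaultdict(list)
    for ts, host, tactic in sorted(events):
        by_host[host].append((ts, tactic))
    hits = {}
    for host, seq in by_host.items():
        idx, start = 0, None
        for ts, tactic in seq:
            if idx and ts - start > window:  # chain went stale: start over
                idx, start = 0, None
            if tactic == CHAIN[idx]:
                start = ts if idx == 0 else start
                idx += 1
                if idx == len(CHAIN):
                    hits[host] = ts - start
                    break
    return hits

def score(raw_events):
    """Hosts independence predicts would show all three tactics vs. hosts showing the chain."""
    events = [(datetime.fromisoformat(ts), h, t) for ts, h, t in raw_events]
    hosts = {h for _, h, _ in events}
    expected = prod(base_rates(events, hosts).values()) * len(hosts)
    return {"expected_if_independent": expected, "observed_chain": sorted(chained_hosts(events))}
```

On the sample data the independent base rates predict well under one host showing all three tactics, while the ordered chain on HOST-7 stands out because the three events are not independent there.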