Cybersecurity: Amplified And Intensified

11. Executive Order or Compliance Rosetta Stone?

May 17, 2021 Shiva Maharaj/Eric Taylor
Shiva Maharaj:

This is the Cybersecurity: Amplified and Intensified podcast. So talk to me about this executive order that was brought to us by the White House. Was it yesterday?

Eric Taylor:

Yeah, it was the day before yesterday. Let's see. So Joe Biden, and we're going to get a little political, unfortunately, on this one. So it's actually two days ago,

Shiva Maharaj:

no, US political. Come on.

Eric Taylor:

Well, you know, we try to keep it a politics-free forum, right. But that's just the way it's going to be today. It's

Shiva Maharaj:

gonna be, it is gonna. Cybersecurity is political; it is the new staging ground for war.

Eric Taylor:

And this thing will be, the thing of conversation will probably get explicit. So please, if you don't want to hear foul language, you may want to turn away now, because who knows what's going to come out of my mouth in the next 10 minutes. So essentially, Joe Biden has said that, you know, we are going to crack down on cybersecurity, that, you know, we want to make sure that government's more secure going forward. Yada, yada, yada. It's, it's a, when I look at this stuff, it really is a bunch of fluff that has been spoken about many, many times before, but to some degree, there's a framework called NIST and ISD. And most DoD contractors go by what's called the 800-171 framework, which is a set of controls that's under self-attestation. So you just say, Oh, yes, I comply. You know, I agree to this, much like most of PCI compliance, these, but now the White House is actually saying, Well, no, you've actually got to prove, somehow, I guess, that, you know, you're going to actually conform to these. The amount of time that it really took for Joe Biden to come out and say something about this, and this executive order actually being released, I think was under 24 hours. So I'm sure they had this in their back pocket ready to go. That just wasn't, nor was just ready to say, okay, drop it and, you know, put it to the press. Have you read this thing at all?

Shiva Maharaj:

I've read it. I'm of two minds here. First, I'm really happy to see something put to paper and codified or ordered that, yes, you need MFA; yes, you need zero trust. And they even went so far as to define what zero trust is in the federal system. But then you have the other side of me. And that side says, why are we waiting this long to do something like this? This should have been in play five, ten years ago. This isn't something that should have come about today because of a pipeline, or SolarWinds from last November. Other thing is the DoD is launching CMMC, which I like, except for levels one and two, because they're just a waste of time. There's no logging, there's no SIEM components. And if you don't have that, either, there's not much postmortem that you can do. But why not take CMMC levels three, four, and five and apply it across the entire federal base, and then have what would then become CMMC level six through whatever be the top secret clearances. Let's have the entire government speaking a single compliance language, not saying, Hey, your NIST 800-171 here, your DFARS. I mean, it's confusing.

Eric Taylor:

It is. And I really do wonder, right, sorry, I'm gonna, the screen is gonna blank out here for a moment. I'm trying to navigate through screens here. But I do wonder just how much this really is going to take and play. So we do have the transition already in place from the NIST 800-171 framework over to CMMC. So right now, that is still a self-attestation, but the auditors are going through their certification right now. There's supposed to be auditing starting to happen. I think last I heard was in Q3, maybe Q4 now just because of the whole COVID pushback of things. August, I think it begins, maybe the end of Q3. So it's really interesting to see what exactly is going on, right? I don't know how much of this thing is going to actually potentially change as we're already going through CMMC. You know, there's been several publications from some of the government officials like, yeah, we already comply, because they already knew about CMMC. So they're already going down that pathway of compliancy, getting ready for that. So this CMMC is just that level above the NIST 800-171 framework.

Shiva Maharaj:

Now, I think in terms of CMMC, we should make it clear that this is a DoD initiative. This has nothing to do with the civilian side of the government. So I'm sure there are probably some rules and some laws and strokes of a pen to make it applicable to the entire federal system, which I think is, I think that's what should happen. I don't see the point to anything dealing with self-attestation. I've said it over and over again, I've seen instances where HIPAA and CJIS are completely abused because of the self-attestation nonsense, and it's disappointing. The one thing about this executive order that I really don't agree with is the timeframes. I think it was 180 days to implement MFA. I'm sorry, that's a 30-day job, even if their skill, if that, okay, they've got to go in there, they've got, they have what they need. It's not like they have to go get new solutions, it's a matter of rolling it out. And the other thing is NIST has been charged with coming up with these new guidelines; they have six months to give the first draft and another six months to finalize them. I don't know a single program ever in the history of this country that finished on time and didn't get exemptions, waivers and extensions. And there's even language in here providing for the extensions and the exemptions.

Eric Taylor:

Yeah, I'll try to see if I can find it real quick. But there's been several spots in here where it says if you as a director cannot implement multi-factor authentication, not 2FA but MFA, inside of your organization or your specific department, you just need to send off this letter and things of that nature. And it really is freaking alarming. That is like, you know, these things have been a problem, and why you've already got government officials going down CMMC. You know, you and I are both going self-attestation for CMMC, just to be completely out there. We're secure in our own houses and secure in our clients because of this initiative. But it's, I don't see what the frickin big, the big deal is. Why do you have to drag your feet except for the whole thing around, Oh, well, we never really were as compliant as we said we were. So

Shiva Maharaj:

maybe it's do as we say, not as we do. But in terms of MFA, it's a very easy solution to put in place. And I think the only limiting factor there is going to be the team that you have to implement it. And the fact that any government, not just ours, any government is using systems without MFA, they, it's, they're just asking to get popped.

Eric Taylor:

The one thing, this is the one part that really alarmed me. All right, and I'll quote it out there for the audio version of this, you know, "within 360 days of the date of this order, the director of NIST shall publish additional guidelines that include procedures for periodic review and updating of the guidelines described in this subsection," where it goes on and on more and more about NIST. Why? At what point is NIST going to be anymore? We're already in a transition to CMMC. That is controlled by the DOJ.

Shiva Maharaj:

No, the CMMC is controlled by the DoD,

Eric Taylor:

not the DOJ. But the DoD, I do, sorry. Yeah. But yeah, the DoD, so I, there's so much of the NIST stuff that's in here. I don't understand why they're in here anymore, because that's what they have. And that's what they're hitching their wagon to.

Shiva Maharaj:

I'm a, as I've said, you're rolling out CMMC to the DoD, let's go ahead with that. And in parallel, let's make it available to the entire civilian base of the government. That would make sense. I mean,

Eric Taylor:

yeah, I mean, I guess working in parallel doesn't make sense, right. But, you know, I really think there should have been a lot more in here, you know, mentioning the bilateral movement to CMMC.

Shiva Maharaj:

I don't think that's on their radar, quite honestly. I think you and I want to see CMMC in the federal civilian space. CMMC, it looks to be kept to the DoD and their supply chain. I mean, let's be honest, I'm happy they're talking. They're having that zero trust conversation. I don't recall anything in here really talking about a vendor's inability to see inside of the software the government's buying from them, which would be zero knowledge in my mind. But it's a step in the right place. But again, I don't think you need three, you need six months for a first-round draft. And I don't think you need another six months for a finalization of it when you have CMMC there. And that's just where I sit with this.

Eric Taylor:

Exactly. So that really brings up a great point. The one thing I was actually having a discussion about with some of our counterparts in some of the private Zoom rooms is, all right, if CMMC, we have the executive order, we have the transition for CMMC. I really wonder if CMMC will now, because of the executive order, start replacing GCC High down to the local municipalities. I think so. But what do you think?

Shiva Maharaj:

I think it should. I don't like having these multiple compliances. I think, you know, they have CJIS, Sarbanes-Oxley, PCI, they're all trash, they're all garbage. I think CMMC is built to secure the nation. And if that truly is a good compliancy, and it has a tiered approach and has the levels, let's apply that across every business out there, with exception to CMMC levels one and two. You know, I was reading an article recently that Darkside, our favorite ransomware group of the hour, they do not like infecting systems that have EDR on them. You're incident response, you tell me, what are your thoughts on that?

Eric Taylor:

So EDR is, alright, so here we go down a rabbit hole. The reason most of these folks are not going to mess with EDR is because you can't disable it. Most of the EDR platforms, zero, you're not gonna be able to disable that EDR platform, you're not gonna be able to get around it. A lot of the traditional AV, Symantec, Webroot, you know, as much as I hate to, quote unquote, throw shade at people, but it is what it is. You're able to obfuscate, you're able to get around those types of solutions, and be able to drop your ransomware payload. Bitdefender, they some vert, I've heard good and seen some good things about the Sophos MTR recently; they're reported, from what I hear, very good.

Shiva Maharaj:

I left them about a year ago,

Eric Taylor:

the reporting on it I know is complete trash.

Shiva Maharaj:

Now absolute trash,

Eric Taylor:

and with peace of lows, with peace of love. Exactly. We really need to have a meme. I think he actually showed that, an idea about private groups, with every time you do that, just the whole, that whole thing will, people have come up. Anyway, I digress. The, it's really hard if you have an EDR set up that is properly configured, not just installed blindly and let people just run amok, and you can't just install it and expect it

Shiva Maharaj:

to work. You have to configure these things. Tell me more.

Eric Taylor:

You know, I, I learned, I got a client right now, on the web, I'll just say the West Coast, that doesn't understand, just because they have Microsoft 365 through a vendor. They're like, What do you mean, we need to set up security on this thing? Like, but it's in the, they literally said, but it's in the cloud? What do I have to do? Oh my god, everything? Let's sit down. No, I don't really drink anymore. But I'll drink my coffee, you drink your beer. And we'll have a chat.

Shiva Maharaj:

I have my daughter's water bottle here. So that'll have to

Eric Taylor:

do what I get in the health pocket. But anyway. But yeah, I mean, they're not going to go after EDRs because most of them will stop them in their tracks.

Shiva Maharaj:

So if EDR is a barrier to entry for these ransomware guys, why not just put EDR on everything, and wait for them to figure out a way to circumvent, but at least it buys us time. I know you do it, I do it. But when I say we, we as an industry, you know, including the pizzas ax out there, they

Eric Taylor:

so we take it as a minimum, at a minimum, our clients, even my incident response, you know, we work with several companies that use Carbon Black for their incident response and stuff like that, you know, they have EDRs and stuff like that, but at a minimum, you need to be deploying EDR. Now, like I said, even in my ransomware and incident response cases, we deploy EDR every single time. We got to find out what the footholds are, we got to find out where they are still at, if they're still in the network, things of that nature. It's, here's a question for you. Have you ever gone in post-incident for IR and the client had EDR installed before they got popped? Not yet.

Shiva Maharaj:

So why is this not a headline? Why is this an obscure article, written, and I came across it by accident, despite our best practice, and by our I mean yours or mine, of putting EDR into our clients?

Eric Taylor:

Because why? We are, we are doing what we call best practice. It's not industry best practice. That's why you have Joe Biden and everybody else doing these damn executive orders. Because, you know, I've said it before and I'll keep saying it till the day I frickin die: businesses are gonna do it as cheap and as long as possible until they're forced to make a change. And unfortunately, it's typically a ransomware incident that makes some

Shiva Maharaj:

change. What you're saying is good, fast, cheap, pick two. Cheap has to be one of the options.

Eric Taylor:

Pretty much okay.

Shiva Maharaj:

How cheap was that ransom for Colonial, you know, the one they said that they were not going to pay?

Eric Taylor:

Oh, yeah, well, that's her, that's always a great thing. So, you know, from, you know, the whole stigma to the bad guys, right, you know, Colonial comes out and, you know, it's like, we're just going to recover from our backups, we're not going to pay these a-holes, and the proverbial middle finger, right?

Shiva Maharaj:

And this was Wednesday, this article.

Eric Taylor:

Yep. This was Wednesday. They say that, you know, we're not gonna pay it. You know, it was said to be $5 million for the ransomware payment,

Shiva Maharaj:

which in the grand scheme of things is a little bit of money considering the effects the shutdown could have on the country.

Eric Taylor:

And that's just pure revenue that that company, I'm sure, is generating per day.

Shiva Maharaj:

Well, I believe it was their billing system that got crypto, not the actual ICS system, or the ICS for the pipeline.

Eric Taylor:

But then, you know, we're hearing all, we're getting, great, you know, we're getting back up. And then this is just one article. Oh, wait, we actually did pay the $5 million ransom last week. Yep. Which is before they said, we're not going to pay the ransom. So it's like, oh, we're gonna pay, but we're gonna tell everybody we're not because we're supposedly honorable people, or whatever the case is. But no, they are a bunch of fucking hypocrites. Sorry, I warned you, that again, this is going to get explicit, maybe.

Unknown:

I'm good. I'm good. So

Eric Taylor:

it's, I mean, this really bows to quit. So the part that really pisses me off right now is the fact that Joe Biden issues an executive order on cybersecurity, right. This is all based around Colonial. This is all based off SolarWinds.

Shiva Maharaj:

I do think it was based off of SolarWinds, primarily. I think Colonial just made it come out a little bit sooner. But as you said, I think that Executive Order was typed up. I think a few changes may have been made recently. But I think it is a direct result of the SolarWinds breach, which, let's be honest, according to their CEO is just a minor, small breach.

Eric Taylor:

Oh, you bossing me throw on my chair that day,

Shiva Maharaj:

you know, solo and single handedly doing more damage than Benedict Arnold ever did.

Eric Taylor:

But when you take a look at the executive order, like I was getting ready to say, you take SolarWinds, you take Colonial, this executive order does dig in resolving these two incidences. You could have had all the executive orders in the world; they're not part of the DoD. There needs to be, there needs to be ramifications for companies like these, like Colonial, for failing to implement proper cybersecurity policies, systems, protocols.

Shiva Maharaj:

Because if a state of emergency in 17 states can be declared for their downtime, then they are of national interest. What I think the President should do is go in and nationalize them.

Eric Taylor:

But is that a little bit of an overreach? I mean, dude, 70, you get into the whole issue of everything right?

Shiva Maharaj:

Everything's an overreach. But my point is basically, it's a shot across the bow of private enterprise here, saying, guys, you're raking in billions of dollars every year. I'm not telling you you got to spend billions on cybersecurity, because it's not going to cost them billions. Something the size of a Colonial, maybe 100 million a year, give or take that much. I mean, if you get the right team, they would have been far better off. On a side

Eric Taylor:

note, if you're looking for a new cybersecurity job, I hear Colonial's looking for somebody. Better you than me. I'm not stepping into that.

Shiva Maharaj:

I do not want to go into that dumpster fire. I am, no, I'm good. I'm good with that. But here's another question: is Darkside on the OFAC list?

Eric Taylor:

No. Okay. And here's why. Okay, well, two reasons why so far. I'm sure it will be soon, probably, if not as of today. I haven't downloaded the latest edition of OFAC. But nobody could tie where Darkside is; it's believed they are in Russia. Okay. Russia, of course, makes no claim that, as you know, Darkside is an APT, which means zero government-sponsored government actors. Don't know if that's true or not. I don't know. I'm not here to play that freakin regular role mousehole with anybody. So until they say, or they can confirm, where Darkside is originally originating from. We do have countries that we are not allowed to do business with from an incident response.

Shiva Maharaj:

But it's not just countries. It's also, it's also individuals or organizations that go on the foreign asset list.

Eric Taylor:

The other side of the coin is the wallet addresses. Okay, that's typically what gets listed on there. So when you download the JSON file or the XML file, it will have a ton of Bitcoin addresses or Monero coin addresses, whatever they are using, and Darkside uses both of those,

Shiva Maharaj:

actually Darkside has their hosting in Iran. Is that not an automatic OFAC listing? Yeah. Now, this is an article, and I'll send it over to you so you can put it up, from November of last year. So if they've already been operating out of Iran, they should have been on the OFAC list, and Colonial should not have been able to pay them.

Eric Taylor:

But how true is this? It's BleepingComputer.

Shiva Maharaj:

They're the Holy Grail of our industry. What are you talking about?

Eric Taylor:

The Holy Grail of definitely putting out a bunch of information. You know, I must say, I'm not throwing shade at BleepingComputer. They do a ton of news articles that we get our content from. Right, but absolutely, but it's double extortion for stonework. Yep. Yep. Situation violence. Yeah. Had to look into this a little bit more. But yeah, I mean, there are sanctions against a lot of this stuff. Right. I mean, you're seeing, you know, the largest group that we've seen, you know, Evil Corp. And there's a lot of it. Right. So I don't know. We'll have to see what

Shiva Maharaj:

Well, I think it's too late for

Eric Taylor:

announces that it's an intent to use infrastructure hosted. So yeah, so I remember seeing this now. So it all, this is where the greatness comes in. The intent to use infrastructure hosted, it doesn't mean it actually is in Iran. They intend to use it, so that means, did they actually move their servers? Because Darkside has been known to go down and dark from time to time, and they come back. And I guess that kind of really brings us to the whole other thing of, supposedly, Darkside ransomware has quit, is calling it quits after servers and Bitcoin stash have been seized. And I will call, will shatter all that, did

Shiva Maharaj:

they do this in January of this year, when they released their decrypter for free for everyone? I did see that Darkside will be paying out their affiliates by May 21 of this year, and then shutting down.

Eric Taylor:

So, since we had that conversation, I've been doing some digging. Darkside is a ransomware-as-a-service; they had one of their operatives, affiliates, subcontractors, whatever the hell you want to call them, that was using, unfortunately, the same key across multiple clients. Right, the vendor, a British vendor, picked up on this over the holidays, right around Christmas time, when there wasn't much going on. Why? I don't know, that's normally the time most ransomware incidents happen. But for some reason, it is. But they were going dark. And you know, one of their people was apparently using the same key over and over and over again. So there was about 22% of the affected people who could use Bitdefender's version of the Darkside decrypter to unencrypt their files for free. They have come out and said, oh yeah, we fixed this thing, and thanks for bringing it to our attention. You don't ever have to worry about not being able to decrypt your stuff. But I can tell you, you know, they're saying the Darkside gang has lost control of its servers and money. I don't know. But so this is where things are gonna get a little funky. And I can't say a whole lot. I've got four cases right now with Darkside in our incident response. While their name-and-shame site is down, then you and I talked about the other day, because I was looking for some, we had a couple clients who said they weren't going to pay, and they were getting ready to post that data. So we kept constantly refreshing and, you know, seeing, you know, what information they're actually leaking, to find out how much of a notification needs to be made from a legal aspect. And then we just couldn't see their site anymore. Apparently, there's a lot of speculation right now, apparently, that they just threw up their hands and said we quit for now, which they've done before. There's rumors saying that their servers got seized. I don't know.
But I could tell you with 100% certainty that their payment portal is running. I am on it.

Shiva Maharaj:

That's been confirmed. And some people have said that it's the government that seized everything and is just leaving it on for people to get their decrypter keys or what have you. It's not, but I think it's just a money grab. I think they want to make, they want more revenue.

Eric Taylor:

But so they're not going to get more revenue. Unless you're talking about the US government.

Shiva Maharaj:

Well, I think, I think Darkside, whoever's running it, if the payment portal's up, aren't able to collect payment.

Eric Taylor:

They are able to collect payment. Okay, and I'm talking to them in their payment portal for some of our cases, because it was believed originally that the Darkside actors were controlled by some government entity. And if you open up a line of communication, you can get your decrypter.

Shiva Maharaj:

I believe the term is called independent contractor. It's, it's a different tax bracket. Yeah, I'm sorry. It's a different tax code.

Eric Taylor:

But a GSR reached out, you know, on two cases that they said that we can go ahead and start engaging. It's the same folks. Okay. Well, if it's not the same folks, it is definitely of the same speech; they're talking exactly the same way. So

Shiva Maharaj:

So are we going to see a Darkside Part Two under a new name?

Eric Taylor:

No, yeah, if not Darkside, just coming back more fierce than ever? I don't know. This story is far from over. It really, really is.

Shiva Maharaj:

There's a lot of speculation that a lot of the hacker forums are distancing themselves from anything to do with ransomware, because it has become a dirty word. With the Colonial Pipeline, there's a lot of attention on them. And you don't, you don't punch out of your weight class unless you think you can win that fight. And I think that maybe that's what happened with Colonial, and that's why they put out their press release saying, Hey, we are apolitical. We don't want, we don't want to hurt society. We just want to make money. And maybe this is a rebranding for most of these ransomware guys. Maybe,

Eric Taylor:

I mean, if you remember back when everything was going on with COVID, and even before COVID, REvil, NetWalker, Maze, Darkside, I don't think Darkside was out then, but maybe so, but a lot of them took a vow not to attack medical clinics that were providing emergency services. You know, your mom-and-dad, well, family practitioner, things of that nature, they're fair game, but the emergency rooms and clinics, the hospital institutions, were not. Yeah. But

Shiva Maharaj:

then some of them turned on that. And they went crypto anyway. So it's, it's a matter of not believing anyone. You know, it's going back to zero trust, right? In a different application.

Eric Taylor:

Yeah, I mean, you're talking about a bunch of people who commit crime, or lie and extort me for a living, and you're gonna believe what they're saying. You know, it's like, you want me to take it to an extreme? Let's just say you caught the robber who just came in and cleaned out your house. And you're like, Oh, I'm sorry. I'll put everything back. Just pay me some money, and I'll put everything back, and I won't ever, I think they call it the extortion phase. Yeah, the whole double, now triple, triple extortion.

Shiva Maharaj:

Yeah. By the end of the year, it'll be quad extortion, don't worry. They'll figure out a new way to do this. Huh?

Eric Taylor:

Yeah. It's, I'm really interested to see what the next couple weeks really show. Well, it's,

Shiva Maharaj:

I think we're going into, I think we're going into one of those lulls where things are going to quiet down a little bit; they will regather and figure out what they have to do.

Eric Taylor:

So that's really the time to start talking with your security team, your IT security team, and finding out, okay, before the next wave.

Shiva Maharaj:

Install EDR

Eric Taylor:

is all, lock down your stuff. Because I mean, there's another group, I don't, it's called Avalon ransomware. Yes, they don't care. Their name, their name-and-shame site is going massive. I think in the last two weeks, they hit over 500 companies.

Shiva Maharaj:

That is impressive. Like, it's nuts.

Eric Taylor:

So yeah, the story is far from over, especially from a ransomware standpoint. It's really interesting to see what Darkside is really doing. I know Darkside is actually still collecting payments. They're not giving out their decryptors for free; all the money, according to the articles, those are coming after the 21st, after they pay off all of their affiliates.

Shiva Maharaj:

But again, you never know. Yeah, you know, Toshiba just got hit by them last week,

Eric Taylor:

supposedly, we'll see.

Shiva Maharaj:

But they were able to get back up with backups. So, guys, there is a way through this. And I implore you to really test your backups. It doesn't make sense if you're backing up every five minutes if you're never testing them.

Eric Taylor:

Yeah, so um, if y'all ever have, if you're looking at it like, what do we do?

Unknown:

Call? Call me.

Eric Taylor:

Exactly. Our links are down in the bio. We're happy to have a conversation with you.

Shiva Maharaj:

If it's incident response, don't call me, call him. Because I'm just going to call him and charge you 30% for the privilege, so just call him directly.

Eric Taylor:

Exactly. Well, anyway, I'm getting ready to bow out for the weekend. I'm not sure if anybody actually does. Oh, are you gonna smoke anything on the grill this weekend? Yes, actually, tomorrow is National Traeger Day. Okay, mate. So I am planning to do some ribs, planning on doing the whole, whole thing. I will be on the smoker. There's several people in the new neighborhoods. That is, that

Shiva Maharaj:

work. You got the, you got the tongs in one hand for the smoker and your cell phone getting all the ransomware alerts in the other.

Unknown:

Now I have my laptop behind me on the stand, or whatever, the white speakers, you're just being like, Yes,

Shiva Maharaj:

dear. Yes, dear. Hmm, sounds about right. Sounds about like every man's weekend.

Eric Taylor:

Sounds about right. But it should be a good time. All right. Sounds good.

Shiva Maharaj:

Thank you guys.

Eric Taylor:

Thank you. Y'all take care.

Shiva Maharaj:

Thanks again for joining us for the Cybersecurity: Amplified and Intensified podcast.