Shostack + Friends Blog


Colonial Pipeline, Darkside and Models


The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can't delve into all of it.

I did want to talk about one small aspect, which is the way responders talk about Darkside. Blog posts from Sophos and Mandiant seem really useful! Information sharing is working, and what the heck does a Cyber Review Board have left to do? I want to comment first on the models that they're using, second on the data within them, and thirdly on a few of the things that the new Cyber Safety Review Board might do if they were charged with looking at this.

The first thing I did was to compare the kill chain models. Sophos categorizes its chain with at least two steps that Mandiant leaves out. Most of the mapping comes down to minor differences in titles, but I can't tell whether Mandiant's "establish foothold" stage is the same as Sophos' "execution" stage, and would need to dig in deeper.

Mandiant               Sophos
Initial Compromise     Initial access
Establish Foothold     Execution (?)
Escalate Privileges    Defense evasion
Maintain Presence      Persistence
Move Laterally         Lateral Movement
Internal Recon         Discovery
Complete Mission       Impact
(no counterpart)       Command & Control

The second thing to note is far more important: the contents of the columns differ a lot. For move laterally, Mandiant lists Beacon, RDP, plink and F-Secure C3, while Sophos lists PSExec, RDP and SSH. The only element in common is RDP. So, who to believe? Is the accurate information the union of the two, in which case both are seriously off? Is one better than the other? I think that both are basing their data on five investigations ("Mandiant currently tracks five clusters of threat activity that have involved the deployment of DARKSIDE," "The Sophos Rapid Response team has been called in for incident response or to intervene during an attack involving DarkSide on at least five different instances in the past year.").
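To make that comparison mechanical, here is an added example (mine, not code from this post or from Mandiant or Sophos) that aligns the two write-ups using the mapping table above and the stage contents quoted in this post, then reports what the vendors have in common per stage. The stage names, contents and the uncertain "establish foothold / execution" pairing come from the post; STAGE_MAP, compare and agreement are names I chose.

```python
# Added example: align two vendors' kill-chain write-ups to one set of stages and
# report per-stage overlap. Stage names and contents are as quoted in the post.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Mandiant stage -> Sophos stage, per the mapping table. The Establish Foothold ->
# Execution pairing is the one the post marks as uncertain.
STAGE_MAP = {
    "Initial Compromise": "Initial access",
    "Establish Foothold": "Execution",
    "Escalate Privileges": "Defense evasion",
    "Maintain Presence": "Persistence",
    "Move Laterally": "Lateral Movement",
    "Internal Recon": "Discovery",
    "Complete Mission": "Impact",
}
UNCERTAIN = {"Establish Foothold"}

# Only the stages whose contents the post quotes are filled in.
MANDIANT: Dict[str, Set[str]] = {
    "Move Laterally": {"Beacon", "RDP", "plink", "F-Secure C3"},
    "Initial Compromise": {"suspected password attacks on perimeter",
                           "CVE-2021-20016", "malicious emails with links"},
}
SOPHOS: Dict[str, Set[str]] = {
    "Lateral Movement": {"PSExec", "RDP", "SSH"},
    "Initial access": {"external remote access", "credential phishing"},
    "Command & Control": set(),  # in Sophos' chain, no Mandiant counterpart
}

@dataclass(frozen=True)
class StageOverlap:
    mandiant_stage: Optional[str]   # None when Sophos' stage has no counterpart
    sophos_stage: str
    common: FrozenSet[str]          # indicators both vendors report
    union: FrozenSet[str]           # everything either vendor reports
    uncertain: bool                 # mapping the post itself questions

def compare(mandiant: Dict[str, Set[str]], sophos: Dict[str, Set[str]]):
    """One StageOverlap per Sophos stage, keyed by Sophos' stage name."""
    by_sophos = {s: m for m, s in STAGE_MAP.items()}
    result = {}
    for s_stage, s_items in sophos.items():
        m_stage = by_sophos.get(s_stage)
        m_items = mandiant.get(m_stage, set()) if m_stage else set()
        result[s_stage] = StageOverlap(m_stage, s_stage, frozenset(m_items & s_items),
                                       frozenset(m_items | s_items), m_stage in UNCERTAIN)
    return result

def agreement(ov: StageOverlap) -> float:
    """Share of the combined list that both vendors report (Jaccard); 0.0 if empty."""
    return len(ov.common) / len(ov.union) if ov.union else 0.0
```

On the post's own numbers, lateral movement scores 1/6: RDP is the only shared item out of six reported tools.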

Let me be clear: I am not saying this to pick on either team or their members. I have every reason to believe that both companies employ smart, hardworking people, and are sincerely trying to share information to help defenders as best they can. Further, I appreciate that both have taken cycles from their response teams to assemble the information to help defenders.

Rather, and this is my third point: we exist in a world apparently awash in data about threat actors, and there are plenty of opportunities to dig deeper. The Mandiant and Sophos posts came to my attention in a conversation, and I didn't attempt to find others. I haven't done an element-by-element comparison of the chains, but I do see that Mandiant lists "suspected password attacks on perimeter", CVE-2021-20016 and malicious emails with links, compared to Sophos' external remote access and credential phishing. (I very much appreciate that both companies are being more specific than "phishing.")

Today, each defender has to do this work for themselves, and there are not enough hours in the day. Tales of under-staffed, overworked, and burnt-out defense operations teams are not just common, they're the norm, much like under-staffed and overworked air traffic control was the norm: there were 8 minutes of work for each takeoff or landing, and each controller had 30 takeoffs or landings to manage in an hour, meaning the work as imagined was 8 minutes, and the work as performed had to fit into 2 minutes. (Numbers are approximate, but the ATC situation is a major focus of work in human factors engineering, after a series of NTSB reports drew attention to the discrepancies.)

It would be fascinating to know whether Colonial was focused on a threat-informed defense, a NIST CSF-informed defense, or something else, and, more broadly, over a set of investigations, is one working better than the other? A Cyber Safety Review Board could also ask more focused questions: Does one prevent better, but detect worse? Does chasing these indicators help defenders get to effectiveness, or run them ragged, drinking from a firehose? A Board could help us find empirical answers.

A Board could also delve into specifics: does investigating one or another type of indicator result in faster detection? How many new indicators does a typical investigation find? What's the rate of change of indicators found? (That is, "is the world of cyber really fast moving, or molasses?")

The new Board will need to demonstrate its value and there's a plethora of ways it could do so. We all hope it chooses thoughtfully, and should give it the space and support it will need to do so.

[Update: the first version of the table aligned exfiltration and C&C with internal recon; I am grateful to Steve Bellovin for pointing out the error. Additionally, I am aligning defense evasion with escalate privileges because least privilege is a defense that is being evaded, and an argument can be made that it's a presence maintenance technique.]