The parallels between the Capitol assault of January 6th and the SolarWinds breach announced in late December are uncanny.
Both call for a complete rebuild of the affected networks: not because we know an attacker controls them, but because we cannot rule it out.
Pandora’s Box Unleashed
In the Capitol assault, rioters stormed the building and stole devices belonging to government officials, which opened a Pandora’s Box of privacy and security issues that must now be addressed.
Whether or not proof of tampering or network intrusion ever surfaces, the assault must be handled on the assumption that someone did gain access to the U.S. Capitol network, and that assumption alone drives the need for a complete rebuild from the ground up. Similarly, CISA directed agencies either to apply the SolarWinds update or to take the affected systems off the network and rebuild them, with five days' notice to do so.
Presumably, Congressional incident response plans call for sweeping every device that was exposed to the rioters, activating technical surveillance countermeasures, and turning on continuous network monitoring if it is not already in place.
Any time physical control of a device is lost, best practice is to assume that device is compromised and to sanitize or replace it during the rebuild. Given that the entire operation is funded by U.S. tax dollars, the logical reaction from government staffers will be to replace everything with brand-new equipment and software. That is the right response, though in private industry unbudgeted funding is not so easily found.
A Rare Bird Very Much Like a Black Swan
Both incidents serve as classic examples of cyber risk at scale driven by Black Swan events for which we are not adequately prepared.
In the case of the Capitol assault, desktops were left unlocked, exposing whatever their owners were working on at the time. Email and sensitive documents could have been captured simply by photographing the screen with a phone. A USB stick loaded with malware, inserted into any desktop connected to the network, could have planted persistence that is hard to detect, or ransomware of the Clop variety.
Clop is among the most destructive ransomware strains in circulation: before it begins encrypting, it kills more than 600 Windows processes and disables security software, including Windows Defender and Microsoft Security Essentials, leaving victims little chance of protecting their data once it is running.
We also know that Congressional IT works on a slow 2-3 year refresh cycle, so whatever protection and detection systems were in place lag well behind today's advanced threats. In addition, best-practice controls such as two-factor authentication and timed inactivity auto-locks are not mandatory on Capitol Hill; congressional staff must explicitly request them, and as a result, in practice no one does.
All 100 senators share the same email server and network infrastructure, which dramatically expands the attack surface and makes damage assessment far more complicated and difficult. As in the SolarWinds case, the evidence points to a complete rebuild.
To compound the complexity, rioters apparently stole laptops from both House Speaker Pelosi and Sen. Merkley of Oregon. If those devices were enrolled in mobile device management or carried LoJack-style tracking, IT staff could remotely wipe them, track their location, and alert investigators accordingly.
A better response would have been a push from the SOC to the stolen devices forcing a restart and/or network isolation. Since none of this appears to have happened, we can only conclude that such protocols were not in place.
Beyond near-term efforts to address immediate risk, cyber teams will need to consider the type of information exposed, and who might gain access.
Potential Nation-State Interference?
For all intents and purposes, the crowd from the rally appeared to be ordinary Trump supporters, but there is a substantial risk that cyber operators working for one of our nation-state adversaries were in that crowd and among the assault crew as well. One thumb drive inserted into any machine on the network produces exposure comparable to what we see with the SolarWinds attack.
Intelligence reporting may yet reveal the rioters' plans and communications, but much work remains before we have any inkling whether a cyber compromise was a deliberate part of the assault or merely a coincidental by-product.
A deliberate compromise becomes more plausible if rioters coordinated their plans online ahead of time.
Beyond the immediate threat of classified data leaks, a threat actor from, say, Russia or China would be interested in ongoing policy disputes, levers of influence, and other pressure points that could be turned into blackmail material. Email in particular is a rich source for identifying disgruntled employees who may be valuable in a counterintelligence context, or at the very least for exposing Congressional dysfunction.
Lots of Work Ahead of Us
The work ahead begins with log retention policy and log review, and must result in stronger data protection protocols, least-privilege account access, shorter inactivity timeouts before systems lock, and a restart built on zero trust principles. Retaining log data for a year rather than 90 days should become a priority: the SolarWinds intruders were inside their victims' networks for months before discovery, so a 90-day window would not even cover the intrusion. Deploying tooling that suppresses trivial alerts and surfaces only critical IOCs should be a given.
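As an added example, not code from the original article, the following PowerShell script audits a Windows endpoint for three of the controls this section and the earlier passage on unlocked desktops and USB sticks say were absent or weak: a machine inactivity lock, removable-storage (USB mass storage) restrictions, and Security event log capacity as a stand-in for retention. The registry paths, the Removable Disks device class GUID and the wevtutil command are real Windows settings; the thresholds (10 minutes, 4 GB) and the optional -Remediate behaviour are the example's own assumptions.

```powershell
# Added example, not from the original article. Audits a Windows endpoint for
# three controls the article says were missing or weak on the Hill:
#   1. machine inactivity lock ("Interactive logon: Machine inactivity limit")
#   2. removable-storage (USB mass storage) write/execute restrictions
#   3. Security event log capacity, as a proxy for log retention
# Thresholds and the -Remediate path are this example's assumptions.
# Run from an elevated Windows PowerShell prompt.

param(
    [int]$MaxIdleSeconds   = 600,    # assumption: lock after 10 idle minutes
    [int]$MinSecurityLogMB = 4096,   # assumption: 4 GB before the log wraps
    [switch]$Remediate
)

$PolicySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class for "Removable Disks" (USB mass storage volumes)
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-InactivityLock {
    # 0 or absent means no machine-wide inactivity lock is enforced
    $secs = Get-RegValue $PolicySystem 'InactivityTimeoutSecs'
    $pass = ($secs -gt 0) -and ($secs -le $MaxIdleSeconds)
    if ($Remediate -and -not $pass) {
        New-Item -Path $PolicySystem -Force | Out-Null
        Set-ItemProperty -Path $PolicySystem -Name InactivityTimeoutSecs -Value $MaxIdleSeconds -Type DWord
    }
    $detail = if ($secs) { "InactivityTimeoutSecs=$secs" } else { 'not configured' }
    [pscustomobject]@{ Control = 'Machine inactivity lock'; Pass = $pass; Detail = $detail }
}

function Test-RemovableStorage {
    # Deny_All on the parent key blocks every removable class; otherwise require
    # both Deny_Write (no copying documents off) and Deny_Execute (no running a
    # payload from the stick) on the Removable Disks class.
    $denyAll   = Get-RegValue $RemovableKey 'Deny_All'
    $classKey  = Join-Path $RemovableKey $RemovableDisksClass
    $denyWrite = Get-RegValue $classKey 'Deny_Write'
    $denyExec  = Get-RegValue $classKey 'Deny_Execute'
    $pass = ($denyAll -eq 1) -or (($denyWrite -eq 1) -and ($denyExec -eq 1))
    if ($Remediate -and -not $pass) {
        New-Item -Path $classKey -Force | Out-Null
        Set-ItemProperty -Path $classKey -Name Deny_Write   -Value 1 -Type DWord
        Set-ItemProperty -Path $classKey -Name Deny_Execute -Value 1 -Type DWord
    }
    $detail = "Deny_All=$denyAll Deny_Write=$denyWrite Deny_Execute=$denyExec"
    [pscustomobject]@{ Control = 'Removable storage restricted'; Pass = $pass; Detail = $detail }
}

function Test-SecurityLogCapacity {
    # A small circular Security log overwrites itself in days; size is the
    # local lever, real retention still requires forwarding to a SIEM.
    $log    = Get-WinEvent -ListLog Security
    $sizeMB = [int]($log.MaximumSizeInBytes / 1MB)
    $pass   = $sizeMB -ge $MinSecurityLogMB
    if ($Remediate -and -not $pass) {
        # wevtutil sl = set-log; /ms: is the maximum size in bytes
        wevtutil sl Security "/ms:$($MinSecurityLogMB * 1MB)"
    }
    $detail = "MaximumSize=${sizeMB}MB LogMode=$($log.LogMode) Records=$($log.RecordCount)"
    [pscustomobject]@{ Control = 'Security log capacity'; Pass = $pass; Detail = $detail }
}

$results = @(Test-InactivityLock; Test-RemovableStorage; Test-SecurityLogCapacity)
$results | Format-Table -AutoSize
# Non-zero exit so a fleet-wide job (SCCM, Intune, a scheduled task) can flag the host
if ($results.Pass -contains $false) { exit 1 }
```

Two caveats a practitioner would want: on a domain-joined fleet these registry values are overwritten at the next Group Policy refresh, so the durable fix is the corresponding GPO settings rather than this script's -Remediate path; and the removable-storage policy governs mass storage only, so a USB device that presents itself as a keyboard is not blocked by it and needs device-allow-listing or port control instead.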
While the SolarWinds attack was historic, the fallout from a single physical break-in could be just as catastrophic, and our physical security protocols must become far stronger than they are now.