Today we got news that a deal has been reached to reopen the government with a short-term funding bill that will allow lawmakers to negotiate while the government is open. But there are only three weeks of funding in the short-term bill, and it is completely reasonable to think that another shutdown is imminent (e.g. three weeks later). Cybersecurity and IT professionals (government employees and contractors) will return to work, but must plan as if they will shut back down in three weeks.
In this video Jonathan Ham and Jake Williams from Rendition Infosec talk through some of the challenges they will face. We also discuss how to most appropriately devote their limited time and resources (assuming that another shutdown is imminent).
One of the biggest topics that Jake and Jonathan talked about on the webcast was the increased risk of insider threats. Contractors who were furloughed are excellent targets for foreign HUMINT agents. They note that as people come back to work, there will be an unprecedented flurry of activity, including many shifting roles for those who may not return (as well as government contractors who may not return immediately). This will make it difficult to use our best tool for detecting insiders – user behavior analytics. We simply lack baselines for this sort of behavior.
Jake and Jonathan closed by offering suggestions for cybersecurity and IT professionals to take while restarting government IT and simultaneously recognizing that another shutdown might be only three weeks away.
Steps for success:
Patch, especially for network accessible third party services. We assume that regular OS patches were already taken care of during the shutdown. If not, do those too (obviously).
Get new baselines for the government restart. This event is unprecedented in scope. When employees return to work after 30+ days away from the office, our existing baselines will be useless for detecting anomalies. But there’s a real possibility that another shutdown is coming in three weeks. Use this opportunity to get a “return to work” baseline to use for the next restart (if another shutdown should occur).
Renew TLS certificates and look at those expiring soon (within 90 days of restart).
Prepare to disable accounts of non-essential personnel – these should be disabled using PowerShell or other tools as the next shutdown starts.
Extend storage of logs – we don’t know what we don’t know and three weeks isn’t enough time to hunt for threats. We’re going to see logging patterns like never before and it may take time to find badness in the logs. Ensure you have the logs you’ll eventually need.
Threat models have changed. Be ready for an amplified insider threat. Know that any handlers are likely directing their recruits to move quickly under the noise of the restart.
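The baseline problem raised in the "get new baselines" step and the insider-threat step above can be made concrete with a small scoring exercise. The following is an added example, not code from Rendition Infosec or the webcast: it builds a per-user working-hour window and host set from constructed authentication log lines (the log format, host names and dates are assumptions), scores restart-day events against the pre-shutdown baseline to show why every event lights up, then merges the restart window into a "return to work" baseline that can be stored and reused at the next restart.

```python
import json
from datetime import datetime

# Constructed sample auth logs (not real agency data): "ISO-timestamp user host action".
# Pre-shutdown weeks: normal office hours on the usual hosts.
PRE_SHUTDOWN_LOG = """
2018-12-10T08:02:00 alice fileserver-1 logon
2018-12-10T12:30:00 alice hr-portal logon
2018-12-11T17:05:00 alice fileserver-1 logon
2018-12-10T09:10:00 bob build-server logon
2018-12-12T18:20:00 bob build-server logon
2018-12-10T08:15:00 carol fileserver-1 logon
2018-12-13T16:40:00 carol fileserver-1 logon
"""
# Restart day 1: early password resets, and dave starts in a role carol's team used to cover.
RESTART_DAY1_LOG = """
2019-01-28T06:45:00 alice password-reset logon
2019-01-28T07:10:00 alice fileserver-1 logon
2019-01-28T06:50:00 bob password-reset logon
2019-01-28T07:30:00 bob build-server logon
2019-01-28T07:00:00 carol password-reset logon
2019-01-28T07:20:00 carol fileserver-1 logon
2019-01-28T07:05:00 dave password-reset logon
2019-01-28T09:30:00 dave fileserver-1 logon
"""
# Restart day 2: normal activity plus one late-night logon to a host carol never used.
RESTART_DAY2_LOG = """
2019-01-29T08:10:00 alice fileserver-1 logon
2019-01-29T09:00:00 bob build-server logon
2019-01-29T08:30:00 carol fileserver-1 logon
2019-01-29T08:20:00 dave fileserver-1 logon
2019-01-29T23:30:00 carol hr-portal logon
"""

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host, "action": action})
    return events

def _empty_user():
    return {"first_hour": 23, "last_hour": 0, "hosts": set()}

def build_baseline(events, phase):
    """Per-user earliest/latest logon hour and set of hosts, tagged with the phase it describes."""
    users = {}
    for e in events:
        u = users.setdefault(e["user"], _empty_user())
        u["first_hour"] = min(u["first_hour"], e["ts"].hour)
        u["last_hour"] = max(u["last_hour"], e["ts"].hour)
        u["hosts"].add(e["host"])
    return {"phase": phase, "users": users}

def merge_baselines(a, b, phase):
    """Union of two baselines: widest hour window and every host seen in either."""
    users = {}
    for src in (a, b):
        for name, u in src["users"].items():
            m = users.setdefault(name, _empty_user())
            m["first_hour"] = min(m["first_hour"], u["first_hour"])
            m["last_hour"] = max(m["last_hour"], u["last_hour"])
            m["hosts"] |= u["hosts"]
    return {"phase": phase, "users": users}

def score(event, baseline):
    """Ways an event departs from the baseline; an empty list means it looks normal."""
    u = baseline["users"].get(event["user"])
    if u is None:
        return ["new_user"]
    reasons = []
    if not (u["first_hour"] <= event["ts"].hour <= u["last_hour"]):
        reasons.append("hour")
    if event["host"] not in u["hosts"]:
        reasons.append("host")
    return reasons

def score_all(events, baseline):
    """(timestamp, user, host, reasons) for every event that deviates from the baseline."""
    flagged = []
    for e in events:
        reasons = score(e, baseline)
        if reasons:
            flagged.append((e["ts"].isoformat(), e["user"], e["host"], reasons))
    return flagged

def to_json(baseline):
    """Serialise a baseline so the next restart can start from it instead of from nothing."""
    users = {n: {"first_hour": u["first_hour"], "last_hour": u["last_hour"], "hosts": sorted(u["hosts"])}
             for n, u in baseline["users"].items()}
    return json.dumps({"phase": baseline["phase"], "users": users}, indent=2, sort_keys=True)

def from_json(text):
    data = json.loads(text)
    for u in data["users"].values():
        u["hosts"] = set(u["hosts"])
    return data

if __name__ == "__main__":
    pre = build_baseline(parse(PRE_SHUTDOWN_LOG), "pre-shutdown")
    day1 = parse(RESTART_DAY1_LOG)
    print("restart day 1 vs pre-shutdown baseline:", len(score_all(day1, pre)), "of", len(day1), "events flagged")
    rtw = merge_baselines(pre, build_baseline(day1, "restart-day1"), "return-to-work")
    for hit in score_all(parse(RESTART_DAY2_LOG), rtw):
        print("deviation vs return-to-work baseline:", hit)
    print(to_json(rtw))
```

Scored against the pre-shutdown baseline, all eight restart-day events are flagged, which is the "baselines are useless" problem the webcast describes. Once the first restart day is merged in, day two produces a single hit (carol's 23:30 logon to a host she has never used), and the merged baseline is the artifact worth saving under a "return to work" label so that a second restart three weeks later is compared against it rather than against pre-shutdown data.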
Of course these recommendations are not all inclusive, but they should offer those who are restarting cybersecurity for the government (perhaps temporarily) a good checklist to work with.
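For the certificate item on the checklist (renew now, and look at anything expiring within 90 days of restart), here is an added example of the triage, not code from the webcast or Rendition Infosec. The restart date, host names and certificate inventory are constructed; each entry has the dictionary shape that the standard library's `getpeercert()` returns, so the same classification works on live results from the `fetch_cert()` helper at the bottom.

```python
import socket
import ssl
from datetime import datetime, timezone

# Checklist window: anything expiring within 90 days of the restart gets renewed now.
WINDOW_DAYS = 90

# Constructed restart date and inventory (assumptions, not data from the webcast).
# Each cert dict has the shape returned by ssl.SSLSocket.getpeercert().
RESTART = datetime(2019, 1, 28, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("portal.agency.example", {"subject": ((("commonName", "portal.agency.example"),),),
                               "notAfter": "Mar 15 00:00:00 2019 GMT"}),
    ("vpn.agency.example",    {"subject": ((("commonName", "vpn.agency.example"),),),
                               "notAfter": "Jan 20 00:00:00 2019 GMT"}),   # lapsed during the shutdown
    ("mail.agency.example",   {"subject": ((("commonName", "mail.agency.example"),),),
                               "notAfter": "Dec 31 23:59:59 2019 GMT"}),
]

def days_until_expiry(cert, now):
    """Whole days until the certificate's notAfter (negative once it has expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def classify(cert, now, window_days=WINDOW_DAYS):
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days <= window_days:
        return "expiring"
    return "ok"

def triage(inventory, now, window_days=WINDOW_DAYS):
    """Bucket (name, cert) pairs so the renewal queue can be worked in priority order."""
    buckets = {"expired": [], "expiring": [], "ok": []}
    for name, cert in inventory:
        buckets[classify(cert, now, window_days)].append(name)
    return buckets

def fetch_cert(host, port=443, timeout=5.0):
    """Pull the live leaf certificate for one service (needs network access).

    Returns None when the handshake fails verification: a certificate that
    already expired during the shutdown is rejected before getpeercert() can
    be read, so None is itself a finding. Do not disable verification to get
    around this; with verify_mode=CERT_NONE getpeercert() returns an empty dict.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

if __name__ == "__main__":
    # Offline run against the constructed inventory; substitute fetch_cert() results for live hosts.
    for bucket, names in triage(SAMPLE_INVENTORY, RESTART).items():
        print(f"{bucket:8s} {names}")
```

Run as written it works the constructed inventory offline; on a real network the inventory should come from the certificate store and service list, not from a hand-typed file, because the services nobody remembers are the ones whose certificates lapsed unnoticed during the shutdown.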