Colonial Pipeline, Darkside and Models

The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can’t delve into all of it.

I did want to talk about one small aspect, which is the way responders talk about Darkside. Blog posts from Sophos and Mandiant seem really useful! Information sharing is working, and what the heck does a Cyber Review Board have left to do? I want to comment first on the models that they’re using, second on the data within them, and thirdly on a few of the things that the new Cyber Safety Review Board might do if they were charged with looking at this.

The first thing I did was to compare the kill chain models. Sophos categorizes its chain with at least two steps that Mandiant leaves out. Most of the mapping comes down to minor differences in titles, but I can’t tell whether Mandiant’s establish foothold stage is the same as Sophos’ execution stage, and would need to dig in deeper.

[Figure: Sophos Darkside, May 15 2021]

Mandiant              Sophos
Initial Compromise    Initial access
Establish Foothold    Execution (?)
Escalate Privileges   Defense evasion
Maintain Presence     Persistence
Move Laterally        Lateral Movement
Internal Recon        Discovery
Complete Mission      Impact
(no counterpart)      Command & Control

The second thing to note is far more important: the contents of the columns differ a lot. For move laterally, Mandiant lists Beacon, RDP, plink and F-Secure C3, while Sophos lists PSExec, RDP and SSH. The only element in common is RDP. So, who to believe? Is the accurate information the union of the two, in which case both are seriously off? Is one better than the other? I think that both are basing their data on five investigations (“Mandiant currently tracks five clusters of threat activity that have involved the deployment of DARKSIDE,” “The Sophos Rapid Response team has been called in for incident response or to intervene during an attack involving DarkSide on at least five different instances in the past year.”)
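To make the comparison above repeatable, here is an added example (mine, not from the post or either vendor) that normalizes two vendors’ write-ups to one set of stage names via the crosswalk in the table and then measures per-stage agreement; the stage mapping and the two indicator lists are the ones quoted in the post, and the stage names not spelled out in the post are left empty.

```python
# Added example: normalise two vendors' kill-chain write-ups to a shared
# stage list, then measure how far their per-stage indicators agree.
# Crosswalk and indicator lists are taken from the post; nothing else is.
from dataclasses import dataclass
from typing import Optional

# Mandiant stage -> Sophos stage, as in the post's table.
CROSSWALK = {
    "Initial Compromise": "Initial access",
    "Establish Foothold": "Execution",         # post marks this mapping as uncertain
    "Escalate Privileges": "Defense evasion",  # aligned per the post's update note
    "Maintain Presence": "Persistence",
    "Move Laterally": "Lateral Movement",
    "Internal Recon": "Discovery",
    "Complete Mission": "Impact",
}

@dataclass
class StageComparison:
    stage: str
    common: set
    only_a: set
    only_b: set

    @property
    def jaccard(self) -> Optional[float]:
        """Overlap ratio; None when neither vendor reported anything for the stage."""
        union = self.common | self.only_a | self.only_b
        return len(self.common) / len(union) if union else None

def _norm(name: str) -> str:
    return name.strip().lower()

def compare_reports(mandiant: dict, sophos: dict):
    """Return per-stage comparisons plus Sophos stages with no Mandiant counterpart."""
    results, matched = [], set()
    for m_stage, s_stage in CROSSWALK.items():
        a = {_norm(x) for x in mandiant.get(m_stage, [])}
        b = {_norm(x) for x in sophos.get(s_stage, [])}
        matched.add(s_stage)
        results.append(StageComparison(m_stage, a & b, a - b, b - a))
    return results, set(sophos) - matched

# Indicator lists as quoted in the post (only the stages it spells out).
MANDIANT = {
    "Move Laterally": ["Beacon", "RDP", "plink", "F-Secure C3"],
    "Initial Compromise": ["suspected password attacks on perimeter",
                           "CVE-2021-20016", "malicious emails with links"],
}
SOPHOS = {
    "Lateral Movement": ["PSExec", "RDP", "SSH"],
    "Initial access": ["external remote access", "credential phishing"],
    "Command & Control": [],
}
```

Running `compare_reports(MANDIANT, SOPHOS)` shows lateral movement sharing only RDP (Jaccard 1/6), initial access sharing nothing because the vendors name techniques at different granularity, and Command & Control flagged as a Sophos-only stage.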

Let me be clear: I am not saying this to pick on either team or their members. I have every reason to believe that both companies employ smart, hardworking people, and are sincerely trying to share information to help defenders as best they can. Further, I appreciate that both have taken cycles from their response teams to assemble the information to help defenders.

Rather, and this is my third point: we exist in a world apparently awash in data about threat actors, and there are plenty of opportunities to dig deeper. The Mandiant and Sophos posts came to my attention in a conversation, and I didn’t attempt to find others. I haven’t done an element-by-element comparison of the chains, but I do see that Mandiant’s “suspected password attacks on perimeter”, CVE-2021-20016 and malicious emails with links line up against Sophos’ external remote access and credential phishing. (I very much appreciate that both companies are being more specific than “phishing.”)

Today, each defender has to do this work for themselves, and there are not enough hours in the day. Tales of under-staffed, overworked, and burnt-out defense operations teams are not just common, they’re the norm, much as under-staffed and overworked air traffic control was the norm: there were 8 minutes of work for each takeoff or landing, and each controller had 30 takeoffs or landings to manage in an hour, meaning the work as imagined was 8 minutes while the work as performed had to fit into 2 minutes. (Numbers are approximate, but the ATC situation is a major focus of work in human factors engineering, after a series of NTSB reports drew attention to the discrepancies.)

It would be fascinating to know whether Colonial was focused on a threat informed defense, a NIST CSF informed defense, or something else, and, looking across a set of investigations, whether one works better than the other. A Cyber Safety Review Board could also ask more focused questions: Does one prevent better, but detect worse? Does chasing these indicators help defenders get to effectiveness, or run them ragged, drinking from a firehose? A Board could help us find empirical answers.

A Board could also delve into specifics: does investigating one or another type of indicator result in faster detection? How many new indicators does a typical investigation find? What’s the rate of change of the indicators found? (That is, “is the world of cyber really fast moving, or molasses?”)

The new Board will need to demonstrate its value and there’s a plethora of ways it could do so. We all hope it chooses thoughtfully, and should give it the space and support it will need to do so.

[Update: the first version of the table aligned exfiltration and C&C with internal recon; I am grateful to Steve Bellovin for pointing out the error. Additionally, I am aligning defense evasion and escalate privilege because least privilege is a defense being evaded, and an argument can be made that it’s a presence maintenance technique.]

4 Comments on "Colonial Pipeline, Darkside and Models"

  1. Great point. I agree that defenders are awash in data. To carry your transportation analogy forward, I would like to think the Board could publish findings with some clarity that we can use to message to the board room, e.g. the pilot was sleepy, there was a mechanical failure.

    I don’t expect the recommendations to be new or novel but if we can show clear evidence that X contributed to the outcome then maybe, just maybe, that helps us move the needle in some organizations.

    Also as empirical data becomes a pattern or trend, then perhaps our compliance bodies can begin to evolve their standards in that area. Again for boardroom leverage.

  2. Great posts! With all the news cycles, there is confusion about the attackers and the tools they are using. As ransomware becomes a service, different groups may use different methods to achieve the initial compromises, and then deliver the same payload (Darkside, etc.). Both Mandiant and Sophos might be right, because they were investigating different incidents.

  3. There haven’t been two Darkside events alike. Their initial access varies quite a bit depending on which affiliate they have secured it through. Once they take over at the keyboard, it’s all adaptation based on where their initial point of presence is and where critical assets / OT are relative to the victim’s business. These guys were far less scripted / SOP’d than some of the larger operations.
