In April 2021, as organisations around the world reeled from the impact of a series of cyber attacks conducted through compromised on-premises Microsoft Exchange servers, the US Department of Justice (DoJ) revealed it had obtained a court order enabling the FBI to access vulnerable systems and remove any malicious web shells it found had been placed on them.
To begin with, the Microsoft Exchange attacks were most likely orchestrated by Hafnium, a Chinese state-backed actor – similar to the SolarWinds Orion incident, which probably originated with a Russian group. However, following their disclosure in March, other malicious actors quickly piled in, and reports of ransomware attacks soon followed.
As you would hope, Microsoft rushed an out-of-band patch to address the zero-days, but with Hafnium having taken advantage of them for some time before public disclosure, a great deal of damage had already been done.
For Huntress founder Kyle Hanslovan, the April move by the US authorities represented a concerted, proactive and, above all, welcome intervention on behalf of the cyber-savvy Biden administration, helping organisations that, in his words, “fall below the enterprise security poverty line”.
Why should he care? Hanslovan began his career in intelligence at the US National Security Agency (NSA) in the early 2000s, and spent a lengthy period in the UK working alongside GCHQ, where he supported both defensive and offensive cyber operations on behalf of the western allies.
He has since turned his attention to civilian security, founding defence consultancy StrategicIO prior to Huntress, and playing an active role in the ethical hacking community as a Black Hat conference trainer, STEM (science, technology, engineering and maths) mentor, and DefCon Capture the Flag champion.
In fact, Huntress was born out of a desire to give something back to those organisations that, through no fault of their own, cannot necessarily help themselves. During his time at the NSA, Hanslovan had become a huge privacy advocate – which he concedes is quite funny if you think too much about the NSA – and at about the time of the Edward Snowden revelations, started to think that having spent the best part of 15 years hacking and breaking things, it was time to fix them instead.
The cyber security poverty line
“That was a good foundation and made for a great story to start a company since we were leaving our offensive hats behind, but using that offensive mentality to secure the companies that fall below the enterprise poverty line,” he says. “Huntress is solely focused on 1,000-employee companies and below, rather than most others who are in the Fortune 100, 500 or 1,000.”
It is these smaller companies – collateral damage in many regards – that the US action was designed to help and, according to Hanslovan, such organisations were in dire need of assistance.
“We had a very rough six weeks from the time of 27 February to probably the second week in April,” he says, describing how Huntress for a time took its sales people off their regular calling schedule and redeployed them to notify customers that they were compromised.
“But two weeks later we would validate and the web shells were still there, so it was crystal clear they were not in a position to do anything about it. And it’s not negligence – sometimes they literally don’t have the server because they outsourced it to somebody, or they might have migrated to [Microsoft] Office 365 and forgotten they had this old server in their network – an old mail server that was decommissioned but never fully turned off,” he says.
“So I was really happy when I saw the federal government taking some action to secure these people that are often negated.”
Successful proof of concept
At the same time, says Hanslovan, he was mindful of justifiable concerns that this action might be seen as the US government over-reaching by delving into private networks without consent.
For this reason, he thinks it highly noteworthy that the action was performed by the DoJ and the FBI, and argues that while the DoJ may not be the most exciting of federal agencies, it shows commitment to using proper legal authorities and law enforcement, rather than turning to the intelligence community.
“I think it’s very important to keep US intelligence agencies like the NSA focused on their foreign targets and away from infringing on civil liberties,” says Hanslovan.
“The use of courts to authorise the FBI’s disruption effort is a solid initial framework to ensure these actions stay focused on increasing security and are restricted from indirect intelligence targeting.”
Hanslovan argues that given the apparent success of the initial operation, it should be treated as an exciting proof of concept and used to establish rules of engagement for future remedial cyber operations of a similar nature.
“I do think it needs to be tempered – it probably won’t always be the fastest response if it’s the government because they need to be extra sure that they’ve tested whatever they plan to do,” he says. “But I do think it will help all of us to improve business security.
“I would prefer a conservative approach instead of over-reaching, meaning maybe the initial definitions – I do think that’s where we’re at, it’s time to start defining some things based on what we learned.”
Some of the definitions that will need to be worked out include the question of just what warrants a government-level response. Nation state-backed attacks, such as the Microsoft Exchange or SolarWinds incidents, are one matter, but where does something like the recent takedown of Emotet by European authorities sit in this framework?
Hanslovan suggests using a kind of menu to “diagnose” an actionable incident: if a security event meets, say, seven out of 10 listed criteria, it might warrant government intervention.
Then, if the authorities do continue to go down this more proactive route, there will need to be a model for transparency and disclosure following a successful operation, a model for what happens when something goes wrong and a commercial organisation is disrupted by friendly government intervention, and a model for the protection of any proprietary or confidential data that might be seen in the course of a legal intervention. For example, does that data then become subject to freedom of information legislation?
“I don’t know if anybody is even thinking of that right now,” says Hanslovan. But he hopes that, on the evidence of Biden’s appointment of multiple former NSA people with bountiful experience of privacy and legal issues – such as cyber lead Anne Neuberger – there are people in the right place to push to establish ground rules for how data can and cannot be used.
“Sometimes it’s way too easy to say what you can do, but nobody thinks about what you should never do with this data,” he says. “But I hope those are public conversations and public dialogues.”
A business owner may also have legitimate worries about being hauled over the coals for an infringement of data protection regulations – such as California’s Consumer Privacy Act or Europe’s General Data Protection Regulation – during a government-backed intervention.
Hanslovan agrees this may become an issue, and suggests there will need to be some kind of double jeopardy-like safeguard built in. He draws an analogy with policing, noting how some agencies will not push to prosecute for possession of drug paraphernalia found on someone suffering an overdose.
“Often, when somebody overdoses in the US, even if they have drug paraphernalia on them at that time and police are responding, there is a framework to say you are there to protect and serve, meaning you’re there to get this community member back on their feet, and get them medical attention,” he says.
The flipside of this argument is that while maybe a police department wouldn’t prosecute for drug possession, if they saw the user was involved in serious crimes such as people trafficking or child sex abuse, a reasonable person would be very upset if the police did not pursue a prosecution on those grounds. This is another reason why it is important for policy on cyber interventions to be developed transparently and in the public domain.
Iterate and iterate again
Governments being governments, Hanslovan tends to feel it is inevitable that something will go wrong if enforcement actions of this nature do indeed become routine, but he is also inclined to look on such actions as iterations moving towards a final “product”.
“I personally think we will get it wrong – like a product, sometimes you ship a product and it sucks, it sucks so bad it’s embarrassing, but you iterate on the product to the point it’s awesome,” he says. “I would hope this will be the same – get something out there for a best effort, and then iterate on it.”