Biden's Cybersecurity Order: The Need for Behavior Transparency

June 21, 2021

Strengthening Cybersecurity Defenses: A New Executive Order

In response to a series of significant cybersecurity breaches – notably the incidents affecting SolarWinds, Microsoft Exchange Server, and Pulse Secure – the Biden administration unveiled an executive order this spring. These attacks had widespread consequences, impacting both federal agencies and numerous private sector companies.

The Colonial Pipeline ransomware attack, occurring shortly after the order’s announcement, further highlighted the critical need for enhanced cybersecurity measures.

The Role of the Software Bill of Materials (SBOM)

A central component of the executive order is the requirement for vendors to provide a software bill of materials (SBOM) during the federal procurement process.

This SBOM will meticulously detail all software components within a product, including those utilizing open-source code. This detailed inventory will enable federal agencies to rapidly assess their vulnerability status when flaws are discovered in specific components.

Limitations of the SBOM Approach

While the SBOM represents a valuable advancement in federal cybersecurity, it isn’t a complete solution. It will facilitate quicker responses to known vulnerabilities.

However, its effectiveness is limited in scenarios like the SolarWinds supply-chain attack, where malicious components are covertly introduced into the software.

Introducing Behavior Transparency

To address these limitations, the Biden administration should broaden the scope of the cyber executive order to incorporate behavior transparency, alongside the SBOM requirement.

Building on Existing Transparency Models

The concept of transparency isn’t novel within the technology sector. Certificate transparency (CT) provides a public record of all certificates issued by certificate authorities (CAs), enabling monitoring and auditing of CA operations.

Similarly, Apple’s App Tracking Transparency feature empowers users to control and view the tracking activities of applications.

Behavior transparency proposes extending this principle to encompass predictable software behaviors.

How Behavior Transparency Works

A behavior transparency framework would define the anticipated actions a software application will perform on a device or network. This allows security analysts to differentiate between normal activity and potential security breaches.

Consequently, security teams gain a significant advantage in detecting the exploitation of vulnerabilities, whether they exist in proprietary or open-source software.

Industry Practices and Existing Documentation

Fortunately, documenting common software behaviors is already a standard practice within the industry for external network activity. Many leading software vendors, including Meraki, McAfee, Tenable, LogMeIn/GoToMeeting, and ExtraHop, publish lists detailing typical product behaviors.

Even SolarWinds provides documentation outlining its expected network behaviors.

The Path Forward

The Biden administration has the opportunity to catalyze improvements to this existing industry practice. This would significantly enhance the security posture of both public and private organizations.

Enhancing Behavioral Transparency Through Standardized Practices

The initial step outlined by the cyber executive order involves the formation of a collaborative working group. This group should consist of key software and security vendors, alongside organizations like MITRE, to develop comprehensive standards for network activity logging.

These standards are intended to ensure complete behavior transparency. A foundational element of this transparency will be the inclusion of detailed information regarding network interactions.

Essential Components of Behavior Transparency

At a minimum, the established framework must document external network destinations reached by software. It should also record internal network connection patterns between different software components.

Furthermore, where relevant, a clear listing of associated network ports and their designated functions is crucial. This detailed record-keeping will facilitate a deeper understanding of software behavior.

Addressing Suspicious Network Activities

The behavior transparency framework should extend beyond standard network communication. It must also encompass other network-related actions, with particular attention given to potentially malicious activities.

Specifically, any behavior resembling network scanning or reconnaissance should be meticulously logged and flagged for review. This proactive approach is vital for identifying and mitigating potential threats.

Leveraging Behavioral Data for Enhanced Security

A key recommendation stemming from the recent cyber executive order is the requirement for making behavioral data readily accessible to standard security solutions.

Specifically, the order calls for the publication of documented software behaviors in a format easily processed by machines, such as JSON or CSV.

Integration with Existing Security Infrastructure

This data should be ingestible by widely used security products, including SIEM systems, firewalls, endpoint protection platforms, network detection and response tools, and change management applications.

Currently, much of this behavioral information is presented in non-machine-readable formats like webpages or PDFs.

Improving Threat Detection Capabilities

Transitioning to machine-readable formats will empower security tools to establish operational baselines.

These baselines will facilitate the swift and precise identification of anomalous activities that may signify a security breach.

For example, deviations from established norms can be flagged as potential compromises.

Industry Leadership

Meraki currently exemplifies this proactive approach by providing its behavioral data in the CSV format.

This demonstrates the feasibility and benefits of adopting a standardized, machine-readable approach to behavioral data sharing.

Establishing a Centralized Repository for Behavioral Data

A key component of enhanced cybersecurity involves creating a central point of access for behavioral information. This initiative should be overseen by the Cybersecurity and Infrastructure Security Agency, or a similarly designated federal body.

Currently, obtaining details regarding network behavior necessitates a fragmented process. Users must navigate vendor websites, review product documentation, or submit support requests.

Inaccuracies in the provided information further complicate matters, often requiring additional support interactions.

The Problems with a Decentralized System

The existing decentralized method presents significant challenges. Granting unrestricted network access to enterprise software inherently poses security risks.

Zero Trust architectures are designed to mitigate these risks, but their effectiveness is hampered by the difficulty of tracking the expected behavior of each software component.

Without a unified source of behavior transparency data, even robust Zero Trust implementations will inevitably contain vulnerabilities related to enterprise software.

Proposed Solution: A Behavior Transparency Clearinghouse

To address these issues, a clearinghouse should be established as a centralized repository for behavior transparency data.

This repository would be structured by company, product name, and specific product version.

A platform similar to GitHub offers an ideal model for this clearinghouse, leveraging its established infrastructure as a widely accessible, centralized resource.

Such a system would streamline the process of understanding and validating the network behavior of enterprise software, bolstering overall security posture.

Facilitating Communication Between Users and Vendors

A crucial function of the clearinghouse should be to establish a straightforward channel for users to submit feedback directly to software vendors. This feedback can take various forms, including bug reports or even proposed code contributions via pull requests.

However, vendor involvement in approving any suggested changes is essential. This approach allows for the public identification of shortcomings in software functionality.

Addressing Discrepancies and Identifying Issues

Initially, many reported issues will likely stem from inconsistencies between product updates and the corresponding behavior transparency data. Ideally, vendors will proactively maintain the accuracy of this data over time.

Nevertheless, the system will also uncover genuine, previously unknown deficiencies in the software's operation. Transparency and open communication are key to resolving these.

  • User feedback provides valuable insights.
  • Vendors maintain control over changes.
  • Public forums encourage accountability.

The clearinghouse will therefore serve as a central point for identifying and addressing software vulnerabilities and ensuring product quality.

Securing the Software Supply Chain Through Behavioral Visibility

The software supply chain attack targeting SolarWinds, revealed in December 2020, serves as a stark reminder of the critical need for behavior transparency. Before December 11th, when FireEye initially detected the flaw within the SolarWinds Orion software, at least two other cybersecurity firms – Palo Alto Networks and Fidelis – had noted their SolarWinds systems communicating with the attacker-controlled domain, avsvmcloud[.]com.

Palo Alto Networks successfully identified and blocked further malicious activities; however, neither organization initially recognized the communication with avsvmcloud[.]com as inherently suspicious. This difficulty stemmed largely from the substantial amount of “noise” typically present when analyzing network data.

Had a greater number of organizations possessed readily available access to SolarWinds’ behavior transparency data, coupled with a platform for comparing deviations from established baselines, the outcome could have been significantly different.

Given that SolarWinds Orion typically connects to a limited number of external destinations, the initial stage of the supply chain attack – targeting subdomains of “appsync-api.eu-west-1.avsvmcloud[.]com” – might have been flagged more rapidly.

An analyst conducting a threat hunt with a SIEM query, or an EDR or NDR product leveraging machine learning and equipped with this information, could have more quickly identified the anomaly.

Furthermore, a streamlined public feedback channel could have alerted both SolarWinds and the broader industry to the fact that what appeared as insignificant noise in isolation (“appsync-api, appears legitimate?”) was, in reality, a serious threat.
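The baseline-and-deviation check described above (machine-readable behavior data feeding a detection tool, and the SolarWinds destination that such a check would have surfaced) is illustrated by the following added example; it is not code from the article or any vendor. It assumes a constructed CSV baseline for a placeholder product, "ExampleMonitor", with made-up destinations, and a constructed proxy log whose third line reuses the attacker domain named in the article under a made-up subdomain label.

```python
import csv
import io
from collections import defaultdict

# Constructed behavior transparency file in CSV form. "ExampleMonitor" is a
# placeholder product and its destinations are made up; "*." marks any subdomain.
BASELINE_CSV = """product,version,destination,port,purpose
ExampleMonitor,2020.2,updates.example-vendor.test,443,software updates
ExampleMonitor,2020.2,*.licensing.example-vendor.test,443,license validation
"""

# Constructed proxy log (timestamp host product destination port). The third line
# uses the attacker domain named in the article under a made-up subdomain label.
LOG_LINES = """2020-12-08T10:00:01Z mon01 ExampleMonitor updates.example-vendor.test 443
2020-12-08T10:05:12Z mon01 ExampleMonitor eu.licensing.example-vendor.test 443
2020-12-08T10:07:44Z mon01 ExampleMonitor abc123.appsync-api.eu-west-1.avsvmcloud[.]com 443
2020-12-08T10:09:03Z mon01 OtherTool updates.example-vendor.test 443
"""

def load_baseline(text):
    """Map product -> list of (destination pattern, port) from the CSV."""
    baseline = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        baseline[row["product"]].append((row["destination"].lower(), int(row["port"])))
    return dict(baseline)

def destination_allowed(dest, port, allowed):
    """True on an exact host match, or a subdomain match for '*.' patterns."""
    for pattern, allowed_port in allowed:
        if port != allowed_port:
            continue
        if pattern.startswith("*.") and dest.endswith(pattern[1:]):
            return True
        if dest == pattern:
            return True
    return False

def find_deviations(baseline, log_text):
    """Return (timestamp, host, product, dest, port, reason) for out-of-baseline connections."""
    hits = []
    for line in log_text.splitlines():
        ts, host, product, dest, port = line.split()
        dest = dest.replace("[.]", ".").lower()   # undo defanging before comparing
        allowed = baseline.get(product)
        if allowed is None:
            hits.append((ts, host, product, dest, int(port), "no baseline published"))
        elif not destination_allowed(dest, int(port), allowed):
            hits.append((ts, host, product, dest, int(port), "destination not in baseline"))
    return hits
```

A product with no published baseline is reported too, since a missing entry is itself a gap the clearinghouse described below is meant to close.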

Government Initiatives and Private Sector Collaboration

The recent cyber executive order, alongside the imposed sanctions on Russia, clearly demonstrates the Biden administration’s commitment to a more assertive cybersecurity strategy.

The success of these initiatives will heavily rely on the collaborative partnerships the administration cultivates with private-sector technology providers.

Implementing federal standards for software product disclosures will enhance cybersecurity across the private sector and strengthen the overall resilience of the software supply chain.

  • Behavior transparency is crucial for early threat detection.
  • Public feedback mechanisms can accelerate the identification of malicious activity.
  • Government and private sector collaboration is essential for a robust cybersecurity posture.

Establishing clear standards for disclosures regarding software products will be a key component in bolstering defenses against future attacks.
