On Monday, January 13th, Brian Krebs reported that Microsoft would be releasing “a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component.” On Tuesday, Microsoft released a patch for “CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability.” The NSA published their own advisory “A Very Important Patch Tuesday” urging everyone to patch their systems as soon as possible. Neal Ziring, Technical Director for NSA Cybersecurity Directorate, wrote: “This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them.”
The Washington Post’s Ellen Nakashima reported: “NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponizing it.” Given the NSA’s proclivity to collect 0-days like they are regulars on the A&E TV show Hoarders, the reporting of this Elliptic Curve Cryptography vulnerability is significant. Still, it doesn’t mean that the NSA is going to stop weaponizing vulnerabilities in the future.
I’m not going to focus this blog on the vulnerability or the Windows 10 patch; you should, of course, apply it. Instead, I want to focus on Intelligence Gain/Loss (IGL) assessments and why you need to consider them for your organization (even if you aren’t a three-letter agency). If you don’t come from the United States Intelligence Community, you might not be familiar with the term. The Department of Defense’s Joint Publication 2-01.1 defines IGL assessments as “an evaluation of the quantity and quality of intelligence lost versus potential gain should a particular target be attacked.” Feel free to call and IGL a cost benefit analysis of a particular decision.
The NSA likely went through an IGL assessment before reporting this vulnerability to Microsoft. Here is an assessment of the costs and benefits of the NSA’s disclosure:
The offensive part of the NSA’s mission is to enable “computer network operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.” The NSA determined that they could still accomplish their mission objectives and disclose the vulnerability. This is important because it highlights that this ECC vulnerability is but one tool in a vast NSA toolbox of vulnerabilities and exploits.
An intelligence organization must have multiple tools to accomplish its mission objectives. If you lose one collection capability through your own volition (e.g.: notifying Microsoft) or because an adversary discovered it, you must have fallback options.
We routinely conduct IGL assessments here at Digital Shadows (now ReliaQuest). Our assessments are typically focused on the cybercriminal threat actors that we track. To accomplish our objectives or customer objectives (objectives = intelligence requirements), our “Closed Sources” team might need to burn one of our online aliases. We discuss the pros and cons of burning an online alias. What access will we lose? How long will it take to establish new access? It is much easier to burn an alias when you have multiple aliases (backed by multiple legends) on the same cybercriminal forum that you can fall back to.
At this point, you might be asking yourself, do IGL assessments apply to us? We aren’t the NSA, and we don’t run a team of intel analysts engaging with threat actors. Here is a scenario from my distant incident responder past that might resonate with you:
- Our team was monitoring a threat actor pivot across our internal network. (Not in a “crown jewels” zone)
- We had visibility into at least one of the custom tools the actor was using. We also had command and control indicators.
- We were eager to move to an eradication response phase, but we weren’t sure if we knew all of the following:
- hosts the attacker had compromised
- tools the attacker was using
- command and control (C2) infrastructure being used
- If we started remediation, we would tip off the attacker that we were aware of their activities, and they might move to tools and C2 that we were unaware of. We would be burning ourselves.
- For this particular incident, we continued our monitoring and collection for a few more days, gathered more intelligence, and then confidently eradicated the actor.
- We didn’t call our decision-making process an “Intel Gain/Loss Assessment”, but that is what we were doing.
When conducting investigations and implementing various response activities, you need to have a plan. It would be best if you thought through the implications of your various courses of action. The more collection (visibility) you have into your environment, the more options you will have. Options are critical for detecting and eradicating adversaries. An Intelligence Gain/Loss assessment can help you make sure that you choose the best option to accomplish your goal.
If you’re interested in learning more about threat intelligence, check out our deep dive, Threat Intelligence: A Deep Dive, or visit our resources center here.