China Getting Inside Our Vulnerability OODA Loop

  • September 17, 2020
  • Written by: Tim Sullivan

  • Analytics-Driven Mitigation Prioritization
  • Cloud Security Posture Management (CSPM)
  • Cloud Workload Protection Platform (CWPP)

This week, the Cybersecurity and Infrastructure Security Agency (CISA), a component of the Department of Homeland Security, released an advisory that threat actors from the Chinese Ministry of State Security (MSS) have been observed executing cyber operations against U.S. Federal Agencies. While this is nothing new, their tactics, techniques, and procedures (TTPs) are somewhat novel and demonstrate how easy it is to hack: simply exploit publicly known vulnerabilities and misconfigurations before the defenders are able to load their patches and fix their configurations.

China gets its information from the same public sources as the defenders – the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD). Combining this information with the Shodan search engine, which can be used to identify vulnerable devices connected to the Internet, CISA says “these information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.” I’ll say. They don’t even have to develop APT code to get in.

Many in cybersecurity know about the OODA Loop: Observe, Orient, Decide, Act. This process was developed by US Air Force fighter pilot and military strategist Colonel John Boyd and was originally applied to aerial dogfighting. Boyd observed in the Korean War that the Communists had better fighter jets – but we could defeat them with better pilots who trained to get through the OODA Loop faster. It’s clear from the CISA advisory that the Chinese OODA Loop for exploiting our vulnerabilities is faster than the OODA Loop of our defenders – “organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them.” CISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. In other words, speed up your patching OODA Loop. But how?

The great management expert Peter Drucker once wrote “efficiency is doing things right, effectiveness is doing the right things.” At Caveonix, we help our customers be both more efficient and more effective. We believe that all vulnerabilities with the same Common Vulnerability Scoring System (CVSS) rating are not created equal and do not represent the same risk to the enterprise. We believe in the NIST Risk Management Framework, which advocates the enhancement of a “raw” or “base score” by considering both system criticality and exploitability to develop an actionable “temporal score.” So, while we agree with CISA on the need to speed up your patching OODA Loop, we believe enhanced risk mitigation modeling is the key to making patch management more effective.

Better risk mitigation modeling would certainly have helped in the case of the Equifax hack. The vulnerability there, involving Apache Struts, was of exactly the type China is trying to exploit today. Apache Struts is a framework for developing Java-based web applications, running on both front-end and back-end web servers, and is relied on heavily by banks, government agencies, large Internet companies, and Fortune 500 companies. In March 2017, the NVD published a critical vulnerability in Apache Struts. As is usually the case, a patch was published at the same time. Within days, the bug was under mass attack by hackers who were exploiting the vulnerability to install rogue applications on web servers. The challenge for Equifax was that Apache Struts was running everywhere – so which servers did they need to patch first? How about the server connected to their Personally Identifiable Information (PII) that was also talking to the Internet? The Equifax OODA Loop for finding and patching that server was two months. Evidently, the hackers had a shorter OODA Loop, as they were able to steal PII on 143 million U.S. consumers.
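To make the “which server first” question concrete, here is an added example (not Caveonix’s code or its scoring model) that ranks a constructed set of findings by adjusting the CVSS base score for system criticality and exploitability, as the two paragraphs above describe; the multiplier weights, host names and CVE identifiers are assumptions.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    """One vulnerable host/CVE pair, as a vulnerability scanner would report it."""
    host: str
    cve: str
    base_score: float       # CVSS base score as published in the NVD
    internet_exposed: bool  # host is reachable from the Internet
    handles_pii: bool       # host stores or processes personal data
    known_exploited: bool   # public exploitation has been reported (e.g. in an advisory)

def criticality(f: Finding) -> float:
    """System criticality multiplier (assumed weights): an internal host with no
    sensitive data stays at 1.0; Internet exposure and PII each add 0.5."""
    return 1.0 + (0.5 if f.internet_exposed else 0.0) + (0.5 if f.handles_pii else 0.0)

def exploitability(f: Finding) -> float:
    """Exploitability multiplier (assumed weight): 1.5 once exploitation is public."""
    return 1.5 if f.known_exploited else 1.0

def risk_score(f: Finding) -> float:
    """Actionable score: the raw base score adjusted for criticality and exploitability."""
    return round(f.base_score * criticality(f) * exploitability(f), 2)

def patch_order(findings: List[Finding]) -> List[str]:
    """Hosts in the order they should be patched: highest adjusted risk first,
    ties broken by base score, then by host name for a stable result."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -f.base_score, f.host))
    return [f.host for f in ranked]

# Constructed sample (placeholder CVE ids): the same critical framework bug on three
# hosts that differ only in where they sit, plus an unrelated finding on an intranet host.
SAMPLE = [
    Finding("batch-02", "CVE-0000-00001", 10.0, False, True, True),
    Finding("dev-05", "CVE-0000-00001", 10.0, False, False, True),
    Finding("web-01", "CVE-0000-00001", 10.0, True, True, True),
    Finding("wiki-01", "CVE-0000-00002", 7.5, True, False, False),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.host:8} {f.cve:15} base={f.base_score:4} risk={risk_score(f)}")
```

Three hosts share an identical CVSS 10.0 finding, yet only the Internet-facing host that handles PII lands at the top of the patch order.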

Seeing how these attacks target widespread vulnerabilities makes risk mitigation modeling more critical than ever before. Caveonix Cloud Suite is architected with risk mitigation modeling to prioritize your patches and thus shorten your patch management OODA Loop.
