The Biden administration this spring announced an executive order designed to strengthen government cybersecurity defenses in the wake of several major recent hacks, including the SolarWinds, Microsoft Exchange Server and Pulse Secure incidents, which impacted numerous federal agencies and private companies. The order’s importance was underscored by the DarkSide ransomware attack on Colonial Pipeline just a few weeks later.
One key element of the cyber executive order is a “software bill of materials” (SBOM) that vendors would be required to provide as part of the federal procurement process. The SBOM would detail the exact software components utilized in a given product, including any open-source components, making it much easier and faster for federal agencies to determine whether they are subject to a vulnerability uncovered in one of these components.
The SBOM is an important step in shoring up federal cybersecurity, but it’s not enough. Understanding the software components included in various products will help agency security teams react more quickly when vulnerabilities come to light, but in other scenarios, like SolarWinds-style supply-chain attacks that surreptitiously insert software components, its impact is limited.
Establishing standards at the federal level for disclosures about software products will benefit cybersecurity in the private sector, as well as improve the overall security of the software supply chain.
That’s why the Biden administration should extend the cyber executive order to include not only an SBOM, but also “behavior transparency.”
Transparency requirements are not a new concept in technology. Certificate transparency (CT) is a public ledger of all certificates issued by any public certificate authority (CA) that provides a framework for monitoring and auditing CA activity, while Apple’s recently announced App Tracking Transparency allows users to see what activity apps are tracking and opt out. Behavior transparency is a proposed application of this concept to known software behaviors.
The purpose of a behavior transparency framework is to enumerate the expected actions of interest that a given piece of software will take on a device or on the network. This helps security analysts distinguish between expected noise and indications of compromise. This, in turn, can give security teams an advantage in identifying the exploitation of unknown vulnerabilities in any proprietary or open-source software.
The good news is that the enumeration of common software behaviors is already a standard industry practice for external network activity. Most major software vendors, including Meraki, McAfee, Tenable, LogMeIn/GoToMeeting, and my own company, ExtraHop, already publish lists of common product behaviors. Even SolarWinds has documentation describing its network behaviors.
But the Biden administration can help effect critical changes that improve upon this industry practice and improve the overall security posture for public and private organizations alike.
Establish standards for behavior transparency
First, the cyber executive order should form a working group in partnership with representative software and security software vendors, as well as organizations such as MITRE, to create standards for the types of network activity that must be included for full behavior transparency.
At a minimum, this should include things like external network destinations, internal network connection behavior with other software components, and, where applicable, a list of associated network ports and the purposes for which those ports are used. The behavior transparency framework should also include other network behavior, especially (but not limited to) anything that looks like scanning or reconnaissance behavior.
Make behavioral data available to common security tools
Second, the cyber executive order should mandate that known software behaviors be published in a machine-readable format such as JSON or CSV that could be ingested into common security products like security information and event management (SIEM), firewalls, endpoint protection platforms, network detection and response, and change management tools.
This is a crucial distinction from the current model, in which most behaviors are listed on a webpage or in a PDF that isn’t machine-readable. With this change, common security tools could use that machine-readable behavioral data to help build baselines for activity within an organization to more quickly and accurately detect deviations that indicate compromise. Meraki is already doing this by providing its list in CSV format.
Centralize access to behavioral information
Third, the cyber executive order should establish a clearinghouse for behavior transparency data, administered by the Cybersecurity and Infrastructure Security Agency or another appropriate federal agency. The status quo is to hunt around on a vendor’s website, consult their in-product documentation or open a support case to find out about network behavior. If the information provided is incorrect, that’s also a support case.
The current decentralized approach is deeply problematic. Unfettered network access for enterprise software products introduces substantial security risk — Zero Trust frameworks have been established to prevent precisely this — but typical practitioners do not have the time or expertise to individually track down the expected behaviors of each piece of enterprise software they have in the environment. Without centralized access to behavior transparency data, even the best Zero Trust implementations will have major gaps surrounding enterprise software.
A clearinghouse would provide a centralized repository for behavior transparency data, organized by company, product and product version. A forum like GitHub is an ideal mechanism for such a clearinghouse, providing a widely used, centralized repository for this information.
Streamline feedback between users and vendors
Fourth, the clearinghouse should include a mechanism by which product users can easily provide feedback to software vendors. Feedback can be in the form of issues or even pull requests, though the companies should be involved in approving changes. This way, deficiencies in the behaviors can be pointed out in a public forum. Most deficiencies will be for reasons like a product update that wasn’t reflected in the behavior transparency data, though as time goes on, companies will ideally make it a practice to make sure these are kept up to date. But there will also be true positives found.
Protecting the software supply chain with behavior transparency
The SolarWinds software supply chain attack, first disclosed in December 2020, illustrates and underscores the importance of behavior transparency. Prior to December 11, when FireEye first identified the vulnerability in the SolarWinds Orion software, at least two other cybersecurity companies, Palo Alto and Fidelis, identified that their SolarWinds installations communicating with the attacker-controlled “stage 1” avsvmcloud[.]com domain. Palo Alto observed and blocked additional malicious behavior, but at the time neither company determined that the communication with avsvmcloud[.]com itself was suspect. That’s due in large part to the notorious amount of “noise” involved in looking at network data.
But if more organizations had ready access to SolarWinds’ behavior transparency data, as well as a forum in which to compare deviations from the baseline, things might have played out differently.
SolarWinds Orion doesn’t reach out to a lot of external destinations, so when the first stage of the supply chain attack started hitting subdomains off of “appsync-api.eu-west-1.avsvmcloud[.]com,” an analyst on a threat hunt running a SIEM query, or a machine-learning-based EDR or NDR product armed with that information, might have more quickly determined that something was amiss.
Likewise, a low-friction public feedback mechanism could have tipped off SolarWinds and the industry that what seemed like noise in isolation (“appsync-api, seems legit?”) was actually something far more nefarious.
The cyber executive order, alongside the sanctions on Russia, are strong early indications that the Biden administration intends to take a far more proactive approach to cybersecurity. Critical to the success of these efforts will be the partnership the administration forges with private-sector technology providers. Establishing standards at the federal level for disclosures about software products will benefit cybersecurity in the private sector, as well as improve the overall security of the software supply chain.