July 12th, 2024

CISA broke into a US federal agency, and no one noticed for a full 5 months

CISA's red team exercise at a US federal agency exposed critical security flaws, including an unpatched vulnerability in Oracle Solaris. Delays in patching allowed a breach, emphasizing the need for improved security measures.

CISA conducted a red team exercise at an unnamed US federal agency, exposing critical security flaws that went undetected for five months. The exercise revealed initial access through an unpatched vulnerability in the agency's Oracle Solaris enclave, leading to a full compromise. Although CISA notified the agency of the issue, it took over two weeks to apply the patch, and in the meantime an unknown third party exploited the vulnerability. The exercise highlighted weaknesses in patching deadlines and password security, ultimately resulting in a full domain compromise with access to highly privileged systems. The agency's reliance on known indicators of compromise and its ineffective log collection were also noted. CISA emphasized the importance of defense-in-depth principles, network segmentation, and reducing reliance on known IOCs. The exercise underscored the need for agencies to enhance their security measures and address vulnerabilities promptly to prevent similar incidents.

14 comments
By @academia_hack - 3 months
Until the US federal government pays civilian tech talent competitively, this is always going to be an issue.

Your typical hands-on-keyboard blue team engineer in federal government is a GS-12 getting paid around $68,000 per year (or $99k in very high cost of living areas like DC). They have expensive health benefits, 13 days of PTO a year, put a huge chunk of their paycheck (almost 5%) into a mandatory pension plan that consistently underperforms the market, and can literally go to jail for making mistakes at work depending on the statutory context they work in.

The best people in these jobs burn out fast and quit or they end up having to abandon IC work for GS-14/15 jobs (max pay is around $190 for those) in order to keep up with cost-of-living and justify their careers.

As a result, you have almost zero genuinely capable principal/senior engineers in government who have the authority to architect complex IT systems for security. Instead you get contractors who charge the taxpayers enormous overhead costs and cut corners wherever possible.

If there's one letter to write your congress person to improve government - my vote would be for civil service reform to attract and retain actual top tech talent. They've done it for doctors and lawyers (both of whom can get paid well above the $190k GS pay ceiling), but engineering is still not treated as a comparably skilled professional trade.

By @sybercecurity - 3 months
The only reason they noticed is because they were told, so it really should have been "..and no one noticed."
By @jmclnx - 3 months
Nice they are doing their job and glad they exist.

But how to fix? Most US Gov agencies are underfunded, it is either beef up security or provide services. Really a tough choice, and the outlook looks like they may lose even more funding.

By @breck - 3 months
I loved security training at Microsoft.

I remember one time Satya said the red teams reported to him which Microsoft services they were currently in. He would then ask the heads of those services if they had detected any breaches. Sometimes there would be services that had been breached for years, undetected. Must have been hard for Satya to keep a straight face.

One phrase that stuck with me from their security training: "Assume Breach".

By @BrandoElFollito - 3 months
I work with a security officer who joined our company after a career in the DoD and other similar places, always in computer security.

He is so incompetent that I initially thought that we have communication problems (I am French). But no - he simply has absolutely no idea about cybersecurity and the teams he "oversees" from that perspective are losing their minds.

I had no idea that you could work for years in such sensitive US environments and have completely no knowledge.

He is good at saying generalities, though, with complicated words.

By @mrpippy - 3 months
The exploited vulnerability (CVE-2022-21587) is some Oracle E-Business web thing, nothing Solaris-specific like it sounded from the article.
By @clwg - 3 months
I'm not a huge fan of how red teaming is generally conducted. It's sometimes necessary, but the CISA report seems to indicate that the organization wasn't responding to their requests the way they wanted, leading to a communication breakdown right from the start. The vulnerability was patched and the red team's initial compromise was contained, so they targeted them with phishing, owned their domain controllers, then maintained access for months while pivoting to partner organizations, then published a public report.

It's hard to establish constructive dialogue after that, a lot of bad feelings and burnt bridges - and sometimes HR. It's tough because there's generally a lot of dynamics at play, but I'm sure the impact of this testing was felt by people within the targeted org.

By @shalmanese - 3 months
"It said real adversaries may have instead used prolonged password-praying attacks rather than phishing at this stage"

Did the author mistype Password-Spraying or is there a separate type of attack known as Password-Praying? Googling doesn't reveal any other hits on this term.
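On the password-spraying term in the comment above, and the summary's point that the agency's log collection was ineffective, here is an added detection example that is not from the article, the CISA report or any commenter: it groups failed logins by source and flags sources that touched many distinct accounts in a short window, the pattern that per-account lockout counters never see. The sshd-style log format, IP addresses and usernames are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd-style auth lines for the demo (not taken from the CISA report).
SAMPLE_LOG = """\
2024-01-10T09:00:01 Failed password for alice from 203.0.113.7
2024-01-10T09:00:03 Failed password for bob from 203.0.113.7
2024-01-10T09:00:05 Failed password for carol from 203.0.113.7
2024-01-10T09:00:07 Failed password for dave from 203.0.113.7
2024-01-10T09:00:09 Accepted password for dave from 203.0.113.7
2024-01-10T09:05:00 Failed password for frank from 198.51.100.9
2024-01-10T09:05:02 Failed password for frank from 198.51.100.9
2024-01-10T11:00:00 Failed password for alice from 192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log_text):
    """Return (timestamp, outcome, user, source_ip) tuples, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, ip))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """Map source IP -> sorted accounts for sources whose failures hit at least min_users
    distinct accounts within one sliding window (many accounts, few guesses each)."""
    fails = defaultdict(list)
    for ts, outcome, user, ip in sorted(events):
        if outcome == "Failed":
            fails[ip].append((ts, user))
    hits = {}
    for ip, attempts in fails.items():
        best, start = set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1            # slide the window forward
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[ip] = sorted(best)
    return hits

def successes_after_spray(events, hits):
    """Accounts a spraying source subsequently logged into: the alerts to triage first."""
    return sorted({u for _, o, u, ip in events if o == "Accepted" and ip in hits})
```

The single-account source (198.51.100.9) is deliberately not flagged: that is brute force against one user, which lockout thresholds already catch, whereas the spray from 203.0.113.7 only becomes visible when failures are aggregated by source rather than by account.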

By @asynchronous - 3 months
I really really want to root for CISA, but just a few months ago they leaked a trove of critical infrastructure documents that they had collected from partners, that if they hadn’t collected wouldn’t be in the wrong hands currently.
By @treflop - 3 months
I don’t see how this is that newsworthy.

There are many federal agencies. One of them will fuck up.

Same with private companies.

If you have 100 people doing the same thing, at least one of them is going to fuck it up.

By @cafard - 3 months
Long ago I worked on a government contract at a civil agency, which ran WordPerfect Office on DG minis. The main contractor won a contract with another division in that agency, setting up a slightly spiffier version. Somebody at the COTR's office at the other division encouraged or perhaps dared us to break in. It took about two hours. We let them know at once, but I think that with a bit of discretion we could have maintained our presence for a long time.
By @snickerbockers - 3 months
Who on earth is still using solaris in this 2024th year of our Lord Jesus Christ!?!?!? I legitimately thought it had been EOL'd at least half a decade ago, guess I was wrong about that.