
Berulis described some shortcomings in the NLRB's ability to detect attacks.
"During one of these meetings, it was confirmed that our team did not have the technical capability to detect or respond in real time to internal threat actors, and that we likely did not have the ability to obtain more details about the past events," he wrote.
The department subsequently "shifted budget to allow for better tooling going forward," which "has vastly improved our detection and logging so we can provide more concrete evidence if covert exfiltration occurs by an insider threat again," Berulis wrote.
"We also shut down a public endpoint and corrected rogue policies that had been altered to allow much broader traffic in/out of our network."

On March 10, Berulis found that controls in Microsoft Purview to prevent insecure or unauthorized access from mobile devices had been disabled, he wrote.
"In addition, outside of expected baselines and with no corresponding approvals or records I could find I noted the following: an interface exposed to the public Internet, a few internal alerting and monitoring systems in the off state, and multi-factor authentication changed," he wrote.

The team observed more odd activity in the ensuing weeks, Berulis wrote.
Data was sent to "an unknown external endpoint," but the network team was unable to obtain connection logs or determine what data was removed, he wrote.
There were also "spikes in billing in Mission Systems related to storage input/output" associated with projects that could no longer be found in the NLRB system, indicating that "resources may have been deleted or short-lived," he wrote.

During the week of March 24, an assistant CIO for security at the NLRB "concluded that following a review of data, we should report it" to US-CERT, the US Computer Emergency Readiness Team at the Cybersecurity and Infrastructure Security Agency (CISA), according to Berulis.

"Accordingly, we launched a formal review and I provided all evidence of what we deemed to be a serious, ongoing security breach or potentially illegal removal of personally identifiable information," he wrote.

But on April 3 or 4, the assistant CIO "and I were informed that instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report," Berulis wrote.