Last Wednesday, CISA issued an emergency directive, ED 24-01, that perfectly encapsulates the accelerating growth of the federal attack surface. Agencies were given 48 hours (until February 2nd at 11:59 PM) to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solutions from government networks due to zero-day flaws and exploits.
By noon on February 5th, agencies must report to CISA on the status of removing the affected Ivanti products and provide details on the remediation actions the directive also requires:
- Continue threat-hunting on any systems connected to—or recently connected to—the affected Ivanti device.
- Monitor the authentication or identity management services that could be exposed.
- Revoke and reissue any connected or exposed certificates, keys, and passwords.
- Isolate the systems from any enterprise resources to the greatest degree possible.
- Continue to audit privilege-level access accounts.
The Government understands how important foundational cybersecurity practices like inventory and vulnerability management are to maintaining secure and resilient networks. Through binding operational directives such as BOD 23-01 and BOD 23-02, CISA has made maturing asset visibility and vulnerability mitigation priorities for all federal agencies. This emergency directive underscores their commitment to risk-based approaches, and the 48-hour deadline underscores the impact of this actively exploited vulnerability. Armis Labs has been tracking and continues to track this and other developing threats, and we are already providing additional resources that align with the threat-hunting requirements recommended by the emergency Ivanti directive.
Armis was able to proactively start addressing this vulnerability in part because of the Armis Asset Intelligence Engine, a collective AI-powered knowledge base that monitors billions of assets worldwide. It is critical in empowering agencies and other organizations to proactively identify cyber risk patterns and behaviors across their entire environment. It feeds the Armis Centrix™ platform with actionable intelligence to detect and address real-time threats across an agency’s entire attack surface.
In today’s interconnected world, supporting a mission means managing IT risk. Zero-day exploits and emergency directives are an unfortunate part of delivering services for federal agencies. Having a complete understanding of what assets are on your network and how they support your mission can turn a fire alarm into a managed exercise. Armis Centrix™ helps agencies obtain and maintain this awareness across the range of technologies on federal networks such as IT, OT, IoT, IoMT, and more. These assets can be managed or unmanaged. Unmanaged assets, such as security cameras and HVAC systems, have Internet connectivity and operate on agency networks but do not have a managed security agent.
These unmanaged assets also have unique profiles and behaviors that need to be monitored in real-time in order to manage vulnerabilities and limit fragile dependencies. As mentioned above, recent Federal BODs have begun to address this issue, while OMB’s most recent memorandum M-24-04 accelerates the path toward having more complete visibility and situational awareness.
Given the expanding attack surface created by the explosion of unmanaged assets on federal networks, security teams must gain complete, 100 percent visibility into all kinds of assets. And visibility isn’t enough – you need real-time, deep situational awareness, which includes asset make, model, operating system, patch level, baseline behaviors, and much more. The Ivanti exploits are prime examples of how important it is to have a comprehensive inventory of assets within your environment and how critical it is to know how each asset behaves. With both those pieces in place, agencies can take corrective action and stop “chasing the train.”
Some agencies are still working towards the visibility and the asset intelligence required to meet the threat-hunting requirements of the Ivanti directive. However, any agency could suffer a breach at any time. In fact, in 2023 there were more than 28,000 vulnerabilities published in the National Vulnerability Database. Each passing year brings weaponized attacks on our government’s IT networks and critical infrastructure from those who wish our country ill. We recently released a 2023 Attack Landscape report that shows cybersecurity attacks more than doubled globally last year.
Armis is here to help. We’ve made it our mission to help government agencies achieve one hundred percent visibility into assets and their network behaviors, which are now baseline requirements for effective cybersecurity. Contact us now for a no-risk evaluation of your environment, as having a strong baseline will put your security teams in a less reactive and more forward-leaning security posture. Also, you won’t want to miss our webinar, “6 Steps to fixing your Ivanti Vulnerabilities”. Make sure to register today!
To learn more about Armis Centrix™, please visit: https://www.armis.com/platform/armis-centrix/
For additional information about the Armis Asset Intelligence Engine, go to: https://www.armis.com/platform/armis-asset-intelligence-engine/