The cybersphere has been abuzz since December 13, when network management software firm SolarWinds acknowledged that malware had been inserted into a service that provides software updates for its Orion platform.
This large-scale breach may have led to the compromise of nearly 18,000 of SolarWinds’ customers – customers that include Fortune 500 firms and many top US federal government agencies, such as the US Treasury and Departments of Commerce and Homeland Security.
What can we learn from this unbelievable story, which many are calling the Pearl Harbor of U.S. cyber security? Here are 7 insights about where we go from here.
1. For Better Risk Mitigation, Focus on Response
This latest campaign is a reminder that every target can be compromised.
There has always been an assumption that the perfect defense exists, i.e., that such a thing is achievable – but in reality, it has never existed. We’ve now seen that multiple high-value US government targets can be compromised. It is possible.
This makes one thing very clear: The focus of cyber security efforts should not be exclusively on prevention. Because prevention only goes so far. In today’s era of sophisticated supply chain attacks and ever-more-complex hacking strategies, cyber security should be more focused on rapid detection and response.
2. Visibility is Key to Protecting Key Assets
Companies and organizations can learn from this attack and re-think their cyber security strategies, attempting to locate blind spots and map out all of the entrances and exits to their networks.
Proper detection may require deployment of additional security layers to cover areas where visibility is lacking. In addition, training and investment in experts who have experience dealing with nation-state cyber attacks are essential to implementing a cyber defense strategy successfully.
3. Our Future Cyber Safety Depends on Collaboration and Knowledge Sharing
The SolarWinds-SUNBURST attack involved an elaborate strategy that granted access by means of an update coming from a trusted, signed third-party software vendor. This type of update is a standard process that usually takes place weekly.
In order to harden our defenses, it is essential that we learn from each other and share information. It is important to invest in organizing more effectively, creating the frameworks necessary to make collaboration really happen. While Financial Services Information Sharing and Analysis Centers (ISACs) already exist, we need to go much further than that, and develop formal information-sharing collectives where participants can, for example, exchange real-time data and response plans.
4. MITRE ATT&CK Supports Effective Threat Detection
We can expect to see cyber security companies offering more advanced services, leveraging cyber frameworks such as the MITRE ATT&CK framework.
The MITRE ATT&CK framework applies a new way of thinking that can provide improved visibility into an organization’s vulnerabilities. It is an effective means of supporting organizational efforts to develop highly targeted protection against cyber attack.
5. Cyber Security Should Be Proactive, Not Reactive
This may seem obvious, but we all need to hunker down and follow best practices with regard to security monitoring and data hygiene. Some quick and basic pointers for improving an organization’s cyber readiness include:
- Conduct annual audits using penetration testing/red teaming exercises
- Implement Threat Hunting as a proactive measure
- Review your current and future security deployments
- Share and consume trend threat feeds
- Focus on detecting changes in behavior rather than on static data
6. Supply Chain Attacks are Rare and Are Incredibly Hard to Detect
The SolarWinds-SUNBURST attack was conducted by a sophisticated nation-state attacker who got hold of advanced hacking “Red Team” tools belonging to the cyber security company FireEye.
But the attacker did not publish this information in the wild in order to get recognition, as hackers tend to do. Instead, the hacker used these tools to conduct a broad campaign and gain access to highly sensitive information.
It was only after FireEye identified the intrusion made through SolarWinds’ Orion software that they were able to uncover this campaign.
7. It’s Not Over Yet! The SolarWinds Attack is Ongoing
While this attack has already sent shockwaves through the cyber community, we cannot be sure that the final wave has already come. Security researchers are still in the investigation phase and are assessing the full extent of the damage.
At CyberProof, we strongly recommend implementing the relevant Indicators of Compromise (IOCs) to determine whether your organization has been infected, and to block forbidden access and other activities.