The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) says the 2020 SolarWinds supply chain cybersecurity compromise could have been prevented with a decade-old security recommendation.
In a letter to Senator Ron Wyden, CISA says a firewall blocking all outgoing connections to the internet would have neutralized the SolarWinds malware. "While CISA did observe victim networks with this configuration that successfully blocked connection attempts and had no follow-on exploitation, the effectiveness of this preventative measure is not applicable to all types of intrusions and may not be feasible given operational requirements for some agencies," Brandon Wales, Acting Director, says.
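As an added example, not code from the article or from CISA, here is the kind of check a defender can run once outbound connections are default-deny: counting repeated blocked egress attempts from internal hosts to external addresses in firewall logs, since the letter notes that networks with this configuration saw blocked connection attempts with no follow-on exploitation. The netfilter-style log format, the `EGRESS-` rule prefix, the internal address ranges and the sample log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Address space this (constructed) network treats as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: Linux netfilter fields after a rule log-prefix (constructed).
LINE_RE = re.compile(
    r"EGRESS-(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

# Constructed sample lines: one host retrying the same external 443 endpoint,
# one allowed connection, one single drop, one internal-to-internal drop.
SAMPLE_LOGS = """\
Dec 14 03:12:01 fw1 kernel: EGRESS-DROP IN=lan OUT=wan SRC=10.20.5.17 DST=203.0.113.45 PROTO=TCP DPT=443
Dec 14 03:12:31 fw1 kernel: EGRESS-DROP IN=lan OUT=wan SRC=10.20.5.17 DST=203.0.113.45 PROTO=TCP DPT=443
Dec 14 03:13:02 fw1 kernel: EGRESS-DROP IN=lan OUT=wan SRC=10.20.5.17 DST=203.0.113.45 PROTO=TCP DPT=443
Dec 14 03:13:05 fw1 kernel: EGRESS-ACCEPT IN=lan OUT=wan SRC=10.20.5.40 DST=198.51.100.10 PROTO=TCP DPT=443
Dec 14 03:13:40 fw1 kernel: EGRESS-DROP IN=lan OUT=wan SRC=10.20.5.22 DST=198.51.100.77 PROTO=TCP DPT=8443
Dec 14 03:14:00 fw1 kernel: EGRESS-DROP IN=lan OUT=lan SRC=10.20.5.17 DST=10.20.9.2 PROTO=TCP DPT=445
"""


def is_external(addr: str) -> bool:
    """True when addr lies outside every configured internal network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def blocked_egress_attempts(log_text: str, min_attempts: int = 3) -> dict:
    """Count egress DROPs from internal sources to external destinations.

    Returns {(src, dst, dport): count} for tuples seen at least min_attempts
    times, i.e. internal hosts that keep retrying a blocked outbound connection.
    Internal-to-internal drops and accepted flows are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "DROP":
            continue
        if is_external(m["src"]) or not is_external(m["dst"]):
            continue
        counts[(m["src"], m["dst"], int(m["dpt"]))] += 1
    return {k: v for k, v in counts.items() if v >= min_attempts}


if __name__ == "__main__":
    for (src, dst, dport), n in blocked_egress_attempts(SAMPLE_LOGS).items():
        print(f"{src} -> {dst}:{dport} blocked {n} times; inspect host {src}")
```

A host that repeatedly hits the same denied external endpoint is a lead to investigate, not proof of compromise; cross-check it against the approved egress list before escalating.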
Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company, explains, "While the lack of simple cyber hygiene can often be blamed for a crucial stage of an attack succeeding, hindsight is almost always 20/20. The sprawl of individual firewall policies required at the network perimeter – imagine a custom policy for each server in the network – requires a substantial investment in human and technical capital to create and maintain. Such an investment needs to be considered in the context of the overall investments in cybersecurity that an organization makes, and CISA’s response makes this point clear. So sure – lock down your internet-facing firewall policies, implement better network segmentation and, most importantly, move your detection and response capabilities to the interior of the network where most of the actions performed by attackers are actually visible and more difficult to hide."
This acknowledgement from CISA highlights how basic digital security measures can help mitigate the impact of similar security breaches. Erkang Zheng, Founder and CEO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, explains that this surfaces two key things in cybersecurity operations.
He says, "First, keep it simple. Don't overinvest in the fancy next-gen tech hyped up by marketing buzzwords. Focus on the basics like understanding your cyber assets, users, and vendors. Second, it's easy to look back after a breach and see what should've been done. It's 'what you don't know' while everything's working just fine that is tricky. Every organization needs more visibility, more context, more 'knowledge', more executive support before [chaos ensues]."
According to Wales, "CISA estimates a much smaller number were compromised when the threat actor activated the malicious backdoor they had installed in the SolarWinds product and moved into the exposed network. Once inside the network, the actor was able to use their privileged access to abuse the authentication mechanisms – the systems that control trust and manage identities – ultimately allowing them to access and exfiltrate email and other data from compromised networks and Microsoft Office 365 cloud environments."
Threat actors are constantly finding ways to stay a step ahead of even the most advanced defense systems, says Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions.
"Not only are their tactics constantly evolving, but advanced persistent threat (APT) and other cybercrime groups are becoming more organized in how they carry out their attacks. Advanced cyberattacks are no longer reserved for nation-state actors. Advanced phishing campaigns and ransomware attacks are offered up on the Dark Web as ready-made kits that can be purchased for a fairly cheap price," Schless says.
He suggests that in order to keep up with this rapidly evolving threat landscape, every security team needs to be thinking about what’s next.
"This applies to anyone from the Federal government down to small and medium businesses," Schless adds. "What may be noted as simple cyber hygiene now may have been considered advanced at the time older security systems were implemented. In just the last couple of years, the devices and software we use to be productive have evolved at highly accelerated rates. In modernizing security infrastructure, organizations are able to pull every device in their endpoint ecosystem into their threat hunting and endpoint detection and response (EDR) workflows. Visibility into everything from mobile devices all the way up to cloud and on-prem infrastructure enables security teams to understand the relationship between users, their devices, the data they access, and the potential risk posed to the greater organization."