In December 2020, it became apparent that SolarWinds, a major US information technology firm, had been the subject of a cyber attack that spread to its clients. The attack went undetected for months and it has had a huge impact across the entire technology ecosystem as it continues to unfold.
Nasser Bostan, head of security sales: Middle East and Africa at BT, shares BT’s insights gleaned from the SolarWinds incident, and recommendations for organisations to step up their cybersecurity strategies
One immediate effect is that the whole security community is now questioning some of its fundamental practices and assumptions around how to implement a successful security environment. The attack is forcing a rethink of how to assess and manage supplier risk.
All security professionals know that you’re only ever as strong as the weakest link in your defences. And to complicate the matter further, most organisations don’t grow organically over time. They grow through a series of mergers, acquisitions and divestments which each play a part in changing their IT landscape. As their infrastructure evolves, it becomes a mixture of new, established and legacy systems from a range of different suppliers.
Despite this, users expect IT to be frictionless, leading many organisations to become increasingly borderless. In this complex, blurred environment, finding ‘bad’ – or even sub-optimal – elements can be challenging.
In BT’s recent whitepaper, Assume breach: Managing a dirty network, we make six recommendations for how organisations can achieve ‘assume breach’, based on policies and solutions we’re following ourselves.
* Know the personas on your estate (identity) – The complexity of managing and understanding personas and identities leaves many organisations blind to the activity of an attacker. In this context, identity and access mechanisms that give you visibility and control of your estate are hugely valuable. Since identity is one of the areas of compromise frequently implicated in high profile and impactful breaches, a firm understanding of the roles and users in your organisation, coupled with high confidence audit, reporting and alerting, is critically important.
* Understand your assets – It comes back to the old adage: If you don’t know what you have, how can you protect it? But understanding what and where your assets are is only one part of the problem. You also need to rigorously assess your asset life cycle strategy. The asset lifecycle is perhaps one of the most difficult aspects of successfully managing IT infrastructure, and it gets more difficult as you move to the cloud, and more corporate assets fall outside your traditional network perimeter. However, if you fail to identify affected versions, they can delay the remediation and patching process, even after fixes are made available, worsening the risks and impacts.
* Prioritise modern endpoint (EDR) tooling – Endpoint Detection and Response (EDR) solutions bring together next-generation antivirus with threat hunting and threat intelligence on the endpoint device, constantly analysing events to identify malicious behaviour. Although an EDR solution gives excellent visibility of adversary behaviour as it occurs, organisations often need prior understanding of this behaviour to detect and prevent it effectively. When this information isn’t available, and prevention and detection fail silently, many EDR solutions monitor and record the chain of execution of activities occurring on the endpoint. This enables SOC teams to look back and verify where the attack happened.
* Make it difficult to move between zones and workloads – Organisations must adopt a Zero Trust model that’s secure by default, and only allows traffic to flow between applications that have been positively verified against policy. This will reduce the opportunity for malware or threat actors to move between network zones, servers or workloads, providing crucial protections during many cyber incidents. Creating boundaries between different zones of your network, using network segmentation and application micro-segmentation can make it more difficult for an attacker to move laterally around your infrastructure.
* Take a systemic approach to detecting threats – Organisations invest in threat detection capabilities such as Security Information and Event Management (SIEM) to make sure they can detect compromises within their estate quickly. To fine-tune your detection, the SOC team operating the SIEM needs to adopt a systematic approach. They need a good understanding of threat actor behaviour and should work closely with their counterparts in threat intelligence to identify the behaviour of known actor groups and map this knowledge to a common classification structure.
* Be curious – The most inquisitive and engaged people in the organisation are the analysts you have defending your estate. So, allow them to focus on using their natural talents to maximum effect by managing their workloads and automating volume activity where possible. Burdening them with repetitive or routine tasks might produce a steady flow of outputs, but it isn’t the most effective use of their time or skills. Consider automating or offloading such items to trusted providers, so your analysts can better spend their time searching things out. Pulling on loose threads takes time, but ultimately, it improves your security baseline and might just uncover the thing no-one was looking for.
Cyber attackers and criminals will never stop trying to invent new ways of gaining a return on their investments. If you can make it expensive, difficult and time-consuming for them to achieve their goal, it will limit the range and motivation of cyber attackers targeting your organisation.