Preventing The Next SolarWinds Attack Requires A Different Approach
By Jim Cook, ANZ Regional Director, Attivo Networks.
When the global SolarWinds cyberattack came to light earlier this year, it sparked grave concerns across private and public-sector organisations. If attackers could use software from a trusted vendor to breach defences, how could security ever be guaranteed again?
In the wake of the attack, both governments and businesses remain focused on hygiene, information sharing, and the like. However, while these are critical, they are not enough to stop a future major breach.
Attackers mounted the SolarWinds breach via a trusted vendor, meaning that even the most diligent cyber hygiene and immediate patching would not have prevented it from occurring. Also, while information sharing is important, it would not have worked in this case as it took some nine months to detect the attack.
Fortunately, the SolarWinds breach occurred at a time when data security is receiving increased attention. In the United States, a new federal Internet of Things cybersecurity bill recently passed into law. Other governments are considering similar moves, giving hope that the SolarWinds breach might finally prompt the right legislative action on a global basis.
Beyond information sharing
For the information-sharing aspect of cybersecurity to be truly effective, several things must happen. The first is to improve current methods because even well-coordinated information sharing won’t be useful without more effective detection and instrumentation to go along with it. Ultimately, organisations cannot share information about something they haven’t detected.
Unfortunately, information sharing includes indicators of compromise (IoCs). These might consist of hashes of files, IPs, and domains of command-and-control systems. While this provides some value, defenders also need data on tactics, techniques, and procedures (TTPs) to help them respond better to attacks as they occur.
Some advisory bodies, such as MITRE, provide helpful guidance in this area, but organisations need more timely data. Without better detection, information sharing will continue to be limited to sharing the aftereffects of an attack rather than its causes.
The need for better detection
Any legislative changes that come about due to the SolarWinds breach must focus on requiring enterprises to adopt recommendations made by bodies such as NIST and MITRE, which are increasingly seeing the value of in-network detection tools. Indeed, recent NIST recommendations have focused on building long-term resilience to attacks and continuously looking for lateral movement and privilege escalation activity.
Meanwhile, MITRE has released MITRE Shield, which is a complement to its highly regarded MITRE ATT&CK matrix. ATT&CK looks at TTPs and shows how attackers break in, what they do, and what tools they use, while Shield looks at those TTPs and focuses on building an active defence structure to combat them.
The SolarWinds attack demonstrates why organisations can no longer inherently trust software providers or third-party tools. Instead, they must adopt an ‘assumed breach’ security posture and more effective detection tools to enable it.
Patching vulnerabilities as they arise is important. However, recommendations like those MITRE and NIST provide can help enterprises stay on top of network security more proactively by cleaning up the network environment, locating exposed credentials, identifying potential attack paths, and identifying lateral movement.
Without improved detection capabilities, attackers will simply find another way into the network. Furthermore, even the most effective firewalls and perimeter tools will never stop 100% of attacks, making detection tools at all levels of the network more critical than ever.
Detection enables better information sharing, including the ability to share TTPs in near-real-time, helping organisations stop attacks more quickly and effectively. This ability ensures that information sharing becomes an incredibly valuable tool rather than something only useful after the fact.
No silver bullets
Although there is no silver bullet that will stop the next SolarWinds attack, governments have an opportunity to prompt change. Current implementations and discussions about expanding information sharing have gone part of the way, but some tools can fully realise information sharing’s enormous potential.
Organisations must adopt the guidelines issued by advisory bodies such as NIST and MITRE, while governments must create meaningful regulations that incentivise organisations to institute more effective detection capabilities.
In the future, organisations of all sizes need to shift from attack response and recovery to attack detection and faster mitigation. By doing this, they can significantly reduce the likelihood of another SolarWinds attack.