As an enterprise compliance company with a specialty in cyber security, many of our customers, friends, and family are asking us: what was different about this cyber attack and was it really that bad? We heard these questions enough that we thought we would share our high level thoughts to help people understand what happened and to better prepare for the future. Before we get started, a few caveats:
- As former national security officials, there are a lot of details we can't share with the public from our past
- As current commercial executives, we no longer get classified briefs with sensitive details
That being said, there are some general things we can share that we hope help our customers to better understand what happened and what they might do about it. WARNING: you are about to enter the Matrix, once you know the truth, you can no longer ignore it.
First, from a practitioner's perspective, this was the Picasso of cyber attacks. Devastating in its technique and sophistication while being virtually unstoppable. The attack instantly made the world a more dangerous place as it undermines nearly every mechanism put in place to stop such attacks. As a good friend of mine recently said, "if you don't feel compelled to respect, and at time's even admire your enemy, then you don't have a worthy adversary."
What made this attack so beautiful?
- Write once use many - by infecting malware into the supply chain of a major monitoring tool used by over 18k US customers, they were able to cost effectively hit nearly major target on their list. This approach fundamentally changes the economics of cyber attacks in favor of the adversary.
- By infecting a trusted tool used to monitor the network and infrastructure, it undermines trust in the tools you normally use to conduct your operations. While we all know about the Solarwinds attack, the scarier part is what can you now trust if the supply chain of the tools you use has been compromised. How much more malware exists in other tools to perform similar attacks?
- The attack was nearly undetectable bypassing traditional flags with foreign IPs, malware signatures, etc. The only mistake made by the adversary was targeting FireEye where their sophistication allowed them to detect the attack and share the bad news with others. Virtually nobody else on the planet would have detected this attack.
- Because they were able to stay undetected for so long, we will never know the full extent of the attack. Most organizations do not keep logs that long. Due to the sheer breadth of the attack, it is doubtful we have enough cyber forensic capability to look into every organization that was exploited.
The truth of the matter is that this was a near perfectly executed knock out blow. We were unprepared for it, didn't see it coming, and few ever thought this kind of scale could be pulled off. Like other major attacks before it, it forces you to rethink what you know and to plot a different course of action for the future. The fundamental question is: now that we have been knocked down and have picked ourselves back up, what are we going to do about it?
At C2 Labs, we are investing heavily in R&D to combat this type of attack and have some unique insights into how organizations should strategically approach their response. In the short term, here are a few key takeaways on what you can do now to limit your risk:
- Turn off internet connectivity to the extent possible from your servers. If they can't dial out, it is harder to exfiltrate data.
- Leverage machine learning network-based tools to look for anomalies in traffic - Is this server talking to a new external IP it has never talked to before? If so, look into why.
- Invest in Incident Response (IR). You really can't stop an adversary from getting in. What you can do is put up defense in depth and use your IR capabilities to improve detection time.
- Leverage centralized patching services such as Red Hat Satellite, Microsoft System Center Configuration Manager (SCCM), or other tools to get patches locally versus allowing outbound internet connections for servers.
- Go to the Cloud - they have better telemetry and are more likely to help most organizations (especially small and mid-tier) detect security anomalies than a typical on-premise monitoring solution
- Next Generation - if you aren't already, look into Zero Trust Architectures and Multi-Factor Authentication to add increased barriers to lateral movement and privilege escalation
While the above actions are things you can do in the short-term, C2 Labs is focused on developing products that can change the game in the mid to long-term. With our Atlasity product, we are building a platform to enable:
- Continuous Assessment - knowing your security controls are effectively implemented without expensive and manual assessment processes that are at best lagging indicators
- 3rd Party Risk - we are using Artificial Intelligence (AI) and Machine Learning (ML) tools to scour the internet for supply chain risk/threats and to manage performance tests and assessment processes to better under the risk from using 3rd party vendors
- Threat Based Risk Modeling - we provide tooling to react to new threats in real-time, assess your vulnerabilities to that threat, calculate your risk, and take mitigating actions
This isn't a time to sit on your hands and pretend the problem isn't happening or to take knee-jerk reactions to just show you are doing something. It also isn't a time to throw a temper tantrum about the problem, give up, or to spread fear that slows down progress. C2 Labs believes it is time to invest in technologies that give us a better fighting chance, that leverage next generation AI/ML to do what is impossible today, and to make compliance and risk management processes continuous and real-time. It is time to be part of the solution and not just to whine about the problem.
If you are interested in joining us on our journey towards continuous compliance, Contact Us today to get access to our closed BETA to find out how our Atlasity product can help you minimize risk and fight back. We are looking for innovative customers who can demonstrate the art of the possible and help advance the state of the practice in cyber security and compliance for all of us.
Stay safe, patch, fight back, and Contact Us today to get started.
Comments