Earlier this month news broke of a massive data breach impacting software provider, Citrix. Reportedly, the organization was completely unaware of the compromise until the FBI informed them that up to 10TB of data had been stolen. We still don't know what data was accessed but with a whole host of Fortune 500 and government organizations, among their customers - the ramifications are likely to be painful for the organization.
The FBI believe nation state attackers used a tactic called 'password spraying', a method which uses a list of common passwords to access the network. This particular Iranian-linked group known as IRIDIUM has also hit more than 200 government agencies, oil and gas firms and technology companies and intelligence does suggest a specific interest in data pertaining to FBI contracts. This is an example of how attackers are seeking access to desired targets via suppliers, vendors, and partnerships and we have seen this pattern before and vendor security assessments are increasing in bids for this reason...we are all connected.
The bottom line is this – even the best get breached. It doesn’t matter how prepared your organization is, or how secure your supply-chain is, persistent attackers will get inside your network because identities and access are the new perimeter. The end user is the weakest link and whether it’s an unwitting intern, a seriously sophisticated phishing email or a malicious insider – we can never truly have all bases covered.
So then, following this sobering reminder of our vulnerabilities, what can we truly learn from this breach and others like it? I personally think it’s critical that organizations change their mindset. By all means, invest in preventative measures, but never neglect detection capabilities. I’m pretty sure the Louvre monitors their perimeter, but without a shadow of a doubt, they’ll have sensors and alarms triggered if the Mona Lisa is moved. In security, enterprises need the same approach.
Would you know if someone was accessing data and assets that they shouldn’t be? For many organizations, the answer is no. With today’s sophisticated breaches, enterprises need smart alarm systems that indicate a trespasser – Deception technology.
There are a number of Deception offerings on the market today offering varying capabilities and approaches, but fundamentally, deception defenses provide fake identities, data, and activity lures that guide intruders to decoys rather than real assets. It’s these touch points that detect and alert to insider attacks and lateral movement. The beauty with Deception is that these alerts are low in volume and have high fidelity, so they can be trusted, prioritized and acted upon immediately.
What makes a deception strategy truly successful though, is a deep understanding of the cyber terrain, known risks, and what attackers desire...this allows organizations to then use deception to their own advantage to change the battlefield dynamics in their favor. First, organizations must profile their cyber terrain with a solution that classifies all networks and assets and provides visibility into servers, workstations, enterprise IoT devices, legacy systems and shadow-IT. An organization’s Cyber terrain though is constantly changing and therefore it’s critical that the depiction of the cyber terrain is always-current – with the automatic adaption of the deception layer to ensure that it is continuously realistic and effective.
The Citrix breach is one of many to come in 2019. It’s just an inevitability. It’s also an inevitability that again, organizations will be unaware of the breach until much later – at the end of the day this is an attacker’s priority – get in, and stay undetected. This is why we must now all be striving to identify the breach, and respond to it as quickly as possible, with all the information at hand. Reducing the dwell time, and the risk to data and operations should be a key part of any organization’s cyber security strategy in today’s world of sophisticated, nation-state attacks.