As the SolarWinds hack continues to unfold and expand in both its scope and impact, we know that the real jigsaw picture is much bigger than the pieces we currently know about. And as we still try to complete the SolarWinds jigsaw puzzle, the question that stares at us is, “What did we learn to be better prepared for the inevitable next time?”
SUNBURST was neither the first such hack, nor the last. Let’s explore the lessons here, and start with the common elements of such events:
- Flies under the radar for a very long time: So, we can assume more such attacks are underway right now and no one has a clue. The attacks use zero-days and blend their activity into background noise to stay hidden. Hence it is critical for us to:
  - Assume for now that other attacks are underway and implement a full prevent, detect, predict and respond security posture
  - Be able to go back in time for retrospective analysis and forensics when we need to start putting the next jigsaw puzzle together
- Abuses established trust chains: Abuse of trust chains casts doubt on all connections and requires visibility across all activity to monitor for anomalous activity and unusual access patterns. Even the ‘Zero Trust Architecture’ that is founded on granular segregated trust chains requires monitoring and verification as part of the architecture.
- Requires extensive forensics to uncover and recover: When the next attack happens, and happen it will, the task of understanding the scope and impact to your organization, if any, is long and arduous. It is orders of magnitude easier if your organization is prepared with the visibility, retrospective analysis, and forensics capabilities necessary to conduct such an investigation.
It is extremely important for an organization to enable prevention, segmentation, and zero trust authorizations for assets, users and data to implement a “shift left” security posture. But as we learnt above, these are necessary but not sufficient against modern attacks. An ‘Active Defense based Detect and Respond’ security posture, which operationalizes deception together with anomaly and kill-chain detection over pervasive visibility (by algorithms, hunting and investigation), offers one of the few opportunities to detect such a hack in its early stages.
Once information about the IOCs, tactics and techniques used becomes available, the tools must also be in place to operationalize that new intelligence retroactively and hunt back in time, going back through months of data looking for pieces of the jigsaw. Fidelis Elevate is an Active XDR solution that enables both of these facets – detect and respond:
- Through use of anomaly detection algorithms that flag anomalous user, network, and endpoint behaviors and/or use of specific protocols in malicious ways
- By enabling investigation, forensics and hunting using rich metadata about endpoints and network to find the unknowns
- By applying newly acquired threat intelligence backwards in time to automate the hunt for known IOCs in past communications
- By deploying deception in the network and Active Directory and spreading breadcrumbs across assets to lure attackers into the deception networks where their techniques can be gathered and their intentions uncovered
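The retrospective hunt described above, as an added illustration that is not Fidelis code: newly received indicators (domains and IP ranges) are swept over months of retained network metadata, and the first and last sighting per indicator gives the minimum dwell time. The records, hostnames, domains and IOCs are all constructed placeholders, not real indicators.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample of retained network metadata: (timestamp, source host, destination IP, DNS query).
# All values are invented placeholders (.invalid TLD, documentation IP ranges), not real indicators.
HISTORICAL_RECORDS = [
    ("2020-03-04T10:12:00", "build-srv-01", "203.0.113.45", "updates.example-vendor.invalid"),
    ("2020-05-18T02:41:00", "build-srv-01", "198.51.100.7", "a1b2c3.telemetry.badcdn.invalid"),
    ("2020-06-02T23:03:00", "ws-finance-12", "198.51.100.9", "x9y8.telemetry.badcdn.invalid"),
    ("2020-09-30T14:55:00", "ws-hr-03", "192.0.2.10", "intranet.corp.invalid"),
]

# Indicators as a threat-intel feed might deliver them months after the activity (constructed).
NEW_IOCS = {
    "domains": ["telemetry.badcdn.invalid"],  # matches the domain and any subdomain of it
    "ip_ranges": ["198.51.100.0/24"],         # CIDR notation; a single host is a /32
}

def domain_matches(query, ioc_domain):
    """True if the DNS query is the indicator domain itself or one of its subdomains."""
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)

def retro_hunt(records, iocs):
    """Sweep retained metadata for the indicators; return first/last sighting and hosts per indicator."""
    nets = [ip_network(n) for n in iocs["ip_ranges"]]
    hits = {}
    for ts, host, dst_ip, query in records:
        matched = [d for d in iocs["domains"] if query and domain_matches(query, d)]
        matched += [str(n) for n in nets if ip_address(dst_ip) in n]
        for indicator in matched:
            h = hits.setdefault(indicator, {"first_seen": ts, "last_seen": ts, "hosts": set()})
            h["first_seen"] = min(h["first_seen"], ts)  # ISO-8601 strings sort chronologically
            h["last_seen"] = max(h["last_seen"], ts)
            h["hosts"].add(host)
    return hits

def dwell_days(hits, discovered):
    """Days from the earliest matching record to the discovery date: a lower bound on dwell time."""
    if not hits:
        return 0
    first = min(h["first_seen"] for h in hits.values())
    return (date.fromisoformat(discovered[:10]) - date.fromisoformat(first[:10])).days

if __name__ == "__main__":
    found = retro_hunt(HISTORICAL_RECORDS, NEW_IOCS)
    for indicator, h in found.items():
        print(indicator, h["first_seen"], h["last_seen"], sorted(h["hosts"]))
    print("minimum dwell time (days):", dwell_days(found, "2020-12-13"))
```

The sweep keys on the retained fields alone, so the same scan applies to any indicator type the stored metadata carries (URLs, certificate hashes, user agents) once a matcher for that field is added.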
To summarize: to prepare for the next storm, create security operations processes that are founded on sound cyber-hygiene, prevention, segmentation, zero-trust as well as deception, visibility, threat hunting, investigation and response enabled by an Active XDR suite like Fidelis Elevate.