Nothing New Under the Sun: Wait Until it Bursts or Re-think the Approach?
Over the last four weeks we have learned a lot regarding Sunburst/Solorigate, the cyberattack against U.S. government agencies and global enterprises. Like our peers, we pushed out protection updates to help mitigate the attack and protect our customers as soon as details emerged. While much potentially remains unknown, one thing is clear: fighting these cyber adversaries requires a re-thinking of the security approach. In most cases, our adversaries' goal is more than monetary: it is to infiltrate, to learn while staying under the radar, and finally to exfiltrate sensitive data. Sometimes it is to prepare for future disruption or to cause direct havoc.
Nation-state adversaries, in particular, are well funded and able to mount complex operations to circumvent multiple layers of protection. Further compounding this challenge, they are also evolving their tactics more quickly than most organizations can fortify their security, detection and response posture against these modern-day threats. (On a side note, attackers often fail to protect themselves with good OPSEC, and it is not uncommon to see multiple actors riding on each other's compromise, or failing to notice that they are themselves being watched.) When we look at the last 10 years and the many headline-making breaches that have been reported, the common denominator in all of them is the exfiltration of data for direct or indirect financial gain.
The reality is that breaches often follow the same modus operandi. But first, let's take a trip down memory lane: while not exactly the same problem, Ken Thompson already addressed this in 1984 in "Reflections on Trusting Trust", as did Elias Levy in the 2003 IEEE Security & Privacy paper "Poisoning the software supply chain". What has changed is the level of sophistication in how the attackers come through the door, be it yours or the cloud services', how they become persistent or keep a way to return to the environment, and the tricks they employ to exfiltrate critical data "under the radar". And, as we saw in the Sunburst attack, sophisticated attackers have the patience to lie in wait for months or even years before they execute their plan, using that time to learn about your network, your users and, more importantly, where all the digital crown jewels are stored. We want to thank FireEye, Microsoft and many others for sharing details on this widespread attack, as only through knowledge sharing can the industry work together to stop adversaries from further expanding their campaign.
Given that the attackers were discovered months after they first gained access to target government and enterprise networks via a supply chain attack in March 2020, we will likely never know the full extent of the Sunburst attack. However, it is clear the scope is large and that the victims represent important pillars of global governments, the economy and critical infrastructure. We can expect the information stolen from those systems, or the malware these criminals have likely left behind, to be used for follow-on attacks in the years to come, both in the digital and in the physical world.
So, what is the modern security path forward when infrastructure security isn't enough? Is a wholesale shift needed in how the industry, government agencies and enterprises approach security today? If so, then a holistic approach to security is required in today's threat landscape and cloud era – one that understands the network, the cloud and, in particular, the users and the critical data they create, interact with, share and store.
Key to embarking on change is education and discussion to understand how to move forward in this new world. Below are some helpful resources to learn more about reshaping the modern security path forward:
- To The Point Podcast “Sunburst Breach, With Dmitri Alperovitch, Former CTO of CrowdStrike”
- Forcepoint 2021 Future Insight “Where is Your Data? You’ll Find out in 2021”
- Wall Street Journal “Personalizing Cybersecurity Helps Protect Data”
- Forbes “In the Modern Security Landscape, People Are the New Perimeter”
- Fedscoop “For Cybersecurity, People Are The New Perimeter”
- Defense Systems “Securing the Federal Supply Chain”
- MeriTalk “Cyber Resiliency Means Securing The User”
- GCN “How Agencies Can Ensure Continuity of Operations”
- FedTech “3 Ways to Take a Human-Centric Approach to Data Protection”
- Fifth Domain "The Key to the Nation's Cyber Defense? Behavioral Analysis"
Additional Sunburst Attack Resources:
- Recommendations from CISA: https://cyber.dhs.gov/ed/21-01/
- FireEye: https://github.com/fireeye/sunburst_countermeasures