2021 was a bummer for the cybersecurity community. We witnessed multiple large-scale cyber attacks, each of which did a number on the industry’s collective psyche. But it also raised new questions. These questions can guide us to learn new lessons about the ever-changing cybersecurity landscape and better prepare us to be resilient to these sorts of attacks in 2022 and beyond.
SOLARWINDS: How Did This Happen?
This attack actually happened in 2020, but the effects were still being felt in 2021. Attackers — who had inside access for the better part of a year before it was publicly disclosed. Within days of its announcement, organizations including the US Treasury, NATO, the U.K. government, the European Parliament, Microsoft and VMWare were presumed to have been hit.
Question: So How Could This Happen?
With the brightest minds and most resources on earth devoted to protecting establishments like Parliament and the Treasury, many were curious how such an event could possibly go undetected for so long. At Randori, we were asking the same thing.
Insight: Everyone struggles with the fundamentals
While “basic”, doing the hard work of security fundamentals is one of the biggest challenges holding security back.
- Least Privilege
- Shutting off unused services
- Scanning internet for exposed credentials
- Testing your own program
Fundamentals often don’t require all that much to set up, but just getting institutional buy-in, even at some of the world’s most powerful organizations can still be a challenge. You have to be realistic about your goals but some basic steps, such as default-deny firewall rules, can make my life as an attacker a lot harder while also improving your odds of detecting something like Solarwinds next time.
COLONIAL PIPELINE: What Really Are Your Crown Jewels?
In May of 2021, the Colonial Pipeline shuttered its doors and cut off the east coast’s oil supply for several days after a compromise to its billing system made it impossible to know who to charge. Although attackers never gained access to any operational systems, they were still able to hold the pipeline for ransom simply by cutting off the company’s access to billing information.
Question: What Really Are Your Crown Jewels?
The Colonial Pipeline Ransomware attack illustrates that there is more than one way to skin a cat when it comes to disrupting ops for the purposes of ransom. While everyone initially assumed attackers must have compromised the OT network, shutting off the pipeline – the reality was far different. Turns out all you need to do to shut down a pipeline is cut off the accountant’s access to quickbooks. Security programs are built around prioritization: focusing resources where they are most needed. However, understanding what is really important to your business isn’t always easy. If billing can shut down the whole organization, billing clearly must fall under the “most needed” category.
Insight: Do you know what really matters to the business?
Ransoms can be expensive, but for most companies the true cost of a ransomware attack is downtime and reputational harm. Staying online is always the priority. If security can prove itself resilient enough to keep your business online, you’ll be a hero. To do so, you need to know what can really take you down.
Colonial Pipeline offers security teams a real opportunity to better understand the businesses they support and build bridges, by engaging business leaders and executives outside technology in discussions around what truly is critical. Colonial Pipeline gives teams the opportunity (cough: excuse) to go back to the drawing board and reimagine what important means from a risk-based security approach.
Cyber Insurance : Are Your Fail Safes Safe?
AXA is one of the largest providers of cyber insurance in the world. So when they announced in May 2021 that they would stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals, it was a major wakeup call to the industry. Worse still, AXA itself found itself the victim of a ransomware attack just a month later.
Question: Are your fail safes safe?
Insurance companies make their money by calculating risk and spreading it out over their customer base. If their models were telling them to get out of the cyber insurance game, it’s likely others are seeing similar signals as well. If your resilience strategy depends on the safety-net of cyber insurance, it may be time for a new plan B. More troubling still, it means the industry is worse off than they thought it was – which is something we should put us all on notice.
Insight: We’re far less resilient than we think we are.
If even insurance companies can’t make money in cybersecurity, we’ve got some serious problems. Many companies have calculated (not inaccurately) that the most cost effective way to reduce their risk from ransomware attacks is to simply immediately pay the ransom, avoid downtime, keep it out of the headlines, and allow their insurance reimbursement to cover the cost. This strategy is on the outs. In lieu of being able to trust that our insurer will come to the rescue when attackers successfully exfiltrate data, how can we prevent the exfiltration in the first place? Default-deny is a good first step, but ultimately, security teams need more visibility. For this, they will need to turn to Threat Exposure Management tools.
KASEYA ATTACK: Who Can We Trust?
In July of 2021, Kaseya, an IT solutions developer for MSPs and enterprise clients, made public that it had been compromised. As a partner to MSPs and many enterprises, Kaseya had trusted access to thousands of organizations. Once compromised, attacker’s had direct access and permission to begin distributing ransomware throughout corporate networks. Estimates suggest that as many as 1500 mid-cap companies may have experienced ransomware attacks as a result.
Question: Who can we trust? Where else do we need to be looking?
Much like the Colonial attack, this incident shows us that our current security philosophies do not adequately encompass the true risk areas on our networks. We need to question our assumptions around trust and broaden our definition of what is worth protecting. We need checks for when trust breaks down so we can devote resources there to catch unusual behavior. In this case, that means taking a second look at our third party tools and who we’re really “trusting” in our environments.
Insight: Programs Need Ways to limit 3rd Party Risk
Many folks, even in the security industry, think of their third party security appliances as above reproach. Security is not a set-it-and-forget-it solution, no matter what vendors may try and sell you. Good security is a practice that takes ongoing work and maintenance to keep up. When you put a third party solution on your network, you have no way of breaking it open and seeing what’s under the hood. You know only what your vendor chooses to disclose, and they have a responsibility to protect their IP. Every company today has third party tools on their network that they are trusting – but few companies have practices in-place to verify that trust is warranted. Randori was founded because of a supply-chain attack and it’s our mission to solve exactly this problem – even in zero-trust architectures, security teams are always making trust-based decisions but few have any way to prove they can contain the risk when a trusted application can no longer be trusted.
LOG4j 2 MELTDOWN: Do You Know What You’re Running?
I probably don’t need to spend too much time refreshing your memory about this one. In December of 2021, a Chinese twitter user leaked the existence of a massive flaw in the java logging tool Log4j. This vulnerability was easy to exploit, offered full control of a system to an attacker, and could be found on just about every major private network in the world. It was easily the largest vulnerability of 2021 and frankly one of the biggest I’ve ever seen. It was and is a true 10 out of 10.
Question: Do I know what’s running?
The most astonishing takeaway from this exposure was that most organizations do not know what’s on their networks. This is not because they are bad at their jobs; it’s because answering that question is actually really hard and most folks are using spreadsheets to do it. It’s no wonder then that it takes the average organization more than a week to get an updated view of their attack surface – they have to touch dozens of teams and then compile all that information by hand. In a world where cloud instances change up daily, that’s not a sustainable solution.
Insight: Compromise is inevitable — you have to be ready.
You can’t patch a problem you don’t know about. As organizations become more reliant upon third party software, being able to quickly know what’s exposed is a critical first step. It took attackers less than two days to begin mass exploitation, at that time – most companies were still trying to figure out what they owned and had not even begun patching. 3rd party vulnerabilities will happen, the key is to be able to respond quickly and contain the damage. I’m proud to say, on this our customers really stepped up. We were able to alert them to their exposures within hours of disclosure and 2/3rds were already resilient enough to contain and prevent lateral movement from impacted applications. I’m looking forward to working with our customers, so that when the next Log4j hits – that number is 100%.
What You Need to Know
So what’s the answer to all these questions? Resilience is more important than prevention.
2021 proved that the types of attacks are too varied and attackers too advanced to prevent compromises from occurring, but that doesn’t mean we have to let the attackers win.. Compromise is just the beginning. For us defenders, winning is being resilient enough to stop them before they reach our crown jewels.
Recommendation: Implement Default-Deny Firewall Rules
Default-deny (blocking outbound traffic from your server by default) is a really quick win. While it scares some people because it is only effective after initial compromise, the reality is attackers are going to get in but they don’t have to get out.a scenario in which attackers have already gained access to your servers. But if an attacker like me cannot exfiltrate any data, camping out on your servers is just a waste of time and unnecessary risk. Nothing ticks off our team at the Randori Hacker Operations Center more than busting onto a system only to find yourself trapped or worse, unclear if you ever even got in. Even at the level of sophistication used by the of Solarwinds attackers, this attack and the amount of time the attackers had in the network, they would have been effectively powerless consequences still would have been almost nonexistent if the networks that got targeted had more organizations implemented default-deny as a policy.
If you want to read more about the lessons you can take from 2021 into 2022, stay tuned for our next article, 5 Tips for Taking the Offensive in 2022.