Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/3/2021
10:00 AM
Tony Cole
Tony Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Stopping the Next SolarWinds Requires Doing Something Different

Will the SolarWinds breach finally prompt the right legislative and regulatory actions on a broader, more effective scale?

The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. Both governments and businesses remain focused on things like cyber hygiene and information sharing, which — while critical — are not enough to stop the next major breach. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.

IT leaders have been talking about cyber hygiene and information sharing since the late 1990s, and they will continue to be ineffective until better detection capabilities are implemented. Simply put, all three pieces of the puzzle need to fall into place before real, positive change can happen. Luckily, the SolarWinds breach came at a time when data security is receiving increased attention: a new federal Internet of Things cybersecurity bill recently became law, and Virginia passed a privacy law inspired by the European Union's General Data Protection Regulation (GDPR) and California's California Consumer Privacy Act (CCPA). This increased focus gives hope that the SolarWinds breach might finally prompt the right legislative or regulatory action on a broader, more effective scale for the entire nation.

Related Content:

How the Biden Administration Can Make Digital Identity a Reality

Special Report: Tech Insights: Detecting and Preventing Insider Data Leaks

New From The Edge: Tell Us the Truth: Why Do You LOVE Passwords?

Information Sharing Is Critical but Not Enough
For information sharing to be truly effective, several things need to happen. First, the current methods for information sharing must be improved. The SolarWinds breach provides the perfect justification to devote resources to this, and there has been some recent movement in the right direction via the Cybersecurity and Infrastructure Security Agency's information-sharing plan that organizations can opt into. Unfortunately, even well-coordinated information sharing won't be useful without more effective detection and instrumentation to go along with it. Ultimately, organizations cannot share information on something they have not detected.

Today, information sharing is too often just indicators of compromise (IoCs), which might include hashes of files, IPs, domains of command-and-control systems, and other things. While there is some value there, defenders need data on tactics, techniques, and procedures (TTPs) that can better help defenders respond to attacks as they occur. Some advisory bodies like MITRE provide helpful guidance in this area, but more timely data is needed. Without better detection, information sharing will continue to be limited to sharing the aftereffects of an attack, rather than its causes. 

Better Detection Is the Final Piece of the Puzzle
If legislative action does come out of the SolarWinds breach, it should focus on prompting enterprises to adopt the recommendations of bodies like NIST and MITRE. These organizations are increasingly seeing the value of in-network detection tools. Recent NIST recommendations have focused on building long-term resilience to attacks and continuously looking for lateral movement and privilege escalation activity.

MITRE recently released MITRE Shield, a complement to its highly regarded MITRE ATT&CK matrix. These two frameworks are the yin and yang of network security: ATT&CK looks at TTPs and shows how attackers break in, what they do, and what tools they use, while Shield looks at those TTPs and focuses on how to build an active defense structure to combat them. By adopting the recommendations in these guidelines, organizations can dramatically enhance their ability to quickly detect lateral movement and other attack activity within their network.

SolarWinds demonstrated why organizations can no longer inherently trust software providers or third-party tools. Organizations need to adopt an "assumption of breach" security posture enabled by more effective detection tools. Patching vulnerabilities as they arise is great, but recommendations like those provided by MITRE and NIST can help enterprises stay on top of network security in a more proactive way by cleaning up the network environment, locating exposed credentials, identifying potential attack paths, identifying lateral movement, and more — thereby minimizing breach impact.

Without improved detection capabilities, attackers will simply find another way into the network. Even the most effective firewalls and perimeter tools will never stop 100% of attacks, which makes detection tools at all levels of the network more critical than ever. Detection enables better information sharing, including the ability to share TTPs in near-real time, helping organizations stop attacks more quickly and effectively. This will ensure that information sharing becomes an incredibly valuable tool for organizations, rather than something that is only useful after the fact.

Putting It All Together
There is no silver bullet that will stop the next SolarWinds, but the government has an opportunity to prompt change at a national level. Current implementations and discussions about expanding information sharing have gotten us nowhere, but tools exist to fully realize information sharing's enormous potential. Enterprises should embrace the guidelines put forth by advisory bodies like NIST and MITRE, and the government can step in with well-thought-out and meaningful regulations incentivizing organizations to institute more effective detection capabilities.

With better detection and reliable information sharing, enterprises can finally shift their focus from attack response and recovery to attack detection and faster mitigation. With these measures in place, there is reason to hope that the impact of the next SolarWinds might be mitigated — or even possibly prevented.

Tony Cole has more than 35 years' experience in cybersecurity and today is the Chief Technology Officer at Attivo Networks, responsible for strategy and vision. Prior to joining Attivo Networks, he served in executive roles at FireEye, McAfee, Symantec, and is a retired cyber ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TCCybers
50%
50%
TCCybers,
User Rank: Author
5/3/2021 | 12:47:38 PM
Re: Good read!
Thank you, I'm glad you enjoyed it.

 

-Tony
etaymaor
50%
50%
etaymaor,
User Rank: Author
5/3/2021 | 10:56:01 AM
Good read!
Good read
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26543
PUBLISHED: 2021-05-06
The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
CVE-2021-27216
PUBLISHED: 2021-05-06
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
CVE-2021-29490
PUBLISHED: 2021-05-06
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and ex...
CVE-2021-29491
PUBLISHED: 2021-05-06
Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the ava...
CVE-2021-29921
PUBLISHED: 2021-05-06
Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid I...