The recent SolarWinds incident is a stark reminder that we all should re-evaluate the blind trust we put into third-party components inside our networks.
While the SolarWinds incident is fresh in many of our minds, it’s far from the first successful supply chain attack in the annals of cybersecurity. In 2011, another incident occurred which led to the blacklisting and bankruptcy of Dutch certificate authority DigiNotar after a security breach enabled a malicious actor to issue more than 500 certificates fraudulently.
Modern supply chain attacks are among the most intricate and effective cybersecurity threats enterprises face today – what can organizations do to improve their defenses?
Wikipedia describes this type of threat as follows: “a supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry or government sector.”
To properly assess our ability to handle an incident, like the recent SolarWinds attack, it’s important to be aware of our preventative and responsive security capabilities. Unfortunately, we know the odds of preventing complex zero-day and supply chain attacks with perimeter security alone are slim. We, instead, should also focus our attention on how far and wide attackers can reach once they breach the walls of our digital fortresses.
Prevention Best Practices
To ensure prevention, you should leverage microsegmentation and the Zero Trust framework in your security strategy. If we look at the SolarWinds incident as a case study, we can identify how applying these concepts to application behavior could prevent or disrupt the attack flow.
In the recent supply chain attack, the SolarWinds client was deployed across various systems inside the network (as intended) and had no restrictions on what it could access inside or outside the network, regardless of host.
Two simple actions could have potentially helped organizations:
- The first stage of the attack involved pulling the secondary binary from the attack server. If the SolarWinds binary had only been able to access known SolarWinds addresses instead of the ones leveraged by the malicious actors, organizations could have broken the attack chain earlier.
- Even if this first-stage prevention had failed and the Sunburst malware had successfully deployed the binary, it would still have needed to communicate with its command-and-control server and run commands on the targeted network. If an organization had effective segmentation policies applied to its SolarWinds application, this activity could have been blocked, or a non-compliance alert generated for security teams to investigate.
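The two bullets above describe one control: a per-application egress allowlist that permits a third-party agent to reach only its known vendor addresses and ports, and either blocks or alerts on anything else. The following is an added illustration of that control, not code from the original post and not Guardicore's policy format. The process name, the `.invalid` domains and the addresses are constructed placeholders, not the real SolarWinds addresses or any indicator of compromise.

```python
# Added example: per-application egress allowlisting evaluated against a
# constructed set of outbound connection events. All names and addresses
# below are placeholders, not real infrastructure or IoCs.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressRule:
    """One destination an application may reach: a domain (or any of its
    subdomains) or an IPv4/IPv6 CIDR block, plus a single TCP port."""
    destination: str
    port: int

    def matches(self, dest: str, port: int) -> bool:
        if port != self.port:
            return False
        if "/" in self.destination:          # CIDR rule
            try:
                return ip_address(dest) in ip_network(self.destination)
            except ValueError:               # dest is a hostname, not an IP
                return False
        # Domain rule: exact match or any subdomain of the listed domain
        return dest == self.destination or dest.endswith("." + self.destination)


@dataclass(frozen=True)
class Connection:
    """An observed outbound connection attempt from a monitored host."""
    timestamp: str
    host: str
    process: str
    dest: str
    port: int


# Policy: process name -> destinations it is allowed to reach.
# A process with no entry keeps the legacy "unrestricted" default, which is
# the situation the text describes for the SolarWinds client.
POLICY = {
    "monitoring-agent.exe": (                  # hypothetical third-party agent
        EgressRule("updates.example-vendor.invalid", 443),
        EgressRule("10.20.30.0/24", 9443),     # the vendor's on-prem server
    ),
}


def evaluate(conn: Connection, policy=POLICY, enforce: bool = True) -> str:
    """Return 'allow', 'block' (enforce mode) or 'alert' (monitor-only mode)."""
    rules = policy.get(conn.process)
    if rules is None:
        return "allow"                         # not covered by policy: unrestricted
    if any(r.matches(conn.dest, conn.port) for r in rules):
        return "allow"
    return "block" if enforce else "alert"


def review(events, policy=POLICY, enforce: bool = True):
    """Evaluate a batch of connections and return (decisions, violations).
    violations lists the non-compliant events in chronological order so an
    analyst can walk the chain of activity for a given process."""
    decisions = [evaluate(e, policy, enforce) for e in events]
    violations = sorted(
        (e for e, d in zip(events, decisions) if d != "allow"),
        key=lambda e: e.timestamp,
    )
    return decisions, violations


# Constructed sample events (not real traffic). The two flagged entries mirror
# the stages in the text: fetching a second-stage binary from an unknown
# external host, then reaching an internal host the agent has no business with.
SAMPLE_EVENTS = [
    Connection("2020-12-01T08:00:01Z", "srv-01", "monitoring-agent.exe", "updates.example-vendor.invalid", 443),
    Connection("2020-12-01T08:00:02Z", "srv-01", "monitoring-agent.exe", "10.20.30.7", 9443),
    Connection("2020-12-01T08:05:10Z", "srv-01", "monitoring-agent.exe", "cdn.unrelated-host.invalid", 443),
    Connection("2020-12-01T08:06:00Z", "srv-01", "monitoring-agent.exe", "10.50.1.20", 445),
    Connection("2020-12-01T08:06:30Z", "srv-01", "browser.exe", "news.example.invalid", 443),
]

if __name__ == "__main__":
    decisions, violations = review(SAMPLE_EVENTS)
    for e, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{e.timestamp} {e.process:22} -> {e.dest}:{e.port:<5} {d}")
    print(f"{len(violations)} policy violation(s) for investigation")
```

Running with `enforce=False` turns the policy into a learning or monitor mode that only raises alerts, which is how a baseline for a new application is typically built before switching to enforcement; the sorted `violations` list is the starting point for the chronological investigation the response section calls for.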
Response Best Practices
From a response perspective, it’s not only about the speed of the response to a given incident. It’s also about having the right tools to surgically stop the attack without disrupting the business, and having the data in place to actually assess the breadth and depth of the attack. Dwell time can be days or months, which can mean a far deeper attack footprint than originally assumed.
In ‘simpler’ cybersecurity incidents, such as ransomware attacks, attackers may encrypt files, making their impact and presence on a network obvious. However, in more advanced scenarios, such as supply chain attacks, it may be some time before a previously unknown breach is discovered. Since time will have passed, it’s essential to have the proper tools to mitigate the attack and chronologically investigate the attacker’s actions around your network.
How can Guardicore help?
Preventing the Attack
- Realize a Zero Trust network – When onboarding a new application or reviewing an existing one, Guardicore segmentation policies can be configured to allow only the required access to a predefined or learned list of assets, domains and ports.
- Crown jewel protection – Reduce risk by protecting your critical assets with granular segmentation policies instead of focusing on each potential third-party application.
- Guardicore dynamic deception technology – Guardicore’s dynamic deception technology allows organizations to detect unknown malicious behavior by simulating a live system on the network to detect lateral movement of malicious actors.
- Guardicore Threat Intelligence Feed – Apply a built-in list of rules as protection against a curated, constantly updating list of threats.
Responding to the attack
- Guardicore Reveal – The Reveal map is a powerful tool that allows you to filter and view specific assets (Windows, Linux) and process behavior across time. For example, you can use it to explore the past behavior of a newly discovered malicious binary.
- Rapid policy enforcement – Apply segmentation policies on both Windows and Linux within minutes of discovering a threat, as opposed to days and sometimes weeks due to infrastructure and routing limitations.
- Guardicore Insight – Proactively query each system (Windows or Linux) on your network for any property about it and respond based on the result. For example:
  - Query for specific software installed or for the presence of specific files at a given path.
  - Quarantine systems with forbidden or vulnerable software.
  - Detect and block known indicators of compromise (IoCs).
Want to improve your security posture against supply chain attacks? Request a demo today to learn more about effective prevention and response with Guardicore Centra.