Attacks/Breaches

5/3/2021
10:00 AM
Tony Cole
Commentary
Stopping the Next SolarWinds Requires Doing Something Different

Will the SolarWinds breach finally prompt the right legislative and regulatory actions on a broader, more effective scale?

The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. Both governments and businesses remain focused on things like cyber hygiene and information sharing, which — while critical — are not enough to stop the next major breach. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.

IT leaders have been talking about cyber hygiene and information sharing since the late 1990s, and those measures will continue to be ineffective until better detection capabilities are implemented. Simply put, all three pieces of the puzzle need to fall into place before real, positive change can happen. Luckily, the SolarWinds breach came at a time when data security is receiving increased attention: a new federal Internet of Things cybersecurity bill recently became law, and Virginia passed a privacy law inspired by the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This increased focus gives hope that the SolarWinds breach might finally prompt the right legislative or regulatory action on a broader, more effective scale for the entire nation.


Information Sharing Is Critical but Not Enough
For information sharing to be truly effective, several things need to happen. First, the current methods for information sharing must be improved. The SolarWinds breach provides the perfect justification to devote resources to this, and there has been some recent movement in the right direction via the Cybersecurity and Infrastructure Security Agency's information-sharing plan that organizations can opt into. Unfortunately, even well-coordinated information sharing won't be useful without more effective detection and instrumentation to go along with it. Ultimately, organizations cannot share information on something they have not detected.

Today, information sharing too often consists of nothing more than indicators of compromise (IoCs): file hashes, IP addresses, domains of command-and-control systems, and similar artifacts. While there is some value there, defenders need data on tactics, techniques, and procedures (TTPs) that helps them respond to attacks as they occur. Some advisory bodies like MITRE provide helpful guidance in this area, but more timely data is needed. Without better detection, information sharing will continue to be limited to sharing the aftereffects of an attack, rather than its causes.

Better Detection Is the Final Piece of the Puzzle
If legislative action does come out of the SolarWinds breach, it should focus on prompting enterprises to adopt the recommendations of bodies like NIST and MITRE. These organizations are increasingly seeing the value of in-network detection tools. Recent NIST recommendations have focused on building long-term resilience to attacks and continuously looking for lateral movement and privilege escalation activity.

MITRE recently released MITRE Shield, a complement to its highly regarded MITRE ATT&CK matrix. These two frameworks are the yin and yang of network security: ATT&CK looks at TTPs and shows how attackers break in, what they do, and what tools they use, while Shield looks at those TTPs and focuses on how to build an active defense structure to combat them. By adopting the recommendations in these guidelines, organizations can dramatically enhance their ability to quickly detect lateral movement and other attack activity within their network.

SolarWinds demonstrated why organizations can no longer inherently trust software providers or third-party tools. Organizations need to adopt an "assumption of breach" security posture enabled by more effective detection tools. Patching vulnerabilities as they arise is great, but recommendations like those provided by MITRE and NIST can help enterprises stay on top of network security in a more proactive way by cleaning up the network environment, locating exposed credentials, identifying potential attack paths, identifying lateral movement, and more — thereby minimizing breach impact.
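The contrast the article draws between sharing IoCs and detecting TTPs such as lateral movement can be made concrete with a small detection script. The following is an added example written for this commentary; it is not code from Dark Reading, MITRE, NIST or Attivo Networks. The log format, the account and host names, the IoC list and the thresholds are all constructed for the illustration. It runs an IoC lookup and a behavioural rule (one account authenticating to several distinct hosts within a short window) over the same constructed events, showing that the IoC lookup only recognises an artifact from a previous incident while the behavioural rule surfaces the account that is moving laterally from a trusted workstation.

```python
"""Added example: IoC matching versus TTP-style behavioural detection.

Illustrative code written for this article, not a tool from Dark Reading,
MITRE, NIST or Attivo Networks. The log format, IoC feed and thresholds
below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: time, account, source host,
# destination host, source IP. The "svc_backup" account logging on to many
# servers within minutes from an ordinary workstation is the behaviour we
# want to surface; it uses no known-bad IP or file hash.
SAMPLE_LOG = """\
2021-05-03T09:00:01 alice ws-alice fileserver01 10.0.1.15
2021-05-03T09:00:40 bob ws-bob mail01 10.0.1.22
2021-05-03T09:01:10 svc_backup ws-alice fileserver01 10.0.1.15
2021-05-03T09:01:35 svc_backup ws-alice dc01 10.0.1.15
2021-05-03T09:02:02 svc_backup ws-alice sql01 10.0.1.15
2021-05-03T09:02:30 svc_backup ws-alice hr-app01 10.0.1.15
2021-05-03T09:03:00 svc_backup ws-alice build01 10.0.1.15
2021-05-03T09:45:00 carol ws-carol fileserver01 10.0.1.31
2021-05-03T11:00:00 dave ws-dave mail01 198.51.100.7
"""

# Constructed IoC feed of the kind that is typically shared: IP addresses
# from an earlier incident. File hashes or domains would be matched the
# same way. None of these describes the use of a legitimate account.
SHARED_IOCS = {"ips": {"198.51.100.7", "203.0.113.9"}}


def parse_log(text):
    """Parse the constructed space-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src_host, dst_host, src_ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src_host": src_host,
            "dst_host": dst_host,
            "src_ip": src_ip,
        })
    return events


def ioc_matches(events, iocs):
    """IoC-style detection: return events whose source IP is on the feed."""
    return [e for e in events if e["src_ip"] in iocs["ips"]]


def lateral_movement_alerts(events, window=timedelta(minutes=5), min_hosts=4):
    """TTP-style detection: flag an account that authenticates to at least
    `min_hosts` distinct destination hosts within any sliding `window`.
    The threshold and window are illustrative, not a vendor recommendation."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["dst_host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "hosts": sorted(hosts),
                    "first": evs[start]["time"],
                    "last": evs[end]["time"],
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    hits = ioc_matches(events, SHARED_IOCS)
    print("IoC hits:", [(e["account"], e["src_ip"]) for e in hits])
    for a in lateral_movement_alerts(events):
        print(f"lateral movement: {a['account']} -> {a['hosts']} "
              f"between {a['first']} and {a['last']}")
```

Run as-is, the IoC lookup reports only the single event from the feed's known address, while the behavioural rule reports `svc_backup` reaching four distinct hosts in under two minutes. The behavioural alert is also the one worth sharing with peers, because it describes the technique rather than an artifact the attacker can change at will.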

Without improved detection capabilities, attackers will simply find another way into the network. Even the most effective firewalls and perimeter tools will never stop 100% of attacks, which makes detection tools at all levels of the network more critical than ever. Detection enables better information sharing, including the ability to share TTPs in near-real time, helping organizations stop attacks more quickly and effectively. This will ensure that information sharing becomes an incredibly valuable tool for organizations, rather than something that is only useful after the fact.

Putting It All Together
There is no silver bullet that will stop the next SolarWinds, but the government has an opportunity to prompt change at a national level. Current implementations and discussions about expanding information sharing have gotten us nowhere, but tools exist to fully realize information sharing's enormous potential. Enterprises should embrace the guidelines put forth by advisory bodies like NIST and MITRE, and the government can step in with well-thought-out and meaningful regulations incentivizing organizations to institute more effective detection capabilities.

With better detection and reliable information sharing, enterprises can finally shift their focus from attack response and recovery to attack detection and faster mitigation. With these measures in place, there is reason to hope that the impact of the next SolarWinds might be mitigated — or even possibly prevented.

Tony Cole has more than 35 years' experience in cybersecurity and today is the Chief Technology Officer at Attivo Networks, responsible for strategy and vision. Prior to joining Attivo Networks, he served in executive roles at FireEye, McAfee, Symantec, and is a retired cyber ...
Comments

TCCybers (Author), 5/3/2021 12:47:38 PM
Re: Good read!
Thank you, I'm glad you enjoyed it.

-Tony

etaymaor (Author), 5/3/2021 10:56:01 AM
Good read!
Good read