Cyber Resilience in the Face of the Recent Massive Breach - KEEP CALM AND FOLLOW NIST SP800-61

Thomas Ludwig - Dec 24, 2020

In insider forums, it is not uncommon for a security breach to have multiple cryptic names. What is unusual about the still evolving breach that began in March and was detected in December is that the name changes happen on the front page of the Wall Street Journal and all over the news. The stories changed from “Elite Cyber Security Firm Hacked” to what amounts to “Everybody Hacked. Elite Cyber Security Firm First to Notice”. Clearly, nobody wants to be next. While “everybody” is an exaggeration, it is hard to overstate how far supply chain attacks reach. Large technology giants and many others have been reported to be impacted. Chances are that the impact will travel farther through the supply chain than just to users of the impacted version.

Cyber Supply Chain Risk Management has been on the ascendancy for years
The recent breach has brought Cyber Risks that originate with an organization’s suppliers to the front pages, but this type of risk has been analyzed for years. The September revision of the omnipresent NIST Security Controls Catalog (NIST SP800-53 rev. 5) groups Supply Chain Risk Management controls for the first time in their own family. The Department of Defense launched a major initiative for its own supply chain in January 2020: The Cybersecurity Maturity Model Certification (CMMC) is becoming mandatory for all DoD suppliers and throughout the supply chain - multiple levels deep. As usual in cybersecurity, what begins at the DoD will heavily influence cybersecurity practices across the global economy over the coming years. The lessons learned from the breach are highlighted here. What all these discussions have in common is the broader focus on Resilience over just Protection.

Cyber Resilience Management - assume you have been breached
If your trusted suppliers are breached, the attacker is already within the perimeter. Resilience Management is the answer to the realization that not every breach or attack can be prevented. It has replaced the old paradigm of keeping attackers out with the Resilience Management playbook for detecting, responding to and recovering from a breach. Resilience Management is heavy on processes given the huge number of breaches occurring every day. It is not primarily about the heroic response to one big breach, but about the constant vigilance that is needed to detect minor breaches and identify those that are part of a bigger scheme. In cases such as the recent breach, heroics were evidently needed too. But before the massive response and recovery efforts came the detective work, which in the current case took nine months.

Known intrusion techniques - and established defense frameworks
The attackers, in all likelihood associated with foreign intelligence organizations, deployed well-known tactics and techniques. They used compromised software to establish beachheads in many organizations, including critical US government agencies and businesses across the globe. From there they carefully expanded their access by compromising existing user accounts. The breach must be considered ongoing and persistent. Many organizations may still not know the extent to which they were breached. The work of identifying every compromised system and cleaning it up will take months. The good news is that established Resilience Management frameworks provide the playbook to follow. The NIST Cyber Security Framework (CSF) and the NIST SP800-61 Computer Security Incident Handling Guide are the perfect starting points. Three of the five functions of NIST CSF spell out the steps to follow: Detect, Respond and Recover.

Given that minor attacks are a constant occurrence, it is essential to follow systematic processes. While it is not publicly known how exactly the recent breach was first detected, the classical elements of the playbook were all present. It began with an anomalous event: a new device was connecting to a VPN in a pattern that was not quite normal. By no means an outrageous event, but enough of an anomaly to have a security analyst follow up and review the associated account. The amount of analysis and detective work necessary to trace this event back to the malicious code in the compromised software update is considerable – quite likely this is what allowed the breach to stay undetected for nine months. In many organizations the detection phase is just beginning, and following the frameworks mentioned above is the prudent path.
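The anomalous event described above, as an added example that is not part of the original article: a per-account baseline of VPN devices is built from constructed log lines, and a successful login from a device the account has never used before is flagged for analyst follow-up. The log format, field names and working hours are assumptions for this example.

```python
"""Flag VPN logins from a device not previously seen on that account.

Added example, not from the original article. The log format (timestamp,
account, device_id, result) and the working-hours window are assumptions;
the log lines below are constructed for this example.
"""
from collections import defaultdict

# Constructed VPN authentication log; the last line is the anomaly to catch.
VPN_LOG = """\
2020-11-02T08:03:11Z alice dev-a1 success
2020-11-02T08:10:42Z bob dev-b1 success
2020-11-03T07:58:05Z alice dev-a1 success
2020-11-03T09:12:30Z bob dev-b1 success
2020-11-03T23:00:00Z carol dev-c1 failure
2020-11-04T08:05:50Z bob dev-b1 success
2020-11-04T02:41:17Z alice dev-x9 success
"""

def parse_log(text):
    """Split whitespace-separated log lines into (ts, account, device, result)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def flag_anomalies(events, work_hours=(6, 20)):
    """Return successful logins whose device is new for that account.

    The baseline is built incrementally in log order: an account's very first
    login is not an alert, but a device that first appears once a baseline
    exists is. Each alert also records whether the login fell outside the
    assumed working hours, a second signal an analyst would weigh.
    """
    seen = defaultdict(set)
    alerts = []
    for ts, account, device, result in events:
        if result != "success":      # failed attempts never extend the baseline
            continue
        if seen[account] and device not in seen[account]:
            hour = int(ts[11:13])    # hour field of the ISO-8601 timestamp
            alerts.append({"ts": ts, "account": account, "device": device,
                           "off_hours": not work_hours[0] <= hour < work_hours[1],
                           "known_devices": sorted(seen[account])})
        seen[account].add(device)
    return alerts

if __name__ == "__main__":
    for a in flag_anomalies(parse_log(VPN_LOG)):
        print(f"{a['ts']} account={a['account']} new device {a['device']} "
              f"off_hours={a['off_hours']} known={a['known_devices']}")
```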

The next phase in the playbook is the response. The key elements are Communication, Analysis and Mitigation. Communication with suppliers, partners and customers, in particular, is still ramping up. Responsible players have informed their partners whether they use the affected software versions and whether breaches have been detected. But the process of sharing detailed information about attack patterns and detected anomalies is just beginning. In the current case some of the mitigation actions were straightforward, such as completely disabling affected versions of the impacted software. However, identifying and disabling accounts in other systems that have been compromised is an ongoing task that will occupy security and IT teams for months.

This is the long-term dimension. Detection strategies and Incident Response plans will be modified. We will see organizational changes and new areas of accountability for detection and response. For defense contractors, compliance with the Resilience Management processes incorporated into CMMC is already mandatory. Given the scale of the recent breach, legal changes are on the horizon for the broader economy. No doubt they will take time, but they will certainly incorporate the Resilience Management practices referenced above. Now is the time to get ahead of legal requirements – and of attackers. The good news is we have the frameworks spelling out very clearly what to do – and the GRC technologies to do it quickly and efficiently.

Detect, Respond, Recover
The recent breach has shown that detection is critical. What makes the attack devastating is the fact that it remained undetected for nine months. As in any sophisticated attack, there were multiple attack points. It is not clear yet how the attackers gained the access that allowed them to hide a backdoor in the SolarWinds update. Therefore, it cannot be assessed which detection mechanisms could have triggered an alert. But it is fairly clear how the attackers could engineer the next stage of the attack: since the SolarWinds update with the hidden backdoor was considered trusted software, the attack victims installed it themselves.
