We recently hosted a conversation with Alex Stamos (former CSO at Facebook, co-founder of the Krebs Stamos Group, and advisor to SolarWinds), Charles Carmakal (SVP & CTO of FireEye Mandiant), and Vinnie Liu (CEO at Bishop Fox) about the SolarWinds attack. In the webcast, they explored lessons learned from the attack six months on, discussed the security challenges facing the supply chain, and offered solutions for how to build more resiliency and trust in the software ecosystem.
The full webcast is worth checking out, on-demand, here.
In this blog, we wanted to share key points and guidance from the webcast that will help you plan security strategies, including not just preventative security measures, but reactive responses and strategies for working with threat actors.
Attackers use tools and tricks that offensive security experts have built to help people protect their businesses. Many of us working within the security industry build and share open source tools with the community to support offensive security efforts. Because those tools are publicly available and people add features to adapt them to their own uses, threat actors will often use these same tools to attack their targets, rather than reinventing the wheel by creating similar tools or manually hacking systems, applications, and software.
For defenders, this can be a big win. As threat actors, including sophisticated and nation-state-sponsored groups, use these open source tools, they leave footprints behind that defenders and red teamers can use to track their behavior, anticipate their next move and, if the attack is already complete, trace their steps through the entire process to learn how to prevent similar attacks in the future.
As an industry, we should move to publish investigation reports to the public, much like we do in the case of an airline disaster. In those cases, the investigation occurs, and data is analyzed and then shared with not just the airline and criminal investigators, but with the public. Cybersecurity incidents and investigations should operate in much the same way, so that we can learn from the attacks and how the investigation and response to threat actors was handled. With that information, we can come together as industry leaders to plan for prevention, reaction, and how we should be thinking about responding to threat actors and blackmail efforts like ransom requests.
As things typically go today, cybersecurity incidents happen and the public, authorities, and press may or may not have even heard about them. In the cases where incidents are responsibly disclosed to affected parties, the media focus tends to be on attribution, and the buzz eventually wears off as incidents quietly go away and are swept under the rug once we have someone to blame.
What we should be shifting toward is sharing information about the attacks themselves: their methodologies, vectors, behaviors, and targets, so that industry leaders and security professionals can learn how to prevent similar attacks. The obvious risk is that in sharing that information you could be tipping off threat actors at the same time as you’re informing defenders. But it’s time to accept that risk and assume that threat actors already know as much as defenders; keeping intelligence close to the chest helps no one. No one wants to fall into a cycle of victim-blaming, but we should at least be learning from these incidents to help our peers prevent attacks and to help security vendors build the tooling and features that security teams need when they go on the offensive.
We’re not in the business of scaring security leaders or spreading FUD. We believe that you can defend forward and prevent attacks. However, no one is invincible, no matter how much you’re spending on your security program, resources, and experts. The best plan for securing your business is one that includes both prevention and reaction efforts.
This isn’t about scaring organizations into a mode where they’re only reacting to attacks after the fact; it’s about preparing for the worst so that you can take control of the situation, rather than giving threat actors the power. You can anticipate that your attackers will blackmail you and request a ransom in order to let you re-open your business operations or keep sensitive data private.
With that in mind, we can all agree that multifactor authentication, vulnerability management, and other preventative security measures are important, but we should accept that we need to plan for every potential outcome, including the worst-case scenario. One point Alex Stamos called out is that the issue for most companies isn’t a lack of money to fight attackers; it’s that they don’t have the approvals needed to disrupt business in order to focus on security.
“Executive CEOs and boards are going to have to get on board with the idea that they are going to have to be secure,” said Alex. “[These days] if you're a meat company, it turns out you have to invest in security like Lockheed Martin did in the 2010s.”
Read our guide about when to engage a red team and how to get the best ROI from your efforts. Another helpful and quick read is Daniel Wood’s lessons learned from years of red teaming within the U.S. government and for many of the Fortune 500. Both of these articles help you prepare for incidents and plan for things like attack simulations and external testing.
If you’re interested in this topic, listen to the conversation between Vinnie, Charles, and Alex to pick up more tips and learn from those who’ve been in the trenches.