SolarWinds hack sounds the alarm to strengthen cybersecurity measures


Many questions have not yet been answered regarding the SolarWinds incident, but one thing has become clear as investigations and responses continue. Managing supply chain risk requires a level of sophistication similar to that of an attacker.

Advanced Persistent Threats (APTs) have long been a major concern of the cybersecurity community. A well-organized attack team with considerable resources and clear objectives, one that does not give up until the mission is accomplished, is certainly not a threat to be underestimated. The tactics of an APT group combine various types of attacks, from exploiting zero-day vulnerabilities to social engineering, obtaining access, establishing footholds, and extending that access.

The recently discovered SolarWinds hack is a typical APT attack. It went undetected since at least March of last year, targeting several US federal departments, private companies, and major infrastructure organizations. The initial infection vector identified so far is a zero-day vulnerability in the SolarWinds Orion update, an IT stack monitoring service whose platform gave the attackers access to network traffic management systems. FireEye, which detected the attack, discovered SUNBURST, malware that turned the SolarWinds Orion update into a Trojan horse.

As is common with APTs, as the intrusion deepens and expands, the list of exploited vulnerabilities will grow both in the supply chain and in the target entity's internal systems. According to an alert from the Cybersecurity and Infrastructure Security Agency (CISA), other initial infection vectors beyond the SolarWinds-related one are being investigated. The initial infection vector may lie in the supply chain or in the target entity itself, but as the attacker extends their access, the attack surface grows through exploitation of internal system vulnerabilities. Cybersecurity reporter Brian Krebs pointed to the recently identified VMware vulnerability as a possible means of expanding the attack, given that access to internal systems had already been achieved by exploiting the SolarWinds vulnerability.

As investigations and responses continue, many of the remaining questions will be resolved. It is important for both government and the private sector to learn from these events and ask the right questions to improve cybersecurity. Cybersecurity should not be viewed in isolation but from a holistic perspective: flaws in identification, protection, detection, response, and recovery must all be analyzed and understood. For APTs in particular, detection, response, and recovery are becoming increasingly important, because protection can fail at some point given the sophisticated and complex nature of these attacks.

This article focuses on the supply chain, leaving aside internal system vulnerabilities, from the perspective of cybersecurity identification and protection. In a previous post, I explained the importance of resilient supply chains given that we are dealing with complex ecosystems today.

In mid-December 2020, the US Government Accountability Office issued a report urging federal agencies to take action to manage supply chain risk. This requires a level of sophistication similar to that of an attacker. Supply chain cybersecurity must be addressed through ongoing testing and monitoring, as well as contract and liability provisions.

An APT can succeed in gaining access with a highly sophisticated attack, but cybersecurity relies on timely detection to minimize damage through appropriate response and recovery. Centralizing event correlation for pattern tracking is of the utmost importance. However, the New York Times reported that Einstein, a Department of Homeland Security/US-CERT program that collects data from federal agencies (including contractor services) and feeds threat information back to them through correlation analysis, was unable to identify the attack. The malware disguised its communications as the Orion Improvement Program (OIP) protocol and blended them with legitimate Orion traffic, making them inconspicuous.
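To make the centralization point concrete, here is an added example (not from the original post): constructed proxy logs from three hypothetical agencies, with placeholder domains and a constructed `proto=oip` tag standing in for traffic that looks like the OIP protocol. Each agency on its own sees a single odd flow that is easy to dismiss as noise; correlating the logs centrally shows the same unknown destination contacted from every agency.

```python
from collections import defaultdict

# Constructed placeholders: not real SolarWinds hosts or attacker infrastructure.
VENDOR_ALLOWLIST = {"updates.vendor.example"}

# Constructed proxy logs from three hypothetical agencies; proto=oip is a constructed tag for OIP-style flows.
SAMPLE_LOGS = """\
agency=A host=orion-a1 dst=updates.vendor.example proto=oip
agency=A host=orion-a1 dst=updates.vendor.example proto=oip
agency=A host=orion-a1 dst=odd-cdn.placeholder.test proto=oip
agency=A host=wks-a7 dst=news.site.test proto=http
agency=B host=orion-b1 dst=updates.vendor.example proto=oip
agency=B host=orion-b1 dst=odd-cdn.placeholder.test proto=oip
agency=B host=wks-b2 dst=mail.site.test proto=http
agency=C host=orion-c1 dst=updates.vendor.example proto=oip
agency=C host=orion-c1 dst=odd-cdn.placeholder.test proto=oip
agency=C host=orion-c1 dst=patch.mirror.test proto=oip
""".splitlines()

def parse(line):
    """Turn one 'key=value key=value ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def suspicious_oip(records):
    """OIP-style flows whose destination is not on the vendor allowlist."""
    return [r for r in records
            if r["proto"] == "oip" and r["dst"] not in VENDOR_ALLOWLIST]

def local_view(records, agency):
    """One agency alone: its off-allowlist OIP destinations with its own flow counts."""
    counts = defaultdict(int)
    for r in suspicious_oip(records):
        if r["agency"] == agency:
            counts[r["dst"]] += 1
    return dict(counts)

def central_view(records):
    """Central correlation: off-allowlist OIP destination -> agencies that contacted it."""
    seen = defaultdict(set)
    for r in suspicious_oip(records):
        seen[r["dst"]].add(r["agency"])
    return dict(seen)

def flag_cross_agency(records, min_agencies=2):
    """Destinations receiving OIP-style traffic from at least min_agencies agencies."""
    return sorted(d for d, ags in central_view(records).items()
                  if len(ags) >= min_agencies)

if __name__ == "__main__":
    print(flag_cross_agency([parse(l) for l in SAMPLE_LOGS]))
```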

On the response side, CISA issued emergency orders to mitigate the attack, and Microsoft, FireEye, and GoDaddy created a kill switch by taking over the domains the malware used to control compromised systems. Public-private partnerships have also been formed to respond to the damage, better understand the impact of the attack, and formulate recovery strategies based on the actual extent of the damage.

US President-elect Biden announced in a statement that cybersecurity will be a top priority at all levels of government, that attackers will be made to pay a significant price, and that cooperation with allies and partners will be strengthened.

As we can see, cybersecurity gets noticed when attacks surface and is underappreciated when it works effectively. However, an APT is not a typical cyber-attack: it is difficult to protect against, track, respond to, and recover from. In addition, to make cybersecurity more efficient, priority should be given to reducing the complexity of the ecosystem.

In particular, with a business environment that is rapidly adopting digital technology under COVID-19, companies should pay special attention to the supply chain and take immediate action to cope with the threat posed by APTs. IT and related ecosystems need investment in training and education to produce cybersecurity personnel who can meet security needs, along with research to improve protection and detection.
