LESSONS FROM THE SOLARWINDS AND HAFNIUM BREACHES: PART ONE

In recent months, two of the most sophisticated and severe state-sponsored cyber attacks – SolarWinds and the Hafnium hack on Microsoft Exchange Servers – affected 18,000+ and 30,000+ companies and government organisations respectively, and also claimed unintended victims within each respective supply chain.

Both ‘zero day’ exploits afforded attackers a lengthy period of time to wander unimpeded and unchallenged around the networks of their victims – planting further backdoors and manipulating certified code (in the case of SolarWinds).

It also represented new thinking in our adversaries, who wandered from host to host undetected, digging around servers and data without once being tempted to draw attention to themselves with a nice big ransomware-fest.

Individually, these two events already have the potential to be seismic in long-lasting impact. But when combined, we are presented with a seriously worrying trend – the implications of which could force a change in thinking in the security community, the likes of which we have rarely, if ever, seen.

Cause to rethink your cyber security foundation

The traditional security role and tools are, arguably, geared to the detection of attacks, the blocking of data exfiltration based on a set of known indicators of compromise and some behavioural analysis (with any luck) – and are pretty good at it, all in all.

However, as these two recent attacks show, standard security tools and approaches very quickly run out of ideas when we are asked to check whether anything malicious happened over the preceding months and, crucially, whether any of our stuff has changed without our knowledge.

It is like being asked to identify everything burglars took from the house: it may well not be immediately obvious, especially if they seem to have looked at everything. OK, that’s a start, but what did they take and, in this case, what did they leave?

The tools to verify that nothing of note has changed internally during the period an attacker was known to have access to our data and servers are, at best, reliant on manual guidance and, at worst, so inaccurate that it is better to assume everything is compromised.

What does that mean? Well, it could mean rebuilding servers from a known (and tested) good image, but unless you do them all at the same time (not likely), or you build a shadow network with hyper-controlled communications between it and the “old” network, how do you know your shiny new servers have not been re-compromised hours after you bring them up?

That said, we have to start somewhere, and we have to assume a level of integrity at some point, or we’ll never move on from these types of attacks. But it’s not easy, and it’s going to get harder.
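The point about assuming a level of integrity at some point is where a file-integrity baseline earns its keep: you record hashes of a known-good tree once, store that manifest somewhere the host itself cannot rewrite, and later diff the live tree against it to list what was modified, added or removed. The script below is an added example written for this post, not the author’s own tooling; it builds a SHA-256 manifest, round-trips it through a JSON file, and runs the comparison against a small constructed directory tree in which one file of each kind of change has been made.

```python
"""Baseline-and-verify file integrity check (added example, not from the original post).

Records SHA-256 hashes of every regular file under a root, saves them as a JSON
manifest, and later reports which files were modified, added or removed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its hash.

    Symlinks are skipped so a link pointing outside the tree cannot smuggle in
    content that is not actually part of the baseline."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and not entry.is_symlink():
            manifest[entry.relative_to(root).as_posix()] = sha256_of(entry)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Pure comparison of two manifests; returns sorted lists per change type."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    # sort_keys keeps the on-disk manifest stable, so it can itself be hashed or signed
    path.write_text(json.dumps(manifest, sort_keys=True, indent=2))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify(root: Path, manifest_path: Path) -> dict:
    """Compare the live tree under root against a previously saved manifest."""
    return diff_manifests(load_manifest(manifest_path), build_manifest(root))


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, change one file of each kind, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "service").write_bytes(b"original binary\n")
        (root / "etc" / "app.conf").write_text("listen=443\n")

        # The manifest lives outside the tree it describes (constructed stand-in for
        # off-host or write-once storage).
        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), manifest_path)

        # Simulated drift during the window in question: one modified, one added, one removed.
        (root / "bin" / "service").write_bytes(b"original binary\n# changed\n")
        (root / "bin" / "helper").write_bytes(b"not in the baseline\n")
        (root / "etc" / "app.conf").unlink()

        return verify(root, manifest_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the three lists for the constructed tree. The manifest is only as trustworthy as the state it was taken from and the place it is kept: take it from a freshly built, tested image and store it off the host, otherwise anyone who could change the files could also change the record of what they were supposed to be. Hash comparison also says nothing about files whose content is unchanged but whose permissions, ownership or timestamps moved, so a production baseline would record those attributes alongside the digest.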

A wake-up call

While it will take months for forensic investigators to sift through the fallout, in the short term the attacks have provided a timely wake-up call to businesses in every industry about the importance of cyber security.

In my next blog, I’ll share some considerations on what we can do to protect our little corners of the Internet from the worst of these outbreaks.