Today’s threat actors are becoming ever more creative when it comes to taking advantage of our digital dependencies, and public sector organisations are increasingly in the crosshairs of cyber criminals explains Sudhakar Ramakrishna, President and CEO at SolarWinds.
The criminal ecosystem supporting these attacks is extensive. State-sponsored attackers and highly organised criminal groups (OCGs) are adept at collaborating and sharing services, tools, and techniques over the “dark web.” This allows them to find new and highly sophisticated ways to hijack networks and infiltrate technology supply chains and systems without being detected.
As attacks continue to evolve, detection and prevention depend on creating a culture of disclosure and transparency so everyone can implement countermeasures and initiate a strong collective response against cyberthreats. It’s also critical to encourage—and possibly even reward—organisations that come forward with information of cyberattacks, even when it may not immediately appear to be in their best interests. Timely identification of threats and corrective steps can make the world a safer place.
Having investigated the tactics behind last year’s attack against SolarWinds, we’re sharing some key learnings so public sector organisations can better secure their own software environments and development processes.
1. Create a “Secure by Design” Development and Build Environment
The novel methods utilised in the attack against SolarWinds highlight how organisations need to move beyond traditional integrity checks and single software development and build environments.
To optimise protection of the development and build environment, initiate two or more separate environments and use changing build systems with separate user credentials. The integrity of each build environment can then be independently checked to identify and address compromises. This forces threat actors to replicate an attack across multiple heterogeneous environments with no overlapping privileges.
Organisations also need to adopt a mind and culture shift where software development cycles are concerned. Rather than simply baselining security after the fact using techniques like penetration (PEN) testing, it’s critical for every developer to undertake source discovery/analysis and PEN testing at every stage of the design prior to a final security review. This helps ensure the build pipeline is regularly reviewed and appropriate security controls are defined for every asset.
2. Prevention Is Better Than Cure: Adopt a Zero-Trust and Least Privilege Approach
Using compromised credentials to gain access to an organisation’s development environment and internal systems is the attack vector of choice for today’s threat actors. This is especially true in an era when many enterprises are dependent on software as a service (SaaS) tools and platforms within their environments.
Deploying stronger and deeper endpoint protection and improving visibility across the network is now the key to securing against cyberintrusions. Similarly, adopting zero-trust and least privilege access mechanisms and consistently enforcing least privilege policies for all employees—and contractors—are must-haves.
Security teams will also need to increase, expand, and strictly enforce requirements for multi-factor authentication in every environment, using privilege access management platforms for all administrative accounts, complete with auditing.
3. Get Proactive About Defence: Think and Act Like Cybercriminals
When it comes to checking the robustness of an organisation’s defences, today’s CISOs need to be given more autonomy to simulate full-scale tailored attacks and check how well the organisation would fare. These “Red Team vs. Blue Team” exercises enable cybersecurity professionals to train for incident responses, identify points of vulnerability, and gain firsthand experience in responding to and remediating attacks featuring the latest real-world techniques and methods. In this way, organisations can continuously evolve their security strategies, pinpointing security gaps such as potential backdoor vulnerabilities within the existing security architecture.
In the last year or so, the emergence of free-to-use knowledge sharing platforms like the MITRE ATT&CK® framework have helped organisations fine-tune their “white hat” intrusion simulations, and the National Cyber Security Centre (NCSC) recommends organisations use MITRE ATT&CK to find ways to disrupt an attacker at different stages of an attack.
4. Pursue Private/Public Partnership Collaboration Opportunities
Transparency and cooperation represent the best approach to preventing future attacks, and the public sector needs to work with IT industry partners to optimise the protection of critical systems and infrastructure. Indeed, a collective vigilance and defence posture now depends on the transparent disclosure of incidents and prompt information sharing to help protect everyone.
Implemented correctly, transparency practices can lead to improved security and increased internal stakeholder trust, which serves as the foundation for changing perceptions. This ensures everyone views security investments and efforts as a business enabler rather than simply a burdensome cost.
The NCSC has long been pushing for everyone to discuss, share, and collaborate more—in much the same way today’s threat actors combine their own learnings—so everyone can fortify their defence postures. Defending against determined, persistent, and sophisticated threat actors with the resources and capabilities of a nation-state now depends on enhanced public-private collaboration and a positive commitment to viewing every incident as a learning opportunity.
By sharing openly within and beyond organisational walls, public sector organisations will be well positioned to boost and constantly progress their security safeguards and best practices. As the threat landscape continues to evolve, cybersecurity can no longer be viewed as an “everyone for themselves” pastime—especially when it comes to collaborating with coworkers, intelligence sharing, and taking steps to enable better compliance with legal and regulatory controls.
To hear SolarWinds® CEO Sudhakar Ramakrishna speak about the company’s response to the cyber incident and what the public sector can learn from this, you can watch his speech at CYBERUK 2021 here: