Supply chain attacks are here to stay. Use them as an institutional learning opportunity for cyber resilience.
April 1, 2021
The recent SolarWinds attack (known as Sunburst) has shone a light on the controls required after a breach, with affected organisations laser-focused on what happened and what next.
But here’s the part that’s easy to miss: the same controls that can help remediate the risks posed by this serious supply chain threat can also help prevent or limit the effect of this and other attacks before they happen.
Example: Most readers will be familiar with frameworks such as Cyber Kill Chain® or the MITRE ATT&CK®. Better and targeted monitoring, two-factor and risk-based authentication and privileged account controls (e.g., vaulting, session recording, credential rotation, least privilege and user and account behaviour analytics) can all help reduce risk after the breach. However, these same controls could have significantly reduced the impact of the breach in the first place, boosting an organisation’s ability to detect the breach and contain the threat, or even help to prevent it all together.
People in the information security industry know bullet-proof defence is not possible. A highly motivated, skilled and funded actor is likely to find a way in.
And against this backdrop, it’s surprising that organisations tend to take a very limited view of these breaches, only asking themselves: Did I have the breached software or not?
Instead, I suggest this perspective to my clients: Use this event as an opportunity to learn how to become more cyber resilient, so that when it’s your software that’s breached in a highly sophisticated attack, you’re ready to detect, contain and respond to it.
Here are some reflections on how to get ahead.
NCSC in the United Kingdom and CISA/DHS in the United States recommend a number of basic controls as the foundation for a robust defence. These include, to name a few, strong identity and access management, monitoring, vulnerability management, patching and network segregation.
For example, the attackers behind Sunburst leverage a number of highly stealthy mechanisms to masquerade their attack and to use the initial breach as a beach head for lateral movement. As has been reported by FireEye, the attackers often use legitimate accounts in the attack. This only reinforces the need to focus on identity management and privileged account management.
When you review the controls that will help remediate the SolarWinds attack, four things are clear:
When I talk to my clients, my advice boils down to this: build up your cyber resilience before the next attack to avoid a grueling journey of incident response and remediation. Fundamentally, this is about learning from current threats to safeguard your customers, shareholders, employees and other stakeholders. Don’t ask “Was my organisation breached by this attack?” Ask “what can we learn from this targeted intrusion to increase our resilience in the face of the next one?” And now is the time to get ahead. Contact me to find out more about how.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.