Breach remediation…or prevention? 

The recent SolarWinds attack (delivered through a trojanised Orion update carrying the backdoor known as Sunburst) has shone a light on the controls required after a breach, with affected organisations laser-focused on what happened and what comes next.

But here’s the part that’s easy to miss: the same controls that can help remediate the risks posed by this serious supply chain threat can also help prevent or limit the effect of this and other attacks before they happen.

Example: Most readers will be familiar with frameworks such as the Cyber Kill Chain® or MITRE ATT&CK®. Better and more targeted monitoring, two-factor and risk-based authentication, and privileged account controls (e.g., vaulting, session recording, credential rotation, least privilege, and user and account behaviour analytics) can all help reduce risk after the breach. However, these same controls could have significantly reduced the impact of the breach in the first place, boosting an organisation’s ability to detect the breach and contain the threat, or even helping to prevent it altogether.

If not now, then next time 

People in the information security industry know bullet-proof defence is not possible. A highly motivated, skilled and funded actor is likely to find a way in.

And against this backdrop, it’s surprising that organisations tend to take a very limited view of these breaches, only asking themselves: Did I have the breached software or not?

Instead, I suggest this perspective to my clients: Use this event as an opportunity to learn how to become more cyber resilient, so that when it’s your software that’s breached in a highly sophisticated attack, you’re ready to detect, contain and respond to it.

Here are some reflections on how to get ahead.

Get your basics in place to fend off the next remediation scenario 

NCSC in the United Kingdom and CISA/DHS in the United States recommend a number of basic controls as the foundation for a robust defence. These include, to name a few, strong identity and access management, monitoring, vulnerability management, patching and network segregation.

For example, the attackers behind Sunburst leveraged a number of highly stealthy mechanisms to disguise their activity and used the initial breach as a beachhead for lateral movement. As FireEye has reported, the attackers often used legitimate accounts in the attack. This only reinforces the need to focus on identity management and privileged access management.

When you review the controls that will help remediate the SolarWinds attack, four things are clear: 

  1. Cyber resilience and the SolarWinds Orion breach: If you had deployed these controls before the fact, you would have had a better chance of detecting the breach and higher confidence in your ability to contain it. This would also have enabled you to regain control much more quickly, even in the unfortunate situation where you were actually targeted by the (clearly highly motivated, capable and well-funded) threat actor. 
  2. Transferable defences: be ready for the next complex supply chain breach. While the next big breach may involve different approaches and new techniques, my prediction is that those same hygiene factors will again give you increased confidence in your ability to detect, contain and respond to it, whatever form it may take. 
  3. Cyber resilience is about prevention, not just response: While the initial attack vector might have been difficult, if not impossible, to defend against, strong preventative controls could have reduced the impact or severely limited the threat actor’s ability to move laterally and exploit the initial compromise. 
  4. Roll out your security controls across your estate: Too many organisations have dealt with security as a response to auditors’ findings. Cyber resilience is not about being able to demonstrate a control in an isolated way. Cyber resilience requires the control framework to be applied consistently across your environments. It’s a bit like pest control: it’s good to catch the mice once they’re in your kitchen, but better to identify how and why they got in and address the root causes. Your attacker is likely to enter through a “lower risk” environment, but this is just the beginning. They’ll find their way to your cookie drawer eventually. 
Practical (selective) lessons: 
  • Good basics. In this particular instance, you could say that patching was (viewed in isolation) detrimental to the security of the exposed organisations, since it was the Orion update itself that delivered the backdoor. But patching is still important: 
    • Patching (and vulnerability management) reduces the attack surface available for movement beyond the initial breach.
    • Control identity, access and, crucially, privileged access.  
    • Have security monitoring in place in a flexible, extensible way, so you can quickly roll out new monitoring use cases as new threats emerge.
    • As a general rule, make sure you know your assets and what they mean to the business, scan them for vulnerabilities, patch your services, and monitor the status of all of those assets.
  • Build a strong controls and assurance framework. Assurance should not be limited to matching a standard list of controls against your deployed capabilities. Rather, you should combine that with simulated advanced attacks through red and blue teaming, plus an active programme of threat hunting. 
  • Roll-out and coverage. Many organisations have invested in strong security capabilities, but when it comes to the implementation, corners are often cut. Budgets run dry and we end up securing only those services directly pertaining to an audit finding or a specific security architecture review, rather than applying these capabilities across our environments. 
  • Review your third-party assurance process. The SolarWinds breach isn’t the first big supply chain attack and it certainly won’t be the last. What we can predict with some certainty is that many organisations, months and years from now, will remain oblivious to this and other breaches. Supply chain security management is an absolute must for any professional security operation, and if this recent breach shows us anything, it is that we need a programmatic and dynamic approach to such threats. 
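To make the points about extensible monitoring use cases and the abuse of legitimate, privileged accounts concrete, here is an added example; it is not code from the original post or from Accenture. It is a small Python harness in which each detection use case is a plug-in function run over logon events against a per-account baseline learned from a known-good window. The log format, the host and account names, the `svc_` naming convention for service accounts and the privileged-account list are all assumptions constructed for the example.

```python
"""Added example: extensible 'monitoring use case' harness over logon events.
Not Accenture's or any vendor's code; all log lines and names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed log format: "<timestamp> <user> <source_host> <target_host> <logon_type>".
# logon_type uses the Windows convention: 2 interactive, 3 network, 5 service, 10 remote interactive.
BASELINE_LOG = """\
2020-12-01T08:01:00 svc_orion orion01 orion01 5
2020-12-01T08:05:00 svc_orion orion01 dc01 3
2020-12-01T09:12:00 alice ws-alice fileserv01 3
2020-12-02T08:01:00 svc_orion orion01 orion01 5
2020-12-02T10:30:00 alice ws-alice fileserv01 3
2020-12-02T11:00:00 adm_bob ws-bob dc01 10
"""

# Constructed events to evaluate: the monitoring service account and a domain admin
# logging on from hosts they have never used, once with an interactive logon type.
SUSPECT_LOG = """\
2020-12-14T02:14:00 svc_orion orion01 dc01 3
2020-12-14T02:15:00 svc_orion ws-temp07 dc01 10
2020-12-14T02:20:00 adm_bob ws-alice dc01 10
2020-12-14T09:00:00 alice ws-alice fileserv01 3
"""

# Assumed: the organisation's list of privileged accounts, as fed from its PAM tool.
PRIVILEGED_ACCOUNTS: Set[str] = {"svc_orion", "adm_bob"}


@dataclass(frozen=True)
class LogonEvent:
    ts: str
    user: str
    src: str
    dst: str
    logon_type: int


def parse_log(log: str) -> List[LogonEvent]:
    """Parse the constructed whitespace-separated format into LogonEvent records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, logon_type = line.split()
        events.append(LogonEvent(ts, user, src, dst, int(logon_type)))
    return events


@dataclass
class Baseline:
    """What 'normal' looks like per account, learned from a known-good window."""
    src_hosts: Dict[str, Set[str]]
    logon_types: Dict[str, Set[int]]


def build_baseline(events: List[LogonEvent]) -> Baseline:
    src_hosts: Dict[str, Set[str]] = defaultdict(set)
    logon_types: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        src_hosts[e.user].add(e.src)
        logon_types[e.user].add(e.logon_type)
    return Baseline(dict(src_hosts), dict(logon_types))


# A use case is just a function: (event, baseline) -> alert message or None.
# Adding a new use case means decorating one more function; nothing else changes.
Rule = Callable[[LogonEvent, Baseline], Optional[str]]
RULES: List[Rule] = []


def use_case(fn: Rule) -> Rule:
    RULES.append(fn)
    return fn


@use_case
def privileged_logon_from_new_host(e: LogonEvent, b: Baseline) -> Optional[str]:
    """Privileged account logging on from a source host never seen in the baseline."""
    if e.user in PRIVILEGED_ACCOUNTS and e.src not in b.src_hosts.get(e.user, set()):
        return f"{e.user}: privileged logon from unseen host {e.src} to {e.dst}"
    return None


@use_case
def service_account_interactive_logon(e: LogonEvent, b: Baseline) -> Optional[str]:
    """Service account (assumed svc_ prefix) using an interactive logon type (2 or 10)
    it has never used before: a person, not a service, is now driving the account."""
    if (e.user.startswith("svc_") and e.logon_type in (2, 10)
            and e.logon_type not in b.logon_types.get(e.user, set())):
        return f"{e.user}: first interactive logon (type {e.logon_type}) from {e.src}"
    return None


def run_rules(events: List[LogonEvent], baseline: Baseline) -> List[Tuple[str, str, str]]:
    """Run every registered use case over every event; return (timestamp, rule, message)."""
    alerts = []
    for e in events:
        for rule in RULES:
            msg = rule(e, baseline)
            if msg:
                alerts.append((e.ts, rule.__name__, msg))
    return alerts


def demo() -> List[Tuple[str, str, str]]:
    """Learn the baseline from the known-good window, then evaluate the suspect events."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return run_rules(parse_log(SUSPECT_LOG), baseline)


if __name__ == "__main__":
    for ts, rule, msg in demo():
        print(ts, rule, msg)
```

Run against the constructed data, the harness raises three alerts: the monitoring service account logging on from a host outside its baseline, that same event being its first interactive logon, and the domain admin logging on from another user’s workstation; routine activity by the same accounts from their usual hosts stays quiet. In a real estate the baseline would be learned from weeks of SIEM data rather than six lines, and alerts would flow into the PAM and SOC workflow; the design point is that rolling out the next use case means adding one function, not re-plumbing the pipeline.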

When I talk to my clients, my advice boils down to this: build up your cyber resilience before the next attack to avoid a gruelling journey of incident response and remediation. Fundamentally, this is about learning from current threats to safeguard your customers, shareholders, employees and other stakeholders. Don’t ask “Was my organisation breached by this attack?” Ask “What can we learn from this targeted intrusion to increase our resilience in the face of the next one?” And now is the time to get ahead. Contact me to find out more about how.

 

Accenture Security 

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security. 

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report. 

Copyright © 2021 Accenture. All rights reserved. 

Kristian Alsing

Managing Director – UK and Ireland Resources Security Lead and Digital Identity Lead for Europe
