The cybersecurity world saw a dramatic end to 2020 with the disclosure of a large-scale, sophisticated breach carried out through the SolarWinds software supply chain, in which a trojanized Orion update reached as many as 18,000 organizations. For the first few weeks following the disclosure, organizations performed due diligence to identify and mitigate the impact. But what do you do now, as we move from tactical response to developing a proactive strategy for 2021?
Looking at the risks that the SolarWinds breach brought to light and reviewing your organization’s security posture against those risks is a good place to start. It will help you develop not just a strategy, but one that is actionable.
Review tactics, techniques and procedures
It’s important to review the tactics, techniques and procedures (TTPs) used in the breach and map them against the MITRE ATT&CK framework.
Take networking, for example: network engineers want to know how command and control is conducted once a Sunburst infection is in place. The malware disguised its command-and-control traffic as the trusted “Orion Improvement Program” (OIP) protocol, Orion’s own telemetry channel, so that it blended in with legitimate application traffic.
However, this channel is rarely monitored for malicious traffic because of the cost and effort involved. Many organizations are weak in network monitoring generally, and especially in collecting real-time network traffic for threat identification and forensic investigation.
For this example, we can construct a variety of possible security management options with associated return on investment to lower risk:
- Prioritize resources to monitor the OIP network channel and/or all channels in an organization. This likely isn’t feasible due to expense, but it is an option to consider, either in part or whole, for an organization wanting to improve visibility at the network layer.
- Perform periodic reviews of OIP network communications, auditing regularly for anomalous and suspect traffic. The review frequency sets the trade-off: the longer the interval between audits, the more dwell time the organization is implicitly accepting before the next review could catch an intrusion.
- Perform incident-based reviews of OIP network communications when an incident within the organization meets defined networking or remote command-and-control conditions. Whether this is cost effective depends on how many incidents end up triggering audits under those conditions.
- Improve network controls by adopting security architectures such as Zero Trust Networking, which place controls upstream of command-and-control traffic (for example, by denying outbound connections that are not explicitly allowed rather than trying to spot malicious ones after the fact). This lowers risk not only for the SolarWinds breach but for many other threats, such as the all-too-prevalent ransomware campaigns targeting enterprises in 2021.
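As an added example (not code from the original article), the periodic-review option above could start as a script like this one. It scans constructed proxy log lines for OIP-style requests, skips destinations in the organization’s baselined allowlist, and flags the rest: a match on the public SUNBURST command-and-control domain `avsvmcloud.com` (from FireEye’s December 2020 report), a high-entropy first DNS label that looks algorithmically generated, or simply an unknown destination. The log format, host names, request paths, the `Orion-OIP` user-agent marker and the allowlist are all assumptions for the example; only the `avsvmcloud.com` suffix is a real indicator.

```python
"""Periodic audit of Orion Improvement Program (OIP)-style outbound traffic.

Added example for the article; the log format, hosts and allowlist are assumed.
"""
import math
from collections import Counter
from dataclasses import dataclass

# Constructed sample proxy log lines (not real traffic).
# Assumed format: timestamp src_host dst_host request_path user_agent
SAMPLE_PROXY_LOG = """\
2020-12-14T02:10:05Z orion01 telemetry.solarwinds.example /telemetry/upload SolarWinds/Orion-OIP
2020-12-14T02:10:41Z orion01 telemetry.solarwinds.example /telemetry/upload SolarWinds/Orion-OIP
2020-12-14T02:15:12Z orion01 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com /telemetry/upload SolarWinds/Orion-OIP
2020-12-14T02:16:40Z orion01 k3r9x2pqwz7m1bn4vt0h.cdn-sync.example /telemetry/upload SolarWinds/Orion-OIP
2020-12-14T02:17:09Z orion01 updates.vendor-cdn.example /telemetry/upload SolarWinds/Orion-OIP
2020-12-14T02:19:33Z orion01 www.example-news.example /index.html Mozilla/5.0
"""

# ASSUMPTION: placeholder for the legitimate OIP endpoint(s) an organization has baselined.
# Fill this from your own observed-good traffic, not from this example.
ALLOWED_OIP_HOSTS = {"telemetry.solarwinds.example"}

# Public SUNBURST command-and-control domain (FireEye, December 2020).
KNOWN_SUNBURST_C2_SUFFIX = "avsvmcloud.com"


@dataclass
class Finding:
    timestamp: str
    src_host: str
    dst_host: str
    reason: str


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(label: str, min_len: int = 15, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, high-entropy DNS labels resemble DGA output.
    Thresholds are assumptions; tune them against your own legitimate hostnames."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def audit_oip_traffic(log_text: str, allowed_hosts: set, ua_marker: str = "Orion-OIP") -> list:
    """Return findings for OIP-style requests that leave the allowlisted baseline."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; a real audit would count these too
        ts, src, dst, _path, ua = parts
        if ua_marker not in ua:
            continue  # not OIP-style traffic; outside this audit's scope
        host = dst.lower().rstrip(".")
        if host in allowed_hosts:
            continue  # baselined legitimate destination
        if host == KNOWN_SUNBURST_C2_SUFFIX or host.endswith("." + KNOWN_SUNBURST_C2_SUFFIX):
            findings.append(Finding(ts, src, host, "known SUNBURST C2 domain"))
        elif looks_like_dga(host.split(".")[0]):
            findings.append(Finding(ts, src, host, "DGA-like subdomain"))
        else:
            findings.append(Finding(ts, src, host, "OIP-style traffic to destination outside allowlist"))
    return findings


if __name__ == "__main__":
    for f in audit_oip_traffic(SAMPLE_PROXY_LOG, ALLOWED_OIP_HOSTS):
        print(f"{f.timestamp} {f.src_host} -> {f.dst_host}: {f.reason}")
```

The value of the script is the allowlist, not the indicator match: a known-bad domain would be caught by any threat-intelligence feed, but a baseline of where Orion is allowed to talk turns every other OIP-style destination into a question that someone has to answer at each review. How often that question gets asked is exactly the dwell-time trade-off described in the second option above.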
Connecting SolarWinds to risk management efforts can seem daunting, but as the example above shows, many options exist for addressing the risk of even this one TTP from the breach.
A comprehensive review of all TTPs by appropriate domain leaders, led by SecOps management, is essential to providing the best possible strategic vision, direction and priorities post-breach.
It is also important that leadership consider the security roadmap for maturity over the next one to three years, potentially adjusting priorities and timelines if accepted risk has changed during a strategic review of a breach.
Alternatively, organizations may choose to document and accept this risk in order to focus on other areas of need, such as endpoint protection.
While the SolarWinds breach will be analyzed, discussed and debated for years to come, let risk management guide you as you navigate your organization’s response and strategy in 2021.