Don’t Want Another Sunburst? Start Thinking Like Your AdversariesPosted to Idaho National Laboratory in the Digital Utility Group
image credit: Canva.com
- Feb 5, 2021 11:22 am GMTFeb 4, 2021 11:42 pm GMT
- 562 views
It may not seem obvious, but state-on-state espionage, like many human endeavors, conforms to certain practical norms. With top tier cyber espionage, adversaries will predictably aim their attacks at the highest value, highest return targets. Depending on the mission objective, sometimes the targets are unique and distinct. But in the case of the Sunburst attack on SolarWinds’ Orion module, we witnessed a massive sweep operation that achieved nearly ubiquitous access and vacuumed up oceans of sensitive corporate and government data. It’s hard to be shocked by major cybersecurity lapses these days, but Sunburst compromises and losses appear to be many times larger than what we’ve seen in the past, and it may mark a turning point in awareness, if not action.
And it may prove to be more than espionage. If in the fullness of time, blueprints, process flow or design diagrams captured in the Sunburst raid help enable a cyber-physical attack on critical infrastructure, then this event could be a precursor to sabotage. Hopefully, this will not be the case.
There’s no question that massively horizontal threat surfaces – meaning products or components within products that are relied on by hundreds, thousands or even millions of organizations – are highly enticing to adversaries. Why? They offer the biggest bang-for-the-effort buck. The Windows operating system was and remains an attractive go-to target for all manner of attackers, not just nation-states. And anyone in a security position, namely your organization’s chief information security officer (CISO), should express concern when a single product or vendor is relied on across the entire federal government, within the U.S. military and at many Fortune 500 companies. SolarWinds, a software suite that helps organizations manage, monitor, and yes, secure their networks, was largely given unfettered access to network and system access control credentials. When attackers breached their security protocols, it affected nearly everyone.
It’s hard for experts versed in targeting and cyber risk analysis to understand why organizations continue to place so much unverified trust in products like this. Observation of this behavior is in large part what led to the development of a new approach to defense. While Idaho National Laboratory’s Consequence-driven Cyber-informed Engineering (CCE) methodology was initially conceived as a set of engineering-based defensive measures to thwart top tier cyber adversaries attempting to sabotage industrial processes within critical infrastructure, some of its core concepts apply to defending information technology environments, such as those compromised by Sunburst, as well. Achieving and maintaining robust cybersecurity defenses is one of the most challenging operational requirements in 2021, but thinking through the following questions will put you on a better path toward keeping your organization’s most essential networks, systems and data secure:
What are your digital crown jewels?
In other words, what matters most to you? What kind of losses are simply unacceptable from a strategic business or mission risk perspective? With finite resources, you can’t protect everything uniformly, so which systems or data simply must not be breached or lost? These are the things that the adversary wants.
What are the most proximate pathways to those jewels?
Those assets you identified in #1 … what do you currently do to protect them? Are you aware of all the ways an attacker might reach them? What extra steps have you taken to ensure they are as safe and secure as your organization needs them to be? Are you putting too much trust in any one product, system or defensive measure? One thing is for sure: adaptive, well-resourced, top tier adversaries likely already know the answers to these questions.
Who touches these systems?
The human element: You vet and trust your employees, but how much scrutiny and controls do you apply to human third parties to whom you give access like maintainers and partners? For things that matter most, the vetting and monitoring must be extreme.
The supply chain: The products and services that comprise and theoretically defend your IT environments. How demanding have you been of the suppliers – whether U.S. based or not – whose products or services might provide a skilled adversary a pathway to your crown jewels?
How much can be learned about your networks and systems from public sources?
You shouldn’t make it any easier for adversaries to learn about your environments, dependencies and vulnerabilities before they send malicious packets your way. Scrub your online materials and insist your partners, suppliers and customers do the same regarding anything that might shorten your adversary’s learning curve. And by assuming you’ve already been breached (a safe working assumption), adopt the perspective of your adversaries and ask: “What do we need to know and do, and where do we need to be in a system to achieve the disruptive or destructive effects our bosses seek?”
Are you storing operational technology credentials in IT systems?
If your environment is not an entirely IT operation and you have operational assets that are or support critical infrastructure, make sure you make the adversary’s job as difficult as possible by segmenting your networks. And by all means, DO NOT STORE authentication credentials for operational technology (OT) systems and networks in IT systems. With Sunburst’s penetration into OT still unknown, it doesn’t take an alarmist to know that it’s time for extra vigilance.
For more information on CCE, visit www.inl.gov/cce. The CCE methodology, its origins and best uses are described in detail in Countering Cyber Sabotage: Introducing Consequence-driven Cyber-informed Engineering, a book being published this month by CRC Press Taylor & Francis.
Andy Bochman is a senior grid strategist at Idaho National Laboratory and co-author of the book mentioned above. A Harvard graduate and former Air Force Academy instructor, Bochman is a leading expert in infrastructure security with more than 20 years of experience.