In the past week, we learned that both FireEye and SolarWinds were breached. These two breaches are significant because of the companies targeted and the service/products they sell to the industry. Both of these large companies being breached prove once again that anyone can be hacked. The days of only investing in preventive controls to stop an attack are a thing of the past. As an industry we have evolved and must invest in detective controls for when the inevitable occurs.
FireEye is a well-known cybersecurity company with an incident response and cyber threat intelligence team we leverage at SCYTHE for building adversary emulation plans. They also sell products and services to prevent and detect breaches. SolarWinds is a network monitoring company that is used by many organizations to monitor system performance, asset discovery and management, and resilience. This breach was different with more collateral damage because an update for SolarWinds, installed in customer environments, has a backdoor known as Sunburst. This means thousands of other organizations may be compromised as well.
Bryson Bort, SCYTHE CEO, spoke with Business Insider, "The potential impact is gargantuan. We probably won't know for a couple of months. This is a perfect example of supply chain vulnerability, Your vendor's risks are now your risks."
Operating under the assumed breach paradigm means that your company knows that attackers will break through the defenses and eventually gain access to a system in your network. As an example, FireEye’s breach involved red team tools being stolen. Most of the Red Team tools that were stolen from FireEye appear to be post-exploitation tools (tools used after gaining initial access). This is a further call to arms that we need to focus on detecting malicious activity in our network to then respond to incidents.
In the below video you will see one of our Board of Directors, Dmitri Alperovitch, talking about the SolarWinds breach and operating under assumed breach for a RSAC interview.
Understanding your organization and your threat model are the first couple CIS Critical Security Controls. These are the basics that every organization should know. Culturally, know that any of your assets may be compromised and consider how you would be able to detect if that is the case. A great way to test your assumptions is through adversary emulation. Understanding your organization and the adversaries that have the capability, intent, and opportunity to attack will set you up for a high value red team engagement or purple team exercise.
Defenders should be able to test, measure, and improve people, process, and technology. Threat Detection is hard and is not only about technology, as Anton Chuvakin blogged. It requires logging, alerting, and responding. Those three items require people, process, and technology. Seeing an attack occur provides significant training to your defenders, much more than reading a cyber threat intelligence report. The ability to consistently and reliably emulate the known adversary behaviors allows for security controls to be tuned and validated that they are detecting the behaviors. Lastly, testing the response process brings the people and technology together to bring the most value for your organization’s preparedness.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.