With the recent SolarWinds SunBurst exploit, many security professionals are reassessing standard threat models and national cyber-defense strategies. For now, organizations and system owners must use the tools and resources available to mitigate the probability of being further exploited by supply chain attacks.
For those unfamiliar with Sunburst, the exploit compromised the product development cycle through a patch rather than just through the product’s security. All major applications require maintenance, and maintenance is accomplished through updates and patches. These patches correct previous flaws and close off previous vulnerabilities from attack. A supply chain attack exploits this dependency by inserting malicious code into updates and patches.
So how can organizations and system owners increase trust while still maintaining their own IT systems now? Enterprises can begin by rethinking their definition of access control, developing a patch management strategy that promotes research and testing, and monitoring their network for malicious behavior in collaboration with cyber threat intelligence.
Let’s start with three questions to develop trust: What is your definition of access control? How are you coordinating patching with security verification? And are you using cyber-threat intelligence to monitor your network?
What is Your Definition of Access Control?
From my perspective, most define access control as a process or procedure to restrict contact or usage to applications or information. The National Institute of Standards and Technology (NIST) defines access control as “procedures and controls that limit or detect access to critical information resources. This can be accomplished through software, biometrics devices or physical access to a controlled space” (NIST 800-192). NIST’s definition focuses on who rather than what has access, and it hinders our thinking of what enterprises and system owners can do to better safeguard the network. A better concept of access control would include anything that uses an IT system or interfaces with the network. Defining access control this way more broadly compels enterprises and system owners to review the hardware and software they use rather than how they restrict user access to them. If you do not know what is on your network, the probability you can be exploited from a supply chain attack is amplified.
Redefining access control more broadly appropriately considers the vendor. Vendor reputations and their software assurance program are necessary to combat these attacks. Enterprises should also consider automating account reviews to allow organizations to compare and analyze user access between time periods; this enables system owners to identify discrepancies and monitor behavior for anomalies quickly. By understanding all the access points and regularly reviewing access, organizations can consider all the threat vectors to their assets.
How Are You Coordinating Patching With Security Testing?
Organizations can help system owners coordinate how they’ll patch and update software for all the major operating systems with time planned for testing critical assets. One simple mitigation is evaluating patches or updates to the systems identified from a crown jewel analysis (CJA). A CJA “is a process for identifying those cyber-assets that are most critical to the accomplishment of an organization’s mission.” The information from these assessments can be shared to aid risk identification and response. Without planning at the enterprise level, the most valuable systems and critical infrastructure lose prioritization. System owners who do not have an enterprise patch management strategy to follow can at least harden their attack surface by tiering patches at the system level. These tiers could be based on anything that supports the systems’ mission. Two examples could be patching based on the host or vendor. This methodical approach would allow organizations to maintain their IT systems and enable further research and testing.
Are You Hunting with Cyber-Threat Intelligence to Monitor Your Network?
One lesson from SolarWinds is the need for proactive threat sharing. Enterprises can stay alert by prioritizing the security operations center (SOC) and consuming progressive cyber-threat intelligence. One approach is to use advanced threat hunting to find the alerts that SIEMs are not able to provide for supply chain attacks. Cyber Threat Analysis Cells (CTAC) should be analyzing networks based on cyber-threat intelligence to provide defense across the entire cyber-attack life cycle. If organizations do not have the resources to build their own CTAC or SOC, organizations can outsource these operations to save money. Equipped with intelligence and engaging partners, organizations can more effectively identify and respond to incidents.
Asking these three questions can help assess your current cybersecurity plan and consider other steps that can be taken to better protect your assets. There are tools and strategies organizations can adopt now to mitigate against supply chain attacks. By restricting access, monitoring the network based on threat intelligence feeds, and securing trust in your patch management strategy, the adversary’s dwell time and ability to successfully exploit your system are reduced.
Disclaimer: This article was prepared by the author in his/her personal capacity. The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy, opinion, or position of their employer.