Much has been written about the Sunburst attack, a supply chain attack using the SolarWinds Orion application. Many organizations are still diligently working to understand the potential exposure to their organization from this devastating attack. And many are starting to think about how they can get to a future state where the risk of these type of attacks are minimized. So how do you get your organization to address problems like this, and make preparations to better handle these types of attacks more effectively in the future?
Piecemeal Security Paradigm
Despite an increase in security investments, most organizations are experiencing longer threat dwell times within their security ecosystem — 280 days on average1. Why is that? A core challenge is that organizations often find themselves dealing with incompatible point solutions, delivering patchwork coverage for their environment and undermining any efforts to build effective cyber risk management. The telemetry data logged by each security tool often is analyzed in isolation — often lacking the fidelity to detect more subtle and hidden attacks. Then, the alerts generated are decided upon in isolation — often concluding too little malicious intent or risk exposure for teams to act quickly or at all due to limited resources. When teams act within this piecemeal security paradigm, too often response happens one control point at a time without efficient coordination – wasting time and often failing to complete defense against the breach.
Shatter the Piecemeal Security Paradigm
Cisco believes a platform approach will help build fortified defenses to deal with the ever more devastating threat landscape. Cisco SecureX is a cloud-native, built-in platform experience that gives your security infrastructure – Cisco and 3rd party solutions – a makeover from a series of disjointed solutions into a fully integrated defense that will liberate you from being stuck in the piecemeal security paradigm.
Our platform approach with SecureX will deliver the broadest Extended Detection and Response (XDR) capabilities to intelligently detect and confidently respond. And unlike others offering XDR solutions, SecureX offers turnkey interoperability with your infrastructure, including 3rd party security tools. From initial access to impact and the mitigations to execution, lateral movement, or exfiltration in between. Cisco can connect many layers of machine learning-enhanced analytics across multiple data sources to accurately identify malicious intent and risk exposure. Then, Cisco pinpoints the root cause by simplifying investigation with visual forensics and connecting playbook-driven automation across the most control points to reduce threat dwell time. This is how you shatter the piecemeal paradigm to become more effective in defending against attacks such as Sunburst.
Critical Building Blocks
SecureX is built into the Cisco Secure portfolio, so if you have Cisco Secure products, you are entitled to it. Let’s talk about some core control points that are critical to helping implement a strong defense.
- Cisco Secure Cloud Analytics: delivers critical network detection and response capabilities. One of the key capabilities is that it will help you quickly discover SolarWind Orion servers in your network. Once you have patched the servers, you will need to assess whether any malicious or suspicious activity has already taken place in your network. Secure Cloud Analytics is capable of detecting a range of suspicious activities that are commonly seen in an advanced cyberattack to steal data, like C&C connections, lateral movement, and data exfiltration. Now that you have searched for and identified potentially compromised servers and had a look at detections that alert on malicious behaviors in the network that might be associated with the attack, you can go ahead and define a set of actions that will further protect your organization, and also allow for an automated response.
- Cisco Secure Endpoint: Gain visibility into endpoints to locate Sunburst infected hosts, and our endpoint detection and response capabilities deliver insight into the “SolarWinds Supply Chain Attack” event notice to inform of the attack and provide retrospective detection alerts based on ongoing threat intelligence and hunting efforts. And customers that are using SecureX threat hunting will of course be notified where IOCs indicate the presence of the Sunburst backdoor. Additionally, you can assess exposure to Sunburst using Cisco Endpoint Security Analytics (CESA). Find out what endpoint accessed what domain, as well as what software processes and protocols were used, enables immediate visibility to what endpoints are exposed—for both on-net and off-net endpoints—within minutes.
- Cisco Umbrella: is a cloud-delivered security service that converges multiple functions in the cloud, blocks users from connecting to malicious, command & control domains, IPs, and URLs associated with this attack, whether users are on or off the corporate network. On December 18, 2020, Cisco Umbrella released an update to the threat reports providing visibility into threats you may have been exposed to over a given period of time and whether they are blocked or allowed. This specific update enables all customers to review the last 12 months of Umbrella DNS events for traffic that may indicate the presence of the SolarWinds Orion / Sunburst backdoor. The Umbrella team also provided instructions on how customers can use these new capabilities to quickly assess their environment.
- Cisco Secure Workload: assists in the identification of compromised assets and the application of network restrictions to control network traffic through central automation of distributed firewalls at the workload level. This flexible approach means a consistent firewall policy can be quickly applied to control inbound and outbound traffic at each workload without the need to re-architect the network or modify IP addressing and is compatible with any on-premises infrastructure or public cloud provider. It can identify compromised assets via three methods: (1) presence of installed package; (2) presence of running process (either name or hash); and (3) presence of loaded libraries (DLLs). Once compromised assets have been collated, network traffic can be restricted based on the least privilege model. In the current situation, it may be advised to provide zero privileges to all identified Orion Platform assets. In the future, as patched versions of Orion are deployed, privileges may be slightly increased, but only to cover the exact communications Orion requires for operation, and nothing more.
- Cisco Talos Incident Response: provides a full suite of proactive and emergency services to help you respond and recover from attacks. With this service, you will have access to the world’s largest threat intelligence and research group. Talos Incident Response is currently engaged and supporting many customers concerning Sunburst.
Simplify Incident Response
Despite good intentions, security investments without a platform approach too often leads to a piecemeal security paradigm that will not effectively defend against attacks such as Sunburst. True, control points such as Network Detection and Response, Endpoint Security, Firewall, etc., are important, but being able to effectively implement extended detection and control across these control points is critical.
With the Cisco Secure platform approach, you will be able to quickly pinpoint the root cause of an attack such as Sunburst by simplifying investigation with visual forensics and connecting playbook-driven automation across multiple control points to reduce threat dwell time. Explore our integrated approach to find out how you can identify and contain 70% more malicious intent and risk exposure with 85% less dwell time.
1. Source: Ponemon Institute research featured in IBM’s Cost of a Data Breach Report 2020
This blog was originally written by Joakim Lialis for Cisco Blogs.