Black swan events are considered incidents with high impact and low frequency that are impossible to predict. Whether or not you consider them black swan cyber events, the SolarWinds attack and the Log4Shell exploit highlighted some of the key ways in which organizations can prepare themselves and prevent crises.
Here are three common misconceptions around prevention of such events.
Misconception No. 1: There's nothing we can do about zero days and supply-chain attacks.
One of the common misconceptions is that it's almost impossible to protect environments from critical zero-day vulnerabilities or supply-chain attacks, as they are highly stealthy and cannot be predicted. At best, this misconception will shift efforts toward enhancing the detection and response capabilities. At worst, it will promote a sense of helplessness when dealing with such events.
Contrary to common perception, these events are not the "unknown unknowns." Organizations can deploy and adjust their defenses strategically, often using their existing teams and security stack, and protect themselves from such attacks.
A simple yet powerful example is preventing egress Internet traffic from servers. Even though it may sound like a basic security practice, real-world experience demonstrates that it is not implemented even by relatively mature organizations.
Blocking servers from reaching out to the Internet prevents attacks (or dramatically slows attackers down) whenever the exploit depends on the server initiating a connection to the attacker's command-and-control infrastructure, whether through a reverse shell, malicious code in third-party software such as SolarWinds, or a vulnerability such as Log4Shell. The realization is that a basic security control can both stop the SolarWinds supply chain attack, one of the most sophisticated attacks in recent years, and mitigate the Log4Shell vulnerability, one of the most potent and ubiquitous vulnerabilities discovered recently.
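The control described above is only as good as the allow-list behind it, and the same allow-list that drives the firewall policy can be used to audit what servers are actually doing. The following is an added example, not code from the original article: a default-deny egress audit that reads constructed flow records, ignores workstations, and reports every server-initiated connection that is not covered by the allow-list. The server inventory, the allow-list entries and the flow log are all constructed; the external addresses use RFC 5737 documentation ranges.

```python
"""Audit server egress flows against a default-deny allow-list.

Added example, not from the original article. The flow-log format, the
server inventory and the allow-list below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: hosts that should never initiate Internet connections.
SERVERS = {"10.10.1.5": "web-01", "10.10.1.6": "app-01", "10.10.2.9": "build-01"}

# Constructed allow-list: the only outbound destinations servers legitimately need.
# Each entry: (network, destination port, or None for any port).
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.0.0.0/8"), None),     # internal networks
    (ipaddress.ip_network("192.0.2.10/32"), 443),   # patch mirror (RFC 5737 test address)
    (ipaddress.ip_network("192.0.2.53/32"), 53),    # corporate resolver
]

# Constructed flow records: "src_ip dst_ip dst_port proto". 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for arbitrary Internet hosts.
FLOW_LOG = """\
10.10.1.5 10.10.5.20 1433 tcp
10.10.1.5 192.0.2.10 443 tcp
10.10.1.6 198.51.100.7 389 tcp
10.10.1.6 198.51.100.7 443 tcp
10.10.2.9 203.0.113.44 8443 tcp
10.10.2.9 192.0.2.53 53 udp
10.10.9.1 203.0.113.44 443 tcp
"""


def is_allowed(dst_ip, dst_port):
    """True if the destination is covered by an allow-list entry."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and (port is None or port == dst_port)
               for net, port in EGRESS_ALLOW)


def audit_egress(flow_log):
    """Return {server_name: [(dst_ip, dst_port, proto), ...]} for disallowed flows.

    Only flows whose source is a known server are considered; workstation
    traffic is outside the scope of this control.
    """
    violations = defaultdict(list)
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        if src not in SERVERS:
            continue
        if not is_allowed(dst, int(port)):
            violations[SERVERS[src]].append((dst, int(port), proto))
    return dict(violations)


if __name__ == "__main__":
    for host, flows in audit_egress(FLOW_LOG).items():
        print(f"{host}: {len(flows)} disallowed egress flow(s)")
        for dst, port, proto in flows:
            print(f"  -> {dst}:{port}/{proto}")
```

Run against the sample log, web-01 is clean, app-01 shows two connections to an Internet host and build-01 one; those are the flows a default-deny egress policy would have blocked, and the hosts whose allow-list needs either tightening or an explicit, documented exception.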
Investigating and learning common tactics, techniques, and procedures (TTPs) and modus operandi of the latest breaches and exploits can provide organizations with valuable insights on how to improve and prioritize defenses in a way that will mitigate the use of future exploits.
Misconception No. 2: Once attackers infiltrate an environment, they will fully compromise it.
Another misconception is that these novel exploits will inevitably allow attackers to do more than just infiltrate the perimeter.
Targeted security enhancement initiatives can make the environment much more resilient to lateral movement and privilege escalation techniques, keeping attackers at bay and unable to leverage their initial foothold to reach core assets. This approach also gives defenders more time to detect and eliminate attacks in their early stages.
- Lateral movement: Microsegmentation is a daunting task. Many organizations procrastinate on implementing such projects as they require mapping all internal traffic, creating granular allow-lists of ports and hosts, buying expensive solutions, and investing crucial resources in deploying and then maintaining such environments. However, many of the advantages of microsegmentation can be achieved without going the full distance.
Restricting ingress traffic on interactive (e.g., RDP, SSH) and noninteractive (e.g., SMB, WinRM, RPC) management protocols with host-based firewall policies on both servers and workstations, and then limiting management traffic to specific dedicated segments or jump boxes, delivers the core value of microsegmentation.
While traffic on noninteractive management protocols toward servers is sometimes required for operational or application purposes, in many cases it is not required between workstations or between servers in the DMZ. Starting with a focused deny-list yields an immediate risk reduction and, over time, makes lateral movement within the network very challenging.
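The policy sketched in the two paragraphs above fits in a few dozen lines once the segments are named. The following is an added example, not code from the original article: it encodes "interactive management only from jump boxes" plus a deny-list for noninteractive management traffic between workstations and inside the DMZ, evaluates constructed connection attempts against it, and renders the rules a single host's firewall would need. The segment ranges, host addresses and deny-list pairs are constructed; the port numbers are the protocols' standard assignments; the rendered rule syntax is generic pseudo-syntax rather than any vendor's.

```python
"""Host-based firewall policy for management protocols, expressed as code.

Added example; it is not code from the original article. The segment
ranges and host addresses are constructed, the port numbers are the
protocols' standard ones, and the deny-list pairs are one reading of the
article's recommendation.
"""
import ipaddress

# Constructed segments (RFC 1918 space chosen for illustration).
SEGMENTS = {
    "jump": ipaddress.ip_network("10.10.100.0/24"),      # dedicated admin jump boxes
    "servers": ipaddress.ip_network("10.10.1.0/24"),
    "dmz": ipaddress.ip_network("10.10.50.0/24"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
}

# Management protocols by destination port (standard assignments).
INTERACTIVE = {22: "SSH", 3389: "RDP"}
NONINTERACTIVE = {135: "RPC", 445: "SMB", 5985: "WinRM", 5986: "WinRM over HTTPS"}

# Deny-list for noninteractive management traffic: segment pairs where it is
# not operationally required, so blocking them is a cheap first step.
NONINTERACTIVE_DENY_PAIRS = {
    ("workstations", "workstations"),  # workstation-to-workstation SMB/WinRM/RPC
    ("dmz", "dmz"),                    # server-to-server inside the DMZ
}


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def decide(src_ip, dst_ip, dst_port):
    """Return ("allow" | "deny", reason) for an inbound connection as seen
    by the destination host's firewall.

    Policy:
      * interactive protocols (RDP, SSH): only from the jump segment
      * noninteractive protocols (SMB, WinRM, RPC): blocked for the
        deny-listed segment pairs, allowed elsewhere for now
      * anything else is not management traffic and is outside this policy
    """
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)

    if dst_port in INTERACTIVE:
        name = INTERACTIVE[dst_port]
        if src_seg == "jump":
            return "allow", f"{name} from jump segment"
        return "deny", f"{name} only permitted from jump segment (source: {src_seg})"

    if dst_port in NONINTERACTIVE:
        name = NONINTERACTIVE[dst_port]
        if (src_seg, dst_seg) in NONINTERACTIVE_DENY_PAIRS:
            return "deny", f"{name} {src_seg} -> {dst_seg} is deny-listed"
        return "allow", f"{name} {src_seg} -> {dst_seg} not (yet) restricted"

    return "allow", "not a management protocol; outside this policy"


def render_host_rules(host_ip):
    """Render the policy as ordered rule strings for one host's firewall.
    Generic pseudo-syntax, not any vendor's rule language."""
    dst_seg = segment_of(host_ip)
    rules = []
    for port, name in INTERACTIVE.items():
        rules.append(f"allow in tcp dport {port} from {SEGMENTS['jump']}  # {name} via jump")
        rules.append(f"deny  in tcp dport {port} from any  # {name} from anywhere else")
    for port, name in NONINTERACTIVE.items():
        for src_seg, deny_dst in NONINTERACTIVE_DENY_PAIRS:
            if deny_dst == dst_seg:
                rules.append(f"deny  in tcp dport {port} from {SEGMENTS[src_seg]}  # {name} {src_seg}->{dst_seg}")
    return rules


# Constructed connection attempts: (source, destination, destination port).
SAMPLE_CONNECTIONS = [
    ("10.10.100.5", "10.10.1.20", 3389),  # admin jump box -> server, RDP
    ("10.20.3.7", "10.10.1.20", 3389),    # workstation -> server, RDP
    ("10.20.3.7", "10.20.3.8", 445),      # workstation -> workstation, SMB
    ("10.10.50.4", "10.10.50.5", 5985),   # DMZ server -> DMZ server, WinRM
    ("10.10.1.20", "10.10.1.21", 445),    # server -> server, SMB (operational)
    ("10.20.3.7", "10.10.1.20", 443),     # workstation -> server, HTTPS
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_CONNECTIONS:
        verdict, reason = decide(src, dst, port)
        print(f"{verdict:5} {src} -> {dst}:{port}  ({reason})")
    print("\nRules for a workstation:")
    for rule in render_host_rules("10.20.3.8"):
        print("  " + rule)
```

The server-to-server SMB attempt is deliberately allowed: that is the traffic the article notes may be operationally required, and the deny-list approach leaves it alone until the owners have mapped it. Tightening later means moving pairs from "not (yet) restricted" into the deny-list, or inverting the noninteractive branch into an allow-list once the mapping is complete.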
- Privilege escalation: One of the major challenges in reducing the risk of attacks materializing in the network is credential hygiene and the prevention of privilege escalation. Nevertheless, as with the approach above, focusing on high-value measures derived from real-world use of known and common TTPs provides significant value for defenders.
To achieve this, constantly search for exposed clear-text credentials, set long and complex passwords for service accounts, avoid using domain admin accounts for daily activities, and use built-in Microsoft security features such as Protected Users, LAPS (Local Administrator Password Solution), LSA Protection, and Credential Guard.
Credential hygiene issues were a major contributing factor in almost every attack that Sygnia responded to in the last couple of years. Securing privileged identities should be a top priority in any security road map for 2022.
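"Constantly search for exposed clear-text credentials" is the one item in the list above that lends itself to automation. The following is an added example, not code from the original article: a small scanner that runs a few credential patterns over script and configuration text, redacts what it finds so the report does not re-expose the secret, and flags short values for rotation. The sample file contents are constructed, the three regular expressions cover only common forms (connection strings, key=value pairs, `net use` with an inline password), and the 15-character threshold is an assumption standing in for the article's "long and complex" guidance.

```python
"""Scan scripts and configuration text for exposed clear-text credentials.

Added example; it is not code from the original article. The sample files
and their contents are constructed, the regular expressions cover a few
common forms only, and the 15-character length threshold is an assumption
standing in for the article's "long and complex" guidance.
"""
import re

# Constructed file contents keyed by made-up paths.
SAMPLE_FILES = {
    "scripts/backup.ps1": r"net use \\fileserver\share /user:CORP\svc_backup Winter2021!" + "\n",
    "app/web.config": '<add name="Db" connectionString="Server=db01;User Id=sa;Password=P@ssw0rd;" />\n',
    "deploy/env.sh": "export API_TOKEN=abcdef1234567890\nexport LOG_LEVEL=info\n",
    "docs/readme.txt": "Ask the service desk for the password policy.\n",
}

# (kind, pattern capturing the secret). Order matters: the first match wins per line.
PATTERNS = [
    ("connection-string", re.compile(r"Password=([^;\"']+)", re.I)),
    ("key-value", re.compile(r"(?:password|passwd|pwd|secret|token)\s*[=:]\s*([^\s;\"']+)", re.I)),
    ("net-use", re.compile(r"/user:\S+\s+(\S+)", re.I)),
]

SHORT_THRESHOLD = 15  # constructed: flag secrets shorter than this for rotation


def redact(secret):
    """Keep two characters so a finding can be recognized without re-exposing it."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(path, text):
    """Return one finding per line that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                secret = match.group(1)
                findings.append({
                    "path": path, "line": lineno, "kind": kind,
                    "secret": redact(secret), "short": len(secret) < SHORT_THRESHOLD,
                })
                break
    return findings


def scan_files(files):
    """Scan a {path: text} mapping and concatenate the findings in path order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        flag = " (short; rotate to a long random value)" if f["short"] else ""
        print(f'{f["path"]}:{f["line"]} {f["kind"]} {f["secret"]}{flag}')
```

The `docs/readme.txt` line shows why the key-value pattern insists on an `=` or `:` right after the keyword: prose that merely mentions passwords should not produce findings, or the report drowns in noise. In a real deployment the input would come from a repository or file-share crawl rather than an inline dictionary, and each finding would be paired with a rotation ticket for the affected account.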
Misconception No. 3: Patching is the only solution we have for novel vulnerabilities.
Often when a new vulnerability is published, the main (and sometimes the only) recommendation in numerous advisories is patching, as if patching were the only action organizations can take to contain the risk. Patching is crucial, but large enterprises can take time to fully understand their exposure and to apply patches in production environments. Occasionally, a few days after patching, new vulnerabilities are discovered by the security industry because of the attention the system or application is drawing. Patching will not always close every gap.
Understanding how the exploit is executed, and the dependencies it relies on in order to execute, is imperative when responding to such events. What may be considered only a workaround for the vulnerability can sometimes prove to be a lifesaver for organizations.
Leverage and Optimize Your Security Stack
Contrary to common belief, organizations can prevent or reduce the impact of novel exploits such as Log4Shell or highly sophisticated attacks like SolarWinds.
Organizations can achieve this by leveraging and optimizing their current security stack, implementing surgical hardening measures, and using built-in security features that can be turned on easily without additional spend.