In December 2020, the prominent U.S. cybersecurity firm FireEye, while investigating a breach of its own network, uncovered a far larger intrusion. Over an estimated period of eight months, foreign perpetrators had used SolarWinds, an American software company, to plant malicious code into the company's network management product, Orion. Delivered to customers as a legitimately signed software update, the code created a backdoor into customers' information technology systems, allowing the attackers to deploy additional malware and escalate their spying operations against thousands of U.S. companies and government agencies.
More than three months later, the Federal Bureau of Investigation and private cybersecurity firms still continue to uncover more malware related to the SolarWinds hack. The question at the center of this digital supply chain security fiasco is: how were so many key government agencies, high-profile technology corporations, and even top cybersecurity firms blindsided for so long?
Cybersecurity specialists will be quick to answer by pointing out that this hack was a complex, deceptive spying operation backed by a top-tier state actor on the U.S. adversary list; in other words, Russia. However, blaming the aggressor is not enough to understand what went wrong, especially in light of a second security incident involving Microsoft.
In early March 2021, Microsoft disclosed that attackers were exploiting previously unknown vulnerabilities in its on-premises Exchange Server software, allowing them to reach thousands of company and government mailboxes, read messages without authorization, and install unapproved software such as web shells for persistent access. Again, it was another "complex, deceptive spying operation backed by a state actor on the U.S. top-tier adversary list"; this time China appears to be behind it. Strictly speaking this was the exploitation of zero-day flaws in a vendor product rather than a tampered update, but for the organizations affected the lesson is the same: the software they depend on from outside is part of their attack surface.
As the saying goes: “Fool me once, shame on you. Fool me twice, shame on me.”
These two incidents expose a new reality: compliance with cybersecurity frameworks and regulations is clearly insufficient. Checking compliance boxes is a passive approach to cybersecurity risk management that only protects organizations against known threats and attack vectors. Regulations, standards, and cybersecurity governance frameworks should be understood as a baseline. Cybersecurity threats and vulnerabilities are multifaceted and ever evolving, so organizations need to move toward a more active strategy based on a holistic risk assessment. This active approach should include, but not be limited to, the following five components:
(1) Active Risk Communication
Communicating risk across the enterprise is a paramount feature of risk management. Organizations need to deploy continual reinforcement in their communications strategy, especially when addressing cybersecurity risk and change. The CISO must use multiple communication approaches, tools and techniques appropriate for the different audiences distributed across the enterprise. Finally, organizations need to plan and implement a workforce cybersecurity awareness campaign that allows risk to be communicated both top-down and bottom-up. It is worth noting that FireEye's detection of the SolarWinds hack began with an employee who reported a suspicious multi-factor authentication alert for a device enrolled on their account that they had not enrolled themselves; that report launched the internal incident investigation that uncovered the breach. The lesson is that the reporting path from an individual employee to the incident response team must be short and trusted.
(2) Active Cyber Defense
Organizations must conduct threat intelligence and threat hunting activities. Cybersecurity professionals should profile the adversaries relevant to them in cyberspace (hackers, organized crime, insiders, foreign states) and analyze the tactics, techniques and procedures they use to attack critical assets. From that profile, the organization should derive threat indicators, determine the potential implications for its existing information systems, and formulate advice on how to neutralize the threat or thwart the likely attacks. Once the intelligence part is done, the same professionals should gather data from the organization's diverse protection tools (endpoint, identity, network and cloud logs) to analyze events, detect malicious activity, and recommend countermeasures. Software that applies machine learning to this data is now available: anomaly detection can monitor networks and alert stakeholders when activity deviates from the learned baseline or resembles patterns seen in previous intrusions, and machine-learning antivirus classifies programs on learned features rather than on signature updates. These tools are an aid to the hunt, not a replacement for it: they produce false positives that analysts must triage, and a patient adversary can shape its activity to blend into normal traffic, as the SolarWinds backdoor was designed to do.
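As an added example (not code from the page's author or from any product), the following Python script shows the shape of such a hunt over authentication logs: it learns each user's normal devices and source addresses from a historical window, then flags new MFA device enrolments, logins from unseen devices, and source IPs on an indicator list, which is the kind of signal that surfaced the FireEye intrusion described in section (1). The JSON log schema, the sample events and the indicator list are all constructed for illustration and are not a real product's format or real indicators of compromise.

```python
"""Threat hunt over authentication logs.
Added example with constructed data: the JSON log schema, the sample events and
the indicator list are assumptions, not a real product's format or real IOCs."""
import json
from collections import defaultdict

# Constructed historical events: what "normal" looks like for each user.
BASELINE_LOGS = [
    '{"ts":"2020-10-01T08:02:11Z","user":"alice","event":"login","device":"alice-laptop","src_ip":"203.0.113.10"}',
    '{"ts":"2020-10-02T08:05:40Z","user":"alice","event":"login","device":"alice-laptop","src_ip":"203.0.113.10"}',
    '{"ts":"2020-10-01T09:11:03Z","user":"bob","event":"login","device":"bob-desktop","src_ip":"203.0.113.22"}',
    '{"ts":"2020-10-03T09:14:55Z","user":"bob","event":"mfa_enroll","device":"bob-phone","src_ip":"203.0.113.22"}',
]

# Constructed events to hunt through, including one malformed line.
NEW_LOGS = [
    '{"ts":"2020-12-07T03:41:09Z","user":"alice","event":"mfa_enroll","device":"unknown-android","src_ip":"198.51.100.77"}',
    '{"ts":"2020-12-07T03:42:30Z","user":"alice","event":"login","device":"unknown-android","src_ip":"198.51.100.77"}',
    '{"ts":"2020-12-07T08:00:00Z","user":"bob","event":"login","device":"bob-desktop","src_ip":"203.0.113.22"}',
    '{"ts":"2020-12-07T08:30:00Z","user":"bob","event":"login","device":"bob-desktop","src_ip":"192.0.2.200"}',
    'not json: a log forwarder hiccup must not abort the hunt',
]

# Constructed threat indicator list (documentation-range address, not a real IOC).
THREAT_INDICATORS = {"198.51.100.77"}

REQUIRED = {"ts", "user", "event", "device", "src_ip"}


def parse_events(lines):
    """Parse JSON log lines, dropping malformed or incomplete ones instead of crashing."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and REQUIRED.issubset(ev):
            events.append(ev)
    return events


def build_baseline(lines):
    """Learn the devices and source addresses each user has historically used."""
    devices, ips = defaultdict(set), defaultdict(set)
    for ev in parse_events(lines):
        devices[ev["user"]].add(ev["device"])
        ips[ev["user"]].add(ev["src_ip"])
    return devices, ips


def hunt(lines, baseline, indicators):
    """Return findings as (severity, user, reason, ts) tuples.

    An MFA enrolment from a device the user has never used is rated high: it is
    the move an intruder with stolen credentials makes to keep access."""
    devices, ips = baseline
    findings = []
    for ev in parse_events(lines):
        user, dev, ip = ev["user"], ev["device"], ev["src_ip"]
        reasons = []
        if ip in indicators:
            reasons.append(("high", f"source IP {ip} matches a threat indicator"))
        if ev["event"] == "mfa_enroll" and dev not in devices[user]:
            reasons.append(("high", f"MFA enrolment of unseen device {dev}"))
        elif dev not in devices[user]:
            reasons.append(("medium", f"{ev['event']} from unseen device {dev}"))
        if ip not in ips[user] and ip not in indicators:
            reasons.append(("low", f"{ev['event']} from unseen source IP {ip}"))
        findings.extend((sev, user, why, ev["ts"]) for sev, why in reasons)
    return findings


if __name__ == "__main__":
    for finding in hunt(NEW_LOGS, build_baseline(BASELINE_LOGS), THREAT_INDICATORS):
        print(*finding)
```

Run against the constructed events, the script rates alice's out-of-hours MFA enrolment from an unseen device at an indicator-listed address as high and bob's login from a new address as low; the baseline window itself produces no findings. In a real deployment the baseline would come from weeks of identity-provider logs and the indicator set from a curated feed, and the low-severity findings are where the false-positive triage the paragraph warns about happens.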
(3) Active Risk Assessment
First, cybersecurity risk assessment methodologies evolve constantly in response to new attack modus operandi, and these changes, like software patches, must be adopted as soon as they are published. For instance, the National Institute of Standards and Technology publishes guidance on information security testing and assessment methodologies (for example, NIST Special Publication 800-115), and guidance of this type is revised as the threat landscape and known vulnerabilities change. In terms of active risk assessment techniques, one of the best practices is the red team/blue team exercise, in which white hat hackers try to attack the organization's information systems (red team) while its cybersecurity specialists respond to the incidents (blue team). This type of exercise is beneficial at several levels: (1) discovery of unknown vulnerabilities; (2) learning new attack schemes; and (3) learning from mistakes made during incident response without facing the real-world consequences.
(4) Active Security in Development and Deployment Processes
An integral part of injecting security into processes is to integrate security solutions at the onset of the development and deployment cycle of new software and technology. DevSecOps was created in response to the security concerns generated by the DevOps timeline, in which security considerations were left until the very end of the software development cycle; the idea was to resolve security problems by addressing security at every stage. However, this approach was flawed because the security solutions were left in the hands of software developers, who were poorly equipped to address these issues (lack of tools and knowledge). A newer approach, SecDevOps, requires security to be at the forefront of every stage of the software development cycle by promoting secure coding and embedding security measures into the planning, analysis, design, and deployment stages in addition to the traditional implementation and testing stages. In addition, changes to application code are tied to security requirements enforced by the deployment procedures: in practice this means automated gates in the pipeline, such as dependency and code scanning on every change, signed and reproducible builds, and a block on deployment when a security requirement fails.
(5) Active Supply Chain Security
Finally, the SolarWinds and Microsoft incidents show how critical securing the digital supply chain is. Organizations must shift their security mindset from "trusted partners" to "trustworthy partners" and a zero trust approach. Relationships with external vendors and suppliers must be continuously reevaluated. Thorough due diligence must be applied periodically, and no one in the supply chain network should be trusted by default; each party should instead demonstrate its trustworthiness through evidence that the security requirements are actually met. A valid vendor signature is not such evidence on its own: the malicious Orion update was signed with SolarWinds' own certificate because the attackers had compromised the build process itself, so the evidence has to cover how the software is built, not only who shipped it. For instance, the Cybersecurity and Infrastructure Security Agency (CISA, part of DHS) provides a guide on how to establish and improve supply chain risk management across the enterprise. The document helps organizations establish standard operating procedures for conducting supply chain risk management, identifies best practices to ensure security, and explains how to build a culture of supply chain risk management through training.
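As an added example, not code from the page's author, from SolarWinds or from CISA, here is a Python deployment gate of the kind sections (4) and (5) call for: a vendor artifact is admitted only if its hash matches the value pinned at review time, the review is recent enough, and the artifact is byte-identical to one rebuilt independently from the vendor's published source. The artifact bytes, file name, hashes and the 90-day review window are constructed assumptions. The second scenario in the block is the important one: when the vendor's own build pipeline is compromised, the hash the vendor publishes matches the tampered file, so the pin and the signature both pass and only the independent rebuild comparison catches it.

```python
"""Deployment gate for a vendor-supplied software artifact.
Added example with constructed data: the artifact bytes, hashes, file name and
review window are assumptions, not a real vendor's release."""
import hashlib
from datetime import date, timedelta

# How long a completed vendor due-diligence result stays valid (assumption).
REVIEW_WINDOW = timedelta(days=90)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed vendor release, an independent rebuild of the same published
# source, and a tampered build with extra code injected on the vendor's build server.
VENDOR_ARTIFACT = b"vendor-agent 1.0\x00" + b"\x90" * 64
INDEPENDENT_REBUILD = bytes(VENDOR_ARTIFACT)
TAMPERED_ARTIFACT = VENDOR_ARTIFACT + b"\xcc" * 16

# Hash pinned by our own review of the clean release (constructed).
MANIFEST = {
    "vendor-agent-1.0.zip": {"sha256": sha256(VENDOR_ARTIFACT), "reviewed": date(2020, 11, 1)},
}
# What the manifest looks like if we pinned the hash a compromised vendor
# published: it matches the tampered file, so the pin alone proves nothing.
COMPROMISED_MANIFEST = {
    "vendor-agent-1.0.zip": {"sha256": sha256(TAMPERED_ARTIFACT), "reviewed": date(2020, 11, 1)},
}


def gate(name, artifact, rebuild, manifest, today):
    """Decide whether an artifact may be deployed.

    Returns (admit, reasons). Every failed check is reported, not just the
    first, so the reviewer sees the whole picture."""
    entry = manifest.get(name)
    if entry is None:
        return False, [f"{name}: no pinned hash, vendor release has not been reviewed"]
    reasons = []
    actual = sha256(artifact)
    if actual != entry["sha256"]:
        reasons.append("hash differs from the pinned value")
    if today - entry["reviewed"] > REVIEW_WINDOW:
        reasons.append("pin is older than the review window, repeat due diligence")
    if rebuild is None:
        reasons.append("no independent rebuild available to compare against")
    elif actual != sha256(rebuild):
        reasons.append("vendor binary does not match independent rebuild, possible build-pipeline tampering")
    return not reasons, reasons


if __name__ == "__main__":
    scenarios = [
        ("clean release, our pin", VENDOR_ARTIFACT, MANIFEST),
        ("tampered release, vendor-published pin", TAMPERED_ARTIFACT, COMPROMISED_MANIFEST),
    ]
    for label, artifact, manifest in scenarios:
        admit, why = gate("vendor-agent-1.0.zip", artifact, INDEPENDENT_REBUILD, manifest, date(2020, 12, 1))
        print(label, "->", "admit" if admit else "reject", why)
```

The rebuild step is the expensive part and is what makes the gate active rather than a checkbox: it requires the vendor to publish buildable source or a reproducible build recipe, which is itself one of the security requirements a trustworthy supplier can be asked to demonstrate.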
To conclude, it is also important to note that organizations cannot simply farm out their risks to external security firms. They must be active participants in their own cybersecurity risk management. If they are not, they will be the ones who suffer the dire consequences of their passiveness.