When Is the Right Time to Assume Compromise?
Many organizations right now are facing a major security challenge in the form of a global state-sponsored campaign to penetrate their networks, steal sensitive data, and potentially do other damage.
One of the main attack vectors is compromised software updates to the SolarWinds Orion product. The latest advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) warns they are also investigating “TTPs consistent with this activity [in organizations where] victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”
The Orion compromises are the latest reminder of an enduring challenge in information security, which is the simple but difficult discipline of remaining vigilant over long periods of time in which threatening activity isn’t apparent. The principle that large organizations should “assume compromise”—that is, always actively look for and seek to disrupt potential threats—has been around for a very long time. But sustaining that practice is hard.
Should Have, Could Have
I suspect at this moment many agencies and companies affected by the SolarWinds compromise are wishing they’d thought more carefully about what it means to assume compromise. Their network monitoring tool was updated with a trojanized DLL and they are struggling to understand the scope and consequences. CISA’s alert says, “removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
Assuming compromise requires comprehensive detection, response, and recovery tools. At this point, many security teams are keenly aware of whether or not they have those capabilities. They are scrambling to determine the scope of affected systems, contain and remediate them, and hunt down any unauthorized actors on the network. This is where comprehensive visibility into current and historical events on endpoints, combined with flexible detection, proves its value.
Always Stay Vigilant
Nuix Adaptive Security delivers this, giving organizations the ability to quickly detect, respond, and recover when something of this magnitude comes to light.
A few weeks ago, we posted a video on responding to APT-related threat intelligence. If you’d like to see how Nuix Adaptive Security could specifically help if it was installed at the time of compromise, or was being used post-compromise, you can find that here. In a separate article, I also go more in depth into responding to this specific compromise using Nuix Adaptive Security.
The SolarWinds compromise drives home, once again, the importance of continued vigilance. Sometime from now, perhaps in a few months, perhaps in several years, security teams will receive another stark reminder to “assume compromise.” I believe those armed with strong internal detection and response capabilities will be thankful they did so before the alerts from DHS started coming in.