There was another breach this week that made headlines – the breach of the US Treasury Department. This time it is assumed to be a supply chain attack through a SolarWinds Orion server. According to a FireEye blog post, the attack uses a trojanized plug-in that contains a backdoor for communication via HTTP to third-party servers. Once again – no zero day.
Because it is based on a server update and not an exploitable vulnerability, the issue would never be uncovered using penetration testing. The malware masquerades as legitimate SolarWinds activity and uses multiple obfuscated blocklists – making it very difficult to uncover using standard tools that look for behavior. It is also another example of why purple teams need credentials to be effective – the key to predicting the issue and preventing damage is understanding what happens after authentication – not finding an initial breach option.
The attack could have been prevented through good cyber hygiene based on actionable risk analysis. The key is that the risk analysis must be actionable – otherwise organizations face too many security alerts and suffer alert fatigue. Prioritization and actionability are key to effective cyber defense.
Lateral movement is key to risk prioritization and actionability. Cyber attacks without lateral movement are, to quote The Shawshank Redemption, a fart in the wind. The lateral movement may be based on a variety of techniques (e.g. vulnerabilities or credentials), but without it 90% of attacks will not cause damage (except denial of service). In this instance, if the attackers couldn’t “escape” from the breached Orion server, no real damage could be done. Deep modeling and analysis of lateral movement through attack paths using a business context (i.e. the business value of the confidentiality, integrity and availability (CIA) of reachable assets) is the best way to assess cyber risk in context and to provide actionable, prioritized recommendations.
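As an added illustration (not code from the original post), here is a minimal attack-path model of the kind this paragraph argues for: a constructed inventory of hosts with CIA business values and constructed lateral-movement edges, the business value reachable from the breached server, and each edge ranked by how much exposed value disappears when that edge is closed. All host names, values and conditions are invented for the example.

```python
from collections import deque

# Constructed inventory: business value of each asset's confidentiality,
# integrity and availability (1 = low, 5 = critical). Names are invented.
ASSETS = {
    "orion-server": {"C": 2, "I": 3, "A": 2},
    "domain-controller": {"C": 5, "I": 5, "A": 5},
    "file-server": {"C": 4, "I": 3, "A": 2},
    "hr-database": {"C": 5, "I": 4, "A": 3},
    "dev-workstation": {"C": 1, "I": 1, "A": 1},
}

# Constructed lateral-movement edges (source, destination, enabling condition):
# an attacker controlling `source` can move to `destination`.
MOVES = [
    ("orion-server", "domain-controller", "stored domain-admin credential"),
    ("orion-server", "file-server", "reused local-admin password"),
    ("domain-controller", "hr-database", "domain-admin access"),
    ("dev-workstation", "file-server", "writable SMB share"),
]

def reachable_assets(start, moves):
    """BFS over the edges; returns {asset: path} for every asset reachable from start."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, how in moves:
            if src == node and dst not in paths:
                paths[dst] = paths[node] + [f"-[{how}]->", dst]
                queue.append(dst)
    return paths

def exposed_value(start, moves):
    """Business value reachable from a compromised start, excluding start itself; 0 = no escape."""
    reached = reachable_assets(start, moves)
    return sum(sum(ASSETS[a].values()) for a in reached if a != start)

def prioritized_fixes(start, moves):
    """Rank each edge by how much exposed value vanishes if it is removed (best fix first)."""
    baseline = exposed_value(start, moves)
    ranking = []
    for edge in moves:
        gain = baseline - exposed_value(start, [m for m in moves if m != edge])
        if gain > 0:
            ranking.append((gain, edge))
    return sorted(ranking, reverse=True)

if __name__ == "__main__":
    print("exposed value:", exposed_value("orion-server", MOVES))
    for gain, (src, dst, how) in prioritized_fixes("orion-server", MOVES):
        print(f"-{gain:>2}  fix '{how}' ({src} -> {dst})")
```

With the constructed data, closing the stored domain-admin credential on the Orion server removes most of the exposed value, while the edge from the developer workstation never appears because it lies on no path from the breach.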