CISO’s and C-level leaders around the world need to look at the exposure risk of sensitive data in their organizations when attackers can infiltrate and control its IT network like in the recent Solarwinds breach scenario. While dramatic and concerning, the compromise also creates the opportunity to engage in a new strategy for data security resilience. While no one solution can mitigate advanced threats from nation-states, a data-centric security approach does have powerful mitigating properties and offers both a strong last line of defense, and a first line of investment value to increased digital freedom in an untrusted world plagued by attackers. To be clear, nation-state level attacks of this nature and from such sophisticated attack networks are unstoppable. This amplifies the need to slow down such attackers with speed bumps wherever possible to buy time to react, or to redirect attackers to entities that are softer and easier to exploit.
A leading provider of network management solutions used by 300,000 enterprises has succumbed to a supply chain attack, allowing attackers to implant software used by at least 18,000 of the 300,000 enterprises. The attack includes government agencies, and the compromise originated from a nation state. The same group also attacked a core security provider in the days prior, releasing 300 potentially dangerous tools and cyber defense technology items that are now in attackers' hands.
This is now affecting organizations in multiple countries including the US, Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE. The extent of the blast zone is wide, and appears to be increasing as more is known and as more side effects are reported. The risk is this affects almost everyone. Even if enterprises do not use Orion, the Solarwinds’ tool, the consequential damage of exposed and exploitable defenses is a concern for everyone and the connectivity to impacted organizations across connected supply chains, attackers essentially have a roadmap for attack strategies like never before with unprecedented risk:
“Supply chain compromises will continue. They are extremely difficult to protect against, highlighting the need for security to be considered as part of the vendor selection process. Supply chain compromises do extend SaaS applications. Understand that your SaaS vendor does not have any magic process that makes it easier for them to detect these issues. They are every bit as vulnerable to software supply chain attacks” – Jake Williams, SANS.
Organizations using Orion software from provider Solarwinds may have compromised internal systems and networks, impacting the target enterprise, and possibly connected partners. The impact spans full system compromise and leakage of data, control over data processing infrastructure and theft of credentials for secondary attacks. The unknown extent of compromise due to the unique nature of the malware and sophistication of the attack elevates the risk further. Secondary and tertiary effects may be substantial, yet unpredictable in terms of data compromise threat.
How it happened
Software used by many organizations was compromised by attached malware at the manufacturer, and the package was digitally signed by a valid certificate, bypassing security controls during updates and downloads. The package is well established, with over a decade of use. The software updates installed the malware, enabling external penetration of internal networks. The software’s purpose was network infrastructure operations related, with a high degree of visibility into enterprise processing systems. Once installed, the package also camouflaged itself from detection and communication with command and control sites, evading traditional monitoring tools while data is exfiltrated.
Approximately 4 months; March 2020 to June 2020, possibly beyond with additional infrastructure compromises.
Defense strategy guidance to enterprises
This attack demonstrates yet another evolution in the threat landscape, to IT connected supply chains pervasive in today’s API-linked, cloud-delivered hybrid IT. It once again emphasizes the need for a multi-tiered defense strategy to mitigate the assumption that IT networks or cloud IT will be penetrated. This includes:
- Protections to limit live data theft to the maximum extent possible to avoid dependency on live data during day-to-day operations, and;
- To streamline visibility over data accesses for forensics should there be a breach
- To strictly and granularly control live data access on a secure, performant, but central basis.
- To ensure data shared with impacted third parties is not live information where non-live equivalents can be used (eg. for analysis or processing)
Specifically, with this best practice data-centric approach, live data attack, extraction and theft can be independently mitigated from traditional monitoring and perimeter controls to ensure IT resilience under compromised conditions. This utilizes modern data tokenization as extensively as possible on an enterprise basis, and aligns to strategies like Zero Trust.
Data tokenization has the goal of assuming an enterprise is already compromised by protecting sensitive structured data pervasively where live data was formerly used. Live data is replaced with operationally and functionally equivalent data elements that still enable application operations and analytics yet have no attack value. The outcome is that attacks and unauthorized data accesses are more difficult, detectable, and manageable versus the traditional controls bypassed in this attack.
Traditional data security controls, including data-at-rest encryption, are largely opaque to the level of compromise in this attack. The major shortcoming with traditional data at rest encryption, for example, is the data does not remain protected outside the location or resource that is encrypted, and becomes accessible to attackers with network access. Encryption is also binary. Data must be exposed for us by decryption, adding both complication, exposure, and overhead. Indeed, with data-at rest encryption, the endpoint also must retain operating keys in use to encrypt and decrypt, creating another exposure risk open to attack. Instead, an end-to-end approach is required whereby the data does not need “decryption” (aka detokenization), and data security is abstracted from the data store, IT service or application to compromise to distributed components yielding live data. Such an abstracted central service can also be shut down if unusual behavior is detected, limiting risk of authorized applications and processes which themselves have not yet been compromised with data access authority. Unusual activity outside the norm can also be more easily monitored versus distributed accesses where malware can hide in normal use patterns.
Data tokenization as a data-centric security strategy and its role as a breach defense:
Fundamentally, if an application that gains access to tokenized data is compromised and data stolen, then that data is worth nothing of value. As most data, including tokenized personal data elements, will be virtually indistinguishable from the live values they replace, attackers will have effectively only stolen ‘data decoys’ – tokens. Attackers would have tokens which are to all intents and purposes, real-looking but random, unrelated data. This also creates the opportunity to detect an unexpected data egress at this point, without actual risk of live data exposure, further strengthening existing security monitoring value.
What can enterprise security leadership do?
For enterprises concerned about future compromises, the good news is data tokenization in a modern context can be implemented rapidly to vulnerable systems, data stores, databases, structured files, and data lakes. Rather than protecting the containers that data lives in, the data itself is replaced. In contemporary implementations, this is handled by automated infrastructure-as-code models and transparent integration. Once deployed, no live data persists, and the reverse of this process to get back to authorized live data is strictly governed and secured centrally. This central system is easier to defend, monitor for behavior, and manage in a deeper more defensible enclave in the enterprise. The use of hardware security modules for physical protection also offers additional defenses and integrity over this process.
What if IT security itself is compromised?
Quite often attacks will go deeper into infrastructure, and attempt to manipulate security systems. In this case, according to Bruce Schneier, it appears attackers compromised 2FA systems by manipulating cookies to grant user level privilege, e.g. Database admin access. The outcome is any unprotected system with user access may be compromised for data theft. If such systems only operated on tokenized data, even credential theft would not yield live sensitive data. Indeed, with most tokenization implementations and a well-defined token design strategy, the only places where live data is exposed is at initial acquisition or entry (with a tokenize-only policy, not detokenize), and where data needs to be interchanged externally. All other systems can operate on tokens, and do not require any capacity to detokenize, effectively isolating them from risk – insider, malware, or attacker.
Unlike a distributed and unmanaged data protection strategy where encryption keys are distributed to endpoint for TLS, disk, data, or database encryption which is harder to defend by its very distributed nature, effective tokenization is a model where the conversion of data from live data to tokens and back is strictly controlled, managed, and monitored. This means risk, change and focus can be acute vs dilute.
What’s the takeaway?
The risk right now is the unknowns behind the extent of this attack to enterprises and their connected partners and suppliers. The takeaway is that enterprises around the world may have compromises allowing secondary attacks. If data is protected in a data-centric fashion, they are not exposed to the reverberation from this attack, and future similar attacks.
This, combined with the compromise of other defense tools as noted, puts enterprise to a new level of alert.
Enterprises should be scrutinizing monitoring platforms for evidence of leakage and compromise from this attack, but more importantly, preparing to mitigate the next one, which will come, with a pervasive data-centric approach.
Comforte is here to help, with a platform available immediately for utilization on an agile, cloud-ready and expedited basis to ensure on-going digital freedom in this increasingly, and well evidenced, untrusted world.