At the end of 2020, one cybersecurity attack turned the security industry upside down.
What can we do to prevent this in the future? How can we better protect and prepare our organizations for an attack of this magnitude? How can we apply the lessons learned from another company’s cyber attack to improve our own education, defense and preparedness?
Here, we’ll step back and break down the attack (as much as we know) and determine what defense and preparation strategies your company may be able to implement.
The Attack (or what we know so far)
The story is constantly developing, and we are rapidly receiving news updates regarding the SolarWinds, FireEye and U.S. government breaches. Here’s what we know at this moment.
The attack involved threat actors compromising the infrastructure of SolarWinds, a company that produces a network and applications monitoring platform called Orion. The users affected most were those using the cloud-based version of the software, but it also impacted major government organizations and companies.
Threat actors gained the access needed to build and distribute malicious updates for the network monitoring product, and those updates were delivered to the software’s users through the normal update channel.
The incident highlights the severe impact software supply chain attacks can have, and the unfortunate reality that most organizations are largely unprepared to prevent or detect such a threat.
While much is still unknown, several countries and nation-states are being blamed for the attack. If it turns out to be part of cyber warfare and your organization is/was impacted, check your cybersecurity insurance policies for the exclusion clauses related to damages due to an “act of war.” This part of the story could be one of the most highly contested aspects of the attack for years to come.
The Defense and Preparation Needed
So, what could have been done to prevent this?
Well, not much (except understanding the threats to the supply chain—and yes, software development is a supply chain).
Who do we blame outside of the threat actors?
Well, no one, really.
But there are a few tactics that companies should employ to better their security posture and improve their technology environment. Below are a few classics to consider related to this type of attack.
Know Your Vendors
Vendor management is a large portion of technology controls, even though it has little to do with technology and more to do with awareness and understanding. Knowing who your vendors are can help determine if you are impacted by a globally acknowledged cyberattack or breach.
While many organizations rely on one person to remember all their third-party vendors, it’s solid practice to keep an updated log of:
- Who they are;
- What processes or activities they perform for you; and
- Who your contact is.
Also, performing a risk based due diligence of their involvement with your daily controls and processes will help you better understand (and be aware of) any shortcomings they have that you need to protect yourself against.
Making sure they perform the same due diligence on their own third parties (known as your fourth-party vendors) is also crucial. Many people will soon learn that their fourth- and fifth-party vendors may be overseas companies, or companies included on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list, with which you cannot do business.
Understand Your Cyber Liability Insurance Policies
Make sure you fully understand what is covered by your cyber liability insurance policy—and what isn’t covered.
Organizations can get into a messy situation when they expect an insurance policy will protect them completely or reimburse them should a threat actor be successful against their system or data. Cybersecurity insurance is there to help you if your controls and processes fail—not restore your system without you doing anything to help prevent the attack or breach.
Most cyber liability insurance policies have a section in the policy (or included in the underwriting process) that details the controls your organization should be performing should an attack occur. A condensed (and not all inclusive) list for most insurance companies is:
- A risk assessment process (internal and/or external);
- Security awareness training;
- Intrusion detection or prevention systems and processes;
- Incident response plans;
- Vendor management process; and
- Data backup procedures.
These controls demonstrate that your organization is meeting its own obligations under the insurance policy.
In addition, make sure all exclusion clauses are reviewed and understood before enacting the policy. This includes what costs are not reimbursable and when the policy is not valid (i.e., act of war clause).
This aspect should concern organizations impacted by the SolarWinds attack the most. If and when it is determined who was responsible, and if the attack is found to be part of a larger campaign or a potential pretext to cyber war (something we have never experienced), it could cause a broad invalidation of policies, or changes to future policies that drive up the cost of premiums to remove such a clause.
With attacks becoming larger in scale and actors getting more and more devious, the cyber liability insurance industry could become too large for anyone to handle or afford.
Testing Your Incident Response Plan
Update and test your incident response plan so that you can effectively respond to an actual attack when it happens.
In 2018, the AICPA, in connection with its guidance on SOC for Cybersecurity, issued its tenets of cybersecurity, one of which states that preparing your company’s response so that there is “as minimal disruption in your business as possible” is just as important as implementing controls to defend against these attacks and threat actors.
A solid incident response plan should consider all potential threats and risks to the organization. One plan can cover multiple threats, each with its own course of action should a cybersecurity event occur, and every organization should now update its documents to include a “software supply chain attack” scenario.
Testing the plan can be as simple as:
- a table-top exercise where all parties involved (including external consultants or vendors) would sit around a table (maybe virtual these days) and talk through who does what, in what order, and how to handle communications, issues and what can go wrong; or as complex as
- simulating the attack and responding accordingly in real time.
Both have their advantages and disadvantages, but something should be done to prepare your organization for all possible attacks and threat actors.
Protect Your Organization As Much As Possible Against Cyber Attacks
This attack proved that anyone is vulnerable, and no matter how much money you spend on protecting yourself, there is always risk that needs to be understood. No one person or organization, outside of the threat actors and possible nations involved in the aforementioned attack, is to blame for this attack occurring.
While human error and insider threats remain the largest threats to protect and defend against, knowing your vendors, understanding your risks, knowing where you can get assistance and preparing for the worst can go a long way toward keeping disruption to your operations and finances as small as possible.