Illusive Blog March 2, 2021

On SolarWinds, Collaboration and Getting Ahead of the Attackers

By Claire Trimble
Active Defense, Advanced Persistent Threats, Nation-State Attacks

The recent large-scale nation-state attack against US government agencies and private enterprises, often referred to as the “SolarWinds attack,” continues to attract news coverage and analysis as our understanding of it continues to evolve. Just last week, a hearing dedicated to the attack took place before the US Senate Intelligence Committee, with key government and cybersecurity leaders warning that “the ‘scope and scale’ of the operation were unclear, and that the attack might still be continuing.”

I was thrilled to moderate a cybersecurity panel discussion last week that used the SolarWinds attacks as a jumping-off point, and that included Admiral Mike Rogers, former director of the NSA and Operating Partner, Team8; Nadav Zafrir, former commander of IDF Unit 8200, where he established the IDF Cyber Command, and Managing Partner & Co-founder, Team8; Ann Johnson, Corporate Vice President Security, Compliance and Identity Business Development at Microsoft; and Ofer Israeli, CEO and Founder of Illusive.

I’d like to share a few of the topics we examined during the discussion, and what our panelists had to say. I also encourage you to view the full discussion on-demand at your convenience.

No One is Immune From Cyberattacks

We began by asking if companies that do not have the SolarWinds-affected Orion versions in their IT environment have to worry, and more importantly if there are general categories of organizations that do not have to consider cybersecurity as a top priority. The answer was an emphatic NO.

Ann Johnson – “Roughly 30% of entities that were attacked [as part of this nation-state attack] were attacked with methods other than SolarWinds, and those methods were standard attack methods. We saw password sprays, spear phishing attacks, brute force attacks. Any method the actor could use to compromise your on-premises environment and use that to navigate and elevate their privileges…was what they were looking to do…Every organization just needs to always assume that there’s someone in their environment.”

Mike Rogers – “It was always evident before, but COVID, to me, has…just blown up the perimeter for most organizations. So this idea that we’re all going to operate behind a central security stack with a well-defined perimeter, and that therefore increases the probability of successful defense. If you define defense as precluding penetration, I just think that’s a strategy with a pretty low success rate.

“And as a guy who was part of teams that both penetrated and defended networks for a living, boy, as an attacker, I loved it when the adversary assumed that we were never going to get inside. Because quite frankly, it just made life so much easier to achieve penetration.

“What you’re seeing in cyber is that no sector of business, no size of organization, no particular business model, and no particular business focus is immune from cyber activity.”

Deception and Active Defense

I asked Nadav if there is too much of an investment priority in preventing attackers from getting in, and not enough identifying and stopping attackers already inside the network.

Nadav Zafrir – “It’s ironic that we’re in 2021 and this is still an issue. And if you look at the statistics, I think even in investment in cybersecurity, we’re still more focused on preventative measures than detection measures. My answer is very simple. The perimeter is dead. We are highly interconnected and interdependent. That’s a fact of life.

“We must assume some level of compromise. And in order to deal with that, the first layer is awareness. Yes, there may be malicious actors, there may be bad actors within our environment all the time. In fact, there are. So the first level is acknowledging that, and starting to optimize our investments in security, not just on the preventative side, but also detection, resilience, recovery.”

“If we don’t have the ability to detect when it’s still relevant, we become historians. And this is our quest now. How do we create systems that can detect possible breaches within our environment at a cost and at a timing where it’s still relevant?”

“The reason that I’m so excited about Illusive is this. We used to say that from a nation state perspective, ‘the first date is always at my place.’

“What does that mean? If you’re a nation-state that has the means, you will always have the protective measures, the products that your victim will be using in your lab before you actually carry out the attack, for obvious reasons. If I can circumvent it in my lab, there’s a good chance that I can circumvent it at the target/victim…Deception specifically means that yes, you can have the first date in your place, but it’s not going to look the same once you’re the victim, because the deceptions are crafted in a way that they’re constantly changing in a contextual manner.

“And so it doesn’t matter if you know what I’m doing. The point is that you cannot rely on the data that you’re collecting at the victim’s network to be accurate and truthful. And that throws you off, the defender, the ability to detect within time with high fidelity.”

Ofer Israeli – “The homogeneous way that we go about things I think has just shown itself very clearly in the SolarWinds attack. We saw the attackers disabling all kinds of security tools, all kinds of things. They could anticipate, they could test it out in their environment. They knew how it worked. They knew how to circumvent it or bypass it.

“And to Nadav’s point, once it’s homogeneous, I can plan for them in advance and I can get myself ready for what I’m actually going to see in a real environment. If on the other hand, I know what some of the techniques are, but I don’t really know what data I’m going to be confronted with, it’s a very different animal. Every attack becomes a new attack. And back to imposing costs, well, that becomes very costly. It becomes very complicated for the attacker to figure out.”

“If we’re building our defenses relying on a priori knowledge, by definition, we’re behind the attackers. And they get to innovate, we need to play catch up. That’s a losing strategy. That does not work. And it doesn’t matter what we do. We can’t win that way. So we have to flip that thinking. We’ve got to take the lead here, otherwise we’re always trying to run behind them and we’ll never be there.”

Nation States and Cyber Criminals – The Lines Are Blurry

If I were to ask you who the bigger threat is – nation-state cyber armies or cybercrime groups – what would you say?

The truth is, it’s becoming more difficult to distinguish between them.

Nadav Zafrir – “The bad news is that the lines are blurring between nation-state and criminal. We do see actors specifically from this part of the world where it’s hard to distinguish, and sometimes a nation-state will piggyback on a criminal just so that if it is out in the open, they don’t have to take the blame for it…and so the lines are blurring completely. It’s almost to a point where trying to differentiate between nation-state, military, cybercriminals, private attackers is almost impossible. Everything is interconnected and interdependent.”

A Need for Collaboration and Integration

One of the observations about the SolarWinds attack shared by our panel was the need for more collaboration.

Ofer Israeli – “We have all of these pockets of information about what happened. Microsoft has a good view on it. FireEye, that was presented. CrowdStrike, they have done a lot of investigations. A point that came up time and again is, how do we collaborate and how do we really get all of this information available to all of us?

“So that as defenders, we know the attackers, they’re working well together. As the cyber defense industry, how are we able to share that information in a private way so that we can get a better understanding and can better use the forces of all of us to thwart these types of attacks?”

Ann Johnson – “I’ve been in security forever and it feels like, in the past 8-12 weeks, I’ve seen more collaboration in the industry, both competitors, public, private sector. There’s been more collaboration than I’ve seen probably in those 20-some years I’ve been in security…But I think it’s a really good point that in order for us to have a common defense for our customers and partners, and as an industry, we have to continue the momentum on collaboration and transparency and sharing everything we see.”

Mike Rogers – “I would argue collaboration is a positive, but it is not going to get us where we need to be. We need integration, not just collaboration. The thing that always frustrated me in the government on the defensive side was look, I don’t want the pain of the one to lead to the benefit of the many. And the way we do business right now, the pain of the one is repeated over and over and over again. The actors continue to use the same techniques and continue to have success.

“What you saw with SolarWinds, I thought was an interesting microcosm. So you get initial detection from the private sector, not the government. And I’m like, well, why aren’t we integrated with each other so we’re dealing with these challenges in real time, instead of we’re behind the power curve weeks and months after the initial penetration? We have got to get to the other side of this. And I just think collaboration is a positive, but I think integration really is the future. Much more of an integrated private sector and government approach to this.”

Claire Trimble is Chief Marketing Officer at Illusive.