Over the past week, the news has been dominated by details of the MOVEit data breach. In this mass attack, cybercriminals exploited a vulnerability in the MOVEit file transfer application – a tool used by thousands of organizations around the world to securely share files with colleagues or external parties. Or so they thought. So what went wrong?
What do we know?
The attack arose because bad actors were able to exploit a new and previously unknown vulnerability in the MOVEit file transfer tool – known as a zero-day attack. This led to an instance of MOVEit used by Zellis, a supplier of IT services for payroll and human resources departments, being compromised, along with data from its customers including the BBC, Boots, Aer Lingus, and Ofcom. And the attack is not just confined to the UK – organizations in Canada and the U.S. are also confirmed to have been impacted.
The Clop ransomware gang has claimed responsibility for the attack and is threatening to publish all stolen data from affected organizations by June 14 unless the companies pay a ransom. But aside from being discouraged by law enforcement agencies across the globe, paying ransoms only breeds more attacks. So, what can – and should – organizations be doing to protect themselves from similar attacks in the future?
What can we learn?
The attack is a good reminder of the risks posed by both the supply chain and software supply chain. Organizations often put too much implicit trust in their suppliers to safeguard and store sensitive data when outsourcing systems or functions like payroll. But if the supplier is attacked, organizations can quickly find themselves indirectly compromised.
In this case, Zellis clearly had developed a dependency on the MOVEit software – software with high-risk exposure because it is connected to the internet. However, the flaws behind zero-day attacks can be introduced at any point through a software update, and these updates are often accepted blindly or automatically.
5 steps to building resilience against attacks like MOVEit
Rigorous testing on all updates will never be feasible, so businesses must build resilience and fail-safes to ensure that any vulnerabilities do not cause any significant damage.
Below are the key steps that organizations should take to boost resilience:
1. Always assume breach
The first thing to learn from the MOVEit attack is that no organization is immune from cyberattacks. Ransomware is now the most common type of attack, so you must adopt an “assume breach” mindset whereby the focus is on breach containment rather than prevention to ensure ransomware is isolated at the point of entry.
2. Get the basics right
Secondly, do not neglect the basics. Most risk exposure comes from bad hygiene, bad process, and human error. Remember, defenders need to be right 100 percent of the time, but the attacker only needs to get it right 1 percent of the time to be successful, so there is no room for error.
Zero-day attacks always have – and always will – happen, yet too many businesses still are not getting the basics right. The best way to reduce risk is through the practice of good security hygiene and a defense-in-depth approach, which at a very minimum, means regular patching, limiting access to systems and services with known vulnerabilities, and imposing a strategy of least privilege.
3. Visibility is key
A critical step to building resilience is gaining visibility. Visibility allows you to understand what your normal looks like, so that when an unexpected connection happens, or you notice an unexpectedly high volume of data being transferred, you can detect it using existing SIEM (Security Information and Event Management) technologies and take action.
Visibility also enables you to understand the dependencies associated with that system and build up a picture of “known good.” Any organization impacted by the MOVEit breach needs visibility of all inbound and outbound connections to and from every system on which MOVEit is installed.
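As an added example (not from the original post and not Illumio's product code), the Python below runs the baseline-and-deviation logic described above over constructed flow records: it learns the known-good connections and daily outbound volume of a file-transfer host over a few days, then flags a previously unseen destination and an outlier outbound volume. Host names, addresses and byte counts are constructed for illustration.

```python
# Added example: learn "known good" from flow records, then flag deviations.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: a file-transfer host ("mft-01") talking to its
# usual partners on days 1-3, then a new destination and a huge transfer on day 4.
FLOWS = [
    {"day": 1, "src": "mft-01", "dst": "db-01", "dport": 1433, "bytes_out": 2_000_000},
    {"day": 1, "src": "mft-01", "dst": "partner-sftp.example", "dport": 22, "bytes_out": 40_000_000},
    {"day": 2, "src": "mft-01", "dst": "db-01", "dport": 1433, "bytes_out": 2_200_000},
    {"day": 2, "src": "mft-01", "dst": "partner-sftp.example", "dport": 22, "bytes_out": 38_000_000},
    {"day": 3, "src": "mft-01", "dst": "db-01", "dport": 1433, "bytes_out": 1_900_000},
    {"day": 3, "src": "mft-01", "dst": "partner-sftp.example", "dport": 22, "bytes_out": 41_000_000},
    {"day": 4, "src": "mft-01", "dst": "db-01", "dport": 1433, "bytes_out": 2_100_000},
    {"day": 4, "src": "mft-01", "dst": "203.0.113.77", "dport": 443, "bytes_out": 650_000_000},
]

def build_baseline(flows, learn_days):
    """Known-good (src, dst, dport) tuples and per-host daily outbound totals."""
    known = set()
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["day"] in learn_days:
            known.add((f["src"], f["dst"], f["dport"]))
            daily[f["src"]][f["day"]] += f["bytes_out"]
    return known, {host: list(d.values()) for host, d in daily.items()}

def detect(flows, known, daily_totals, day, sigma=3.0):
    """Alerts for connections outside the baseline and outlier daily volume."""
    alerts = []
    today = defaultdict(int)
    for f in flows:
        if f["day"] != day:
            continue
        today[f["src"]] += f["bytes_out"]
        if (f["src"], f["dst"], f["dport"]) not in known:
            alerts.append(("new_connection", f["src"], f["dst"], f["dport"]))
    for host, total in today.items():
        hist = daily_totals.get(host, [])
        # Volume alert: today's outbound total exceeds mean + sigma * stddev of history.
        if len(hist) >= 2 and total > mean(hist) + sigma * pstdev(hist):
            alerts.append(("volume_anomaly", host, total))
    return alerts

def run_example():
    known, totals = build_baseline(FLOWS, learn_days={1, 2, 3})
    return detect(FLOWS, known, totals, day=4)
```

In a real deployment the flow records would come from the SIEM or flow-log source rather than an inline list, and the learning window would be much longer than three days.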
4. Deploy a strategy of least-privilege access
For those areas where you have less control, such as your software supply chain, ensure you have good segmentation from the rest of your environment. Implement very restrictive allowlist policies that give the workload very little access to the rest of your network, limiting how much attackers can discover about the network and how far they can move laterally.
In the case of MOVEit specifically, apply allowlisting in front of the MOVEit workload to restrict access at the application and activity layer.
5. Ringfence high-value applications
Take steps to ringfence high-value applications that handle any intellectual property, non-public financial data, legal documents, or sensitive and personal information. Ringfencing shrinks the security perimeter from a subnet or VLAN to a single application. It provides the largest impact with the least amount of work, requiring only one line of security policy per application to close off 90 percent of the potential attack surface for east-west traffic movement.
How can Illumio Zero Trust Segmentation (ZTS) help?
Illumio ZTS makes it quick and easy to see your vulnerabilities and take simple steps to protect your organization. While Illumio ZTS cannot prevent a software supply chain attack, it can help you gain attack surface visibility, determine suspicious behavior, and contain the spread of breaches.
With Illumio ZTS you can:
Establish what "normal” or “expected” behavior looks like from and to any workload.
Identify any deviation from the acceptable norms (for example, a change in the volume of connections or data transferred, or new and unusual IPs or domains accessed).
Quickly isolate workloads until you have confidence in their status during an active attack.
Proactively restrict access to and from workloads to ensure that access outside what has been authorized by policy is not possible.
Building resilience against software and supply chain attacks
Hyperconnectivity has led to such rich, dense, and critical interdependencies that attackers know they can increase efficiency and profitability by compromising the software supply chain. As a result, businesses need to get a handle on their software supply chain fast, or risk similar breaches.
Still today, 99 percent of effort and budget in cybersecurity is spent on stopping bad things from happening (detection and remediation). Yet, companies could triple their cybersecurity budget and still have breaches.
Organizations must proactively strengthen resilience by always assuming breach and building in containment capabilities to limit the spread of an attack. This means adopting a risk-based approach focused around understanding the flow of data throughout the extended asset attack surface and separating key functions within the network to prevent breaches from spreading to reach critical assets.