Earlier this year, thousands of organizations were hit by what is being considered one of the largest hacks of the year: the exploitation of Progress Software’s MOVEit Transfer tool.
The breach has impacted organizations globally, including more than 60 million individuals, with those numbers likely to continue to rise. In fact, just last week, another U.S. organization announced that the attack impacted 55 of their healthcare practices across more than 20 states. Threat actors compromised sensitive patient information, such as Social Security numbers, birth dates, and medical records.
It’s fair to say the damage has been extensive and affected every vertical market globally — and the CLOP ransomware group is at the center of it. With an estimated $100 million in earnings for the group, it’s easy to see why these threats continue to occur.
In this post, I’ll explain why comprehensive application visibility is essential to prepare for zero-day exploits like MOVEit and how Illumio can help.
Proactive security measures buy more time during an attack
In a previous post on the MOVEit attacks, my colleague Raghu Nandakumara provided lessons and recommendations in the fallout of this breach. One of these recommendations was to get the basics right, including regular patching and limiting access. It goes without saying that these best practices should be adhered to.
But what about when there is no patch ready?
Your currency becomes time — and those who have prepared for these scenarios will find themselves with deeper pockets or, in this example, more time. A resilient architecture built around visibility will deliver quicker response times and provide the currency required to reduce the impact.
Attack preparation and remediation require complete application visibility
Zero-day exploits like MOVEit are inevitable in this modern age of technology. How you prepare for these events is critical to remaining resilient and ensuring you protect your data.
A Zero Trust mindset should now be considered mandatory and, therefore, all application flows should be understood and evaluated.
Remediation can only be successfully achieved when the true footprint of an attack is understood. This leads to perhaps the most critical of Raghu’s recommendations: visibility is key.
3 ways Illumio provides visibility to prepare for zero-day exploits
The disruption to commerce and operations the MOVEit breach has caused demonstrates the extreme importance of application visibility within our business.
Here are three ways Illumio makes getting complete visibility easy. You can be confident that MOVEit or an attack like it will be a minor security incident rather than a catastrophe for your organization.
1. See security risk with application dependency mapping
Using application language to identify and classify your risk brings control back into the business. Exploits occur at the workload in attacks like MOVEit, making visibility especially important.
Decoupling your security from the network and anchoring it to the target gives security teams the intelligence required to reduce the impact of these severe breaches. This is where Illumio’s labelling model helps organizations visualize their risk and build resilience.
Tools like MOVEit may be critical to your organization's supply chain. Whether they’re being used via cloud services or deployed on-premises, Illumio’s risk-based visibility map delivers insight into the footprint of these types of applications, allowing the business to understand its exposure and eradicate blind spots.
2. Quickly understand real-time communication flows with application-centric labelling
Application-centric visibility means you can quickly query your environment to visualize the risk using Illumio's application-centric labelling. This information allows security and IR teams to co-ordinate mitigation, reduce exposure, and accelerate the speed of recovery.
In the example below of Illumio's application-centric labelling, a simple query with the Finance application label as Source and the MOVEit Gateway label as Destination displays the real-time flows between them.
3. Take action on security risk with a dynamic Zero Trust Segmentation policy model
Leveraging Illumio’s labels then delivers insight into what applications and environments consume these flows.
With this information, security teams can take appropriate action on the most high-risk resources using Illumio’s dynamic policy model to isolate or quarantine infected hosts. This ensures other assets are not compromised.
In the example below, Illumio Zero Trust Segmentation is blocking the flow upstream to the MOVEit Gateway.
In an active breach, Illumio is used in parallel to detection and response tools, leveraging visibility and segmentation to isolate infected assets and restore disrupted business lines.
When integrated into your security framework, these tasks can be automated via runbooks to execute a series of conditions to reduce the impact and speed up the overall response process — even if the attacker is still present.
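As an added illustration of the two steps above (query flows by application label, then apply a label-based default-deny policy and a quarantine), here is a constructed Python model. It is not Illumio's code or API; the workload inventory, flow records, and rule format are all assumptions made up for the example.

```python
# Constructed workload inventory: labels are attached to the workload,
# not to its address, so queries and rules survive re-addressing.
WORKLOADS = {
    "10.1.0.5": {"app": "Finance", "env": "prod", "role": "web"},
    "10.1.0.6": {"app": "Finance", "env": "prod", "role": "db"},
    "10.2.0.9": {"app": "MOVEit Gateway", "env": "prod", "role": "transfer"},
    "10.3.0.4": {"app": "HR", "env": "prod", "role": "web"},
}

# Constructed flow records (src_ip, dst_ip, dst_port) as a traffic sensor might report them.
FLOWS = [
    ("10.1.0.5", "10.2.0.9", 443),   # Finance web -> MOVEit Gateway
    ("10.1.0.6", "10.2.0.9", 443),   # Finance db  -> MOVEit Gateway
    ("10.3.0.4", "10.2.0.9", 443),   # HR web      -> MOVEit Gateway
    ("10.1.0.5", "10.1.0.6", 5432),  # Finance web -> Finance db
]

# Allowlist written purely in label terms: (source selector, destination selector, ports).
RULES = [
    ({"app": "Finance", "role": "web"}, {"app": "MOVEit Gateway"}, {443}),
    ({"app": "Finance", "role": "web"}, {"app": "Finance", "role": "db"}, {5432}),
]


def matches(labels, selector):
    """True when every key in the selector equals the workload's label value."""
    return all(labels.get(k) == v for k, v in selector.items())


def query_flows(flows, src_sel, dst_sel):
    """Visibility query: return flows whose endpoints carry the given labels."""
    return [f for f in flows
            if matches(WORKLOADS[f[0]], src_sel) and matches(WORKLOADS[f[1]], dst_sel)]


def evaluate(flow, rules, quarantined=frozenset()):
    """Default-deny: allow only if a rule matches and neither endpoint is quarantined."""
    src, dst, port = flow
    if src in quarantined or dst in quarantined:
        return "blocked"
    for src_sel, dst_sel, ports in rules:
        if matches(WORKLOADS[src], src_sel) and matches(WORKLOADS[dst], dst_sel) and port in ports:
            return "allowed"
    return "blocked"


def verdicts(flows, rules, quarantined=frozenset()):
    """Map each flow to its policy verdict; used to preview a quarantine's effect."""
    return {f: evaluate(f, rules, quarantined) for f in flows}
```

Quarantining the gateway address blocks every flow to it, including the otherwise-allowed upstream Finance flow, while unrelated Finance traffic keeps working.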
What’s the future of MOVEit? Proactively prepare with visibility
As of late September 2023, further CVEs (Common Vulnerabilities and Exposures) have been discovered within Progress Software’s WS_FTP modules. These new discoveries require immediate remediation, as several are critical.
A robust security framework requires an integrated approach. Layering Illumio’s vulnerability maps on top of risk-based visibility displays the potential pathways attackers can exploit. Vulnerability management integration empowers security teams to apply segmentation policies to control the impact and provides actionable intelligence during recovery.
Post-breach analysis can then occur once forensics are understood, and segmentation is then used to further harden critical applications.
It's important to note the recommendations in this post align with CISA’s Zero Trust Maturity Model. In fact, they go beyond the traditional and initial recommended controls to align with the advanced and optimal principles. Adopting these controls has never been easier with Illumio Zero Trust Segmentation.
Want to learn more about getting end-to-end application visibility? Contact us today for a free consultation and demo.