The truth is no organization is un-hackable. As John Chambers, former CEO of Cisco, and current CEO and founder of JC2 Ventures, stated several years ago, “There are two types of companies: those that have been hacked, and those who don't know they have been hacked.”
Those we thought would be hack-proof – like security vendors themselves – have proven that they too are vulnerable. A prominent cybersecurity company was an unlikely victim in the recent attack on the SolarWinds supply chain. The company typically reports on the hacks of others, not on themselves. Even though their own tools were stolen in the breach, those same tools helped to discover the hack.
Details that trickled out over the last six months reveals that Russian-backed hackers infiltrated countless networks and went about their operations undetected and unimpaired. Multiple departments of the US Government, from the US Treasury, Commerce, Energy and State Departments, as well as many additional government agencies and organizations were targeted in the hack.
If the US government and a cybersecurity company can fall prey to such invasive attacks, anyone and everyone is vulnerable.
The goal of most advanced attackers is to breach a datacenter via a vulnerable application, and then run their code instead of the legitimate application code.
Remote Code Execution Exploits
In the case of the SolarWinds hack, a popular product ironically installed to help large companies track network health, a remote code execution (RCE) exploit was used to infiltrate and deposit a backdoor into the well-protected SolarWinds software infrastructure. From there, the bad actors had access into the systems that housed thousands of users’ data in the SolarWinds supply chain.
The malware was distributed through a product update, via DLL injection. Victims believed their software updates proceeded normally with no idea they had been breached. Once inside, the cyber adversaries ferried data in and out at their leisure until they were caught more than a year later.
Thomas Bossert, former homeland security adviser, wrote in a New York Times column: “While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.”
So … What do we do about it?
Stop Doubling Down on Failed Strategies
All the usual advice still applies, such as educate and train users, protect your endpoints, your networks, utilize WAFs, firewalls, IPS, perimeter tools, etc. But the perimeter is so porous it might as well be an open door, and endless threat chasing is a losing game.
The next version of an attack that comes in tomorrow is not going to have the same signature that your AI tool requires currently because it’s likely not even going to be from the same group. Probabilistic, or behavioral modeling, entails a healthy amount of guesswork, which provides a lower accuracy of threat detection.
Patching Is a Trailing Response
Although it is an essential practice to patch vulnerabilities as soon as they arise, there are tens of thousands of vulnerabilities every year, a significant drain on any organization's time and resources. The US National Vulnerability Database tracked over 30,000 vulnerabilities in 2020. As a result, patching is a reactive and a trailing response.
Not to mention that most organizations are not privy to vulnerabilities that have not been discovered. Once a vulnerability has been discovered, it takes even more time for a patch to be created. Additionally, this reactive approach does not necessarily address third party software or legacy applications where patches may not even be available.
A Probabilistic Model Is Still Guesswork
Finally, trying to secure application workloads that run in a “black box” where you attempt to protect the code in production, and then look for clues afterwards on the SecOps side – is an incomplete and fundamentally reactive model that is being exploited by attackers.
Forensics machine learning that looks for anomalies in application or network behavior is also reactive and after-the-fact. Probabilistic behavior modeling is in the end – sophisticated guesswork before, between, and after – but not during actual execution. We need both an offensive and proactive strategy to compliment the defense.
Assume the Attackers Are Already Inside
At Virsec, we start with the assumption that the attackers are already inside the environment. Recent NIST guidelines implore organizations to do the same, because despite our best efforts, the title of this blog holds true.
Runtime Protection Is Pivotal
The battle has moved to runtime. Evasive attacks, such as fileless attacks, in-memory attacks, zero days, and remote code execution exploits are executing undetected at runtime. Many - if not all - of these exploits sail through traditional defenses, then corrupt and hijack the code of legitimate applications, software, and workloads. They're often transient and don’t leave evidence or clues behind.
Installing Application-Aware Workload Protection
Virsec Security Platform (VSP) approach to security is to protect the application itself, placing guardrails around its code as it executes during runtime. VSP automatically maps all acceptable files, processes, libraries, input, container images, and memory usage associated with all application workloads in any environment. This fully automated process ensures that any deviation from normal is instantly detected, treated as a threat, and blocked.
Even though new malware proliferates daily, VSP blocks the malware without any prior knowledge, signatures, heuristics, etc. because the source of truth is the original code itself.
The AppMap Defense
VSP is the only unified solution that safeguards the entire application surface in any environment, ensuring visibility and protection across the entire attack surface including all runtime components throughout host, memory, and web layers with control flow integrity.
Rather than trying to blacklist everything that is possibly bad, VSP patented AppMap® technology enforces good – ensuring that applications never get derailed, regardless of threats, vulnerabilities, or patch status for any application workload at runtime from the inside.
Continuous, Comprehensive Protection
With VSP installed, even hackers who have gained entry to a system cannot compromise or hijack the integrity of the applications, software, or workloads themselves.