Imagine if nobody spoke up about either the SolarWinds supply chain compromise or the Microsoft Exchange Server vulnerabilities. Some of our government’s most deeply held secrets and valuable data and information from some very large customers of those companies could have been at stake.
Luckily, these vulnerabilities that, according to some reports, led to the compromise of tens of thousands of networks in both the public and private sector, were disclosed soon after they were discovered or soon after a patch was developed and released to vulnerable customers.
However, there is near-unanimous agreement within the IT industry that cybersecurity professionals need to do a better job of sharing information and piecing data together to better understand how cyberattacks are growing in frequency and sophistication.
The bad guys are better at sharing information
Cybercriminals and nation-state hacking groups are already ahead of the IT and cybersecurity industries when it comes to sharing information, as vulnerabilities and stolen information are frequently published on the dark web.
The most recent and obvious example of this is the Microsoft Exchange Server vulnerability, which was first leveraged by Hafnium, a nation-state hacking group from China, before ransomware operators and a host of other groups began attempting the same attack chain.
Even before Microsoft on March 2 disclosed the vulnerability and released security updates for vulnerable systems, other hacking groups were observed trying to copy Hafnium. In fact, the Wall Street Journal reported earlier this month that attacks not attributed to Hafnium began on Feb. 27, and four separate hacking groups began their attacks on Feb. 28.
“The bad guys share information really, really well,” says MJ Shoer, senior vice president and executive director of the CompTIA Information Sharing and Analysis Organization (ISAO). “Somebody leaked it into the dark web and now everybody and their grandmother is jumping on board with this.”
According to cybersecurity experts, attacks attempting to leverage those same vulnerabilities are skyrocketing as organizations struggle to apply security updates.
In a recent blog post, Antti Laatikainen, senior security consultant at cybersecurity company F-Secure, said cybercriminals are moving blazingly fast to compromise unsecured servers visible on the internet.
“Tens of thousands of servers have been hacked around the world,” Laatikainen wrote in the post. “They’re being hacked faster than we can count.”
Erich Kron, a security awareness advocate at security training company KnowBe4, cited statistics from defense contractor Booz Allen Hamilton that suggest average dwell time – the time a threat goes undetected on a victim’s network before the security team finds it – is between 200 and 250 days.
“With attackers’ average dwell times, the time from when they gain access to a system to the time they are discovered, running in the hundreds of days, any information that can lead to spotting them is incredibly valuable,” Kron says.
“By sharing security incident information, organizations can develop Indicators of Compromise (IoCs) that can help other organizations defend against current and future attacks.”
Congress could take action
After the SolarWinds breach, executives from that company, Microsoft and FireEye testified in front of the Senate Intelligence Committee about the attacks and how the U.S. needs to do a better job of being proactive.
At the Feb. 23 hearing, executives and lawmakers essentially agreed that the private sector needs to do a better job of sharing information about cyberattacks, and that starts with disclosing them in the first place.
According to The Washington Post, there are now several proposals being drafted by lawmakers that would mandate organizations to report cybersecurity breaches in a certain amount of time, with some of that responsibility being delegated to the Federal Trade Commission.
In his opening statement, Microsoft President Brad Smith called for the private sector to speak out and share information about attacks as they occur. He applauded FireEye, SolarWinds and other companies that came forward, but said they were the exception, as many others have not publicly said they were implicated in the SolarWinds compromise.
“It is important that the private sector speak out and share relevant information so that we can all respond to an incident rapidly and efficiently and learn from each incident how to be more resilient in the future,” Smith said. “If the industry continues to hide what we know, we cannot effectively defend ourselves.”
Smith said Microsoft’s contracts with federal agencies prevented the company from sharing information with any government entities other than its customers. SolarWinds CEO Sudhakar Ramakrishna echoed that sentiment, saying one government agency should be responsible for receiving and sharing that information.
Meanwhile, FireEye CEO Kevin Mandia suggested a confidential sharing solution could ensure a “consistent flow of two-way information sharing” between the government and private sector. He outlined several other ideas, including a federal disclosure program for both information sharing and breach notification.
This could not only help cybersecurity professionals and the government respond to attacks in a timely manner, but could also help encourage organizations everywhere to adopt recognized cybersecurity standards, Mandia said in his opening statement.
“Speed is critical to the effective disruption or mitigation of an attack by an advanced threat actor,” Mandia said. “However, challenges today prevent entities from sharing cyber threat intelligence.”
The barriers and how to eliminate them
According to the Post, this issue has plagued lawmakers – especially those in tune with national security issues – for more than a decade. The private sector has historically resisted legislating how, why, when – and even if – cybersecurity incidents are disclosed.
Some of those challenges identified by tech executives and others include public relations implications, reputational harm, fears over class action lawsuits, reduction in shareholder value and other concerns.
However, cybersecurity incidents are becoming so common that the stigma associated with such a breach is fading away, says Mark Brown, global managing director for cybersecurity and information resilience at BSI.
Now, the attention has turned to preserving brand reputation and trust in the aftermath of what is increasingly recognized as an inevitable risk of doing business.
“Any organization therefore failing to report a cyber breach in a timely manner, whilst it may fall foul of regulatory compliance burdens in reporting, is likely to face a much larger risk in preserving its brand integrity, should it be found to have been providing tarnished services to clients,” Brown says. “Such undeclared ‘breaches’ would therefore pose risks not just to the organization directly impacted but also to their clients, and consequently, years, if not decades of brand reputation building, could vanish in an instant if it was identified that an organization has deliberately avoided reporting the breach.”
However, not every organization has dedicated cybersecurity staff to look for signs of a compromise, and some even lack entry-level IT support.
Taking a blanket legislative approach may not be the best course of action as it could be too costly for small and medium-sized business owners, says Shoer of CompTIA.
“The government can regulate at the enterprise scale and large, mid-size scale very well, but I don’t know that the government can do it well at the SMB scale,” Shoer says.
Instead, he suggests a public-private partnership that is representative of businesses of all sizes – not just large enterprises.
Helping IT professionals better protect against these threats with proactive threat intelligence and analysis is exactly the mission of the ISAO, which Shoer says can help make a sizable dent in the impact of these large nation-state cyberattacks.
Shoer, whom we spoke to for expert commentary on both recent nation-state hacks, said in December, after the SolarWinds compromise was disclosed, that sharing information and disclosing attacks is much more important than protecting a company’s reputation.
“We can’t be holding our cards so close to the chest anymore, whether it’s for public relations reasons or perceived competitive reasons,” Shoer says. “We’ve got to make it known when we see something potentially malicious so everybody can be looking for that or similar behavior.”