Reflections on Security: Looking Back at 2021
As we exited a difficult 2020, we did so with lessons and learnings we were hoping would guide us better in 2021. There was a new focus towards a hybrid working environment that was also secure. This shift required a modernization of infrastructures, the adoption of new technologies, and innovative ways to automate, orchestrate, and reduce overall operating expenses. And for many IT and security professionals, there was a sigh of relief as budgets were reallocated and identity and security projects became prioritized. It should have been an amazing year of growth and expansion. But was it?
2021 did bring some benefits—new ways of thinking and invigorated approaches. But it also brought a firestorm of large cyberattacks that dominated mainstream news. These incidents emphasized the importance of having good security practices, with robust Identity Access Management (IAM) solutions in place. But many in the industry were mentally channeling Arthur Dent of The Hitchhiker's Guide to the Galaxy: “Would it save you a lot of time if I just gave up and went mad now?”
For those standing at the front lines of security, it’s important to look for the key lessons found in every incident—with an eye towards prevention in the years ahead.
Security controls are needed around access events
2021 started off with a major cybersecurity event in the form of the SolarWinds attack. Though it took place in late 2020, its effects continued into the new year and the following months. On December 13, SolarWinds disclosed that its Orion platform had been the victim of a highly sophisticated cyber intrusion. The two most important aspects of this attack were:
1. the exploitation of the supply chain, and
2. the subsequent breach of privileged accounts and SAML authentications to attack on-premises devices through cloud platforms.
And what were the core lessons from SolarWinds?
- Supply chains are easy access points that will continue to be vulnerable.
- If an attacker gains a foothold in a network, it’s critical we contain the blast radius and prevent lateral movement—thereby diminishing the effects of a successful attack.
- Hybrid networks are vulnerable. Attackers are targeting the junctures between legacy and modern environments, such as SAML federation between on-premises identity and cloud services.
The Kaseya attack was another big event that made headlines. Kaseya, an IT solutions developer, announced on 2 July that cybercriminals had leveraged a vulnerability in the organization’s VSA software—a security platform used by Managed Security Service Providers (MSPs) to secure small and medium-sized businesses. The attack triggered a cascade of events:
- Attackers entered the supply chain to infect thousands of MSP customers with REvil ransomware.
- This shut down their operations, putting many of them out of business for weeks.
- This forced Kaseya to shut down its SaaS servers.
- Kaseya had to recommend a shutdown of on-premises VSA servers for all of its customers.
In the end, a simple authentication vulnerability in the Kaseya VSA product allowed a chain of targeted, successful attacks against the initial MSPs.
From this incident, we learned that even security suppliers can be vulnerable to supply chain attacks. We now know it’s critical to ensure that no part of the network is exempt from strong policies, to apply the principle of least privilege, and to build defense in depth. Anything brought into the network should be treated as potentially dangerous, whether it's a download, an update, or a new connection. In essence, we need to adopt the Zero Trust strategy of “never trust, always verify”.
These breaches shone a spotlight on protecting the supply chain and applying the principle of least privilege to all systems and services. They also highlighted the importance of Zero Trust, user management solutions, and extending protections to legacy systems.
Old security models are no longer effective
Among the many cyberattacks that have occurred in the last six months, one of the biggest was the Colonial Pipeline attack, from which the North American East Coast is still feeling the effects. In April 2021, hackers entered the Colonial Pipeline Company through a legacy Virtual Private Network (VPN) system that had reused passwords, expired accounts, and no additional controls in place (i.e., no multi-factor authentication (MFA)). Once inside the network, the lack of additional defenses meant the attackers were able to deploy DarkSide ransomware across the operational side of the business—forcing the company to shut down and causing national fuel shortages.
Both Kaseya and Colonial exposed the rising scourge of ransomware-as-a-service. They demonstrated how incredibly devastating these types of attacks can be, as well as how simple their infiltration techniques are. Due to the increase in cyberattacks and the rising prevalence of ransomware, President Biden issued an executive order to improve federal cybersecurity, noting that agencies need to "lead by example." The order includes a shift to MFA, data encryption (both at rest and in transit), a Zero Trust security model, and improvements in endpoint protection and incident response.
Expect the unexpected
We would be remiss if we didn’t also acknowledge the 0-day vulnerabilities that are exploited in the wild and cause endless heartburn for the infosec community. According to Google’s own 0-day tracker, Google saw 58 zero-day attacks in the wild in 2021, compared with 26 in 2020 and 21 in 2019. The progression during the pandemic has been stark.
Events like the most recent Apache Log4j vulnerability have catapulted the importance of well-defined remediation policies and practices to the forefront. Organizations that responded quickly were able to keep up and mitigate the attacks in an adequate time. However, as detailed in this year’s Businesses at Work 2022 report, organizations that relied on more traditional approaches to vulnerability management did not.
This most recent event was a stark example of how a modern, managed cloud identity service allows for more rapid response in these situations, with less dependency on internal teams. Another downside of legacy solutions, particularly those built on open source components, is the lack of automation. For an already overworked set of security and IT professionals, management responsibilities should be centered on automated workflows. This is true regardless of the type of threat, and it is another reason that modernizing solutions should be a priority for security professionals in 2022.
So what does the future hold?
These cyber incidents remind us that the threat landscape is ever-changing, even as much of it stays the same. Ransomware is the new “smash and grab” of cybercrime, and social engineering continues to dominate as the vector of attack. While ransomware primarily exploits exposed infrastructure like RDP and weak passwords, phishing is absolutely one of the biggest risks to enterprises, especially when you consider financially motivated attacks.
While identity-based attacks, like phishing, remain the primary attack vector, one of our biggest opportunities moving forward is to stop viewing users as the weakest link—even though they’re undeniably the most vulnerable risk surface. Instead, let’s think of them as the “new security team,” equipping them with the proper tools (such as MFA and context-based access policies) and giving them the knowledge to be our first line of defense in combating future threats.
Is it time to just give up and pack it all in? Don’t Panic! Grab your towel and a Pan-Galactic Gargle Blaster, but we don’t have to wait seven and a half million years for the answer. Stay tuned for part 2 of this series, where we take these lessons and turn them into real actions in 2022.