The SolarWinds attack discovered near the end of last year shook the cybersecurity community. The tactics that enabled its success will undoubtedly be copied, but there are things businesses can do to protect themselves and their users from the most severe consequences of a breach like this. That's why, in this series, we're offering some tips for defending against the next attack targeting IT supply chains.
Even the best threat intelligence feeds can be easily undermined by unwise policy configurations. When threat warnings are ignored for whatever reason – convenience, overconfidence, insufficient attention – administrators essentially help attackers overcome an initial layer of defense. That's why our second piece of advice for limiting the damage caused by supply chain attacks deals with policy configurations.
Ensure policy settings are up to date
Once the fundamentals are in place, it's also critical that policies are enabled and configured properly to take full advantage of the threat intelligence. "Proper" policy configuration can refer to a range of admin features spanning internal access permissions, automatic patching and periodic forced password resets. But for our purposes, we'll focus on the permissions that govern how information relayed by threat intelligence feeds is acted on.
The Webroot Platform analyzes and correlates data to create predictive risk scores that fall into one of five rating bands ranging from trustworthy to malicious according to the BrightCloud IP Reputation Index. This score is calculated using the likelihood that an actor, even if previously unknown, is malicious based on its associations with other URLs, IPs, files and mobile apps. Numerically lower scores indicate IPs that are more likely to be or become dangerous and are monitored at a greater frequency than trustworthy IPs.
These reputation tiers can be used to fine tune security settings based on risk tolerance, and proactively prevent attacks by limiting the risk of user exposure to malicious IP addresses. Setting policies based on this type of intelligence allows for dramatic improvements in security efficacy and efficiency, as the time required to identify IP threats is drastically reduced, making way for more proactive threat decisions.
As we've mentioned before, in the SolarWinds attack, seven of the IP addresses used in the campaign had been identified by Webroot BrightCloud Threat Intelligence as botnet infrastructure months prior to the discovery of the attack. Accordingly, they were marked as high-risk with fairly low reputation scores. But if the policy threshold were configured to allow users to communicate with IP addresses assigned these low reputation scores, users still wouldn't benefit from threat intelligence that was, especially in hindsight, quite accurate.
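To make the threshold problem concrete, here is an added example (not Webroot code, and not the BrightCloud API) of a small reputation-driven policy check with an audit routine that lists the high-risk entries a given policy would still let users reach. The band boundaries (High Risk 1-20, Suspicious 21-40, Moderate Risk 41-60, Low Risk 61-80, Trustworthy 81-100) are an assumption, since the text only says there are five bands and that lower numbers are worse; the feed entries and their scores are constructed and use documentation address ranges.

```python
"""Reputation-score policy check and audit (added example).

Assumptions not stated on the page: scores run 1..100 and the five bands
are High Risk 1-20, Suspicious 21-40, Moderate Risk 41-60, Low Risk 61-80,
Trustworthy 81-100. FEED below is constructed sample data, not real intel.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Sequence


class Band(Enum):
    HIGH_RISK = "High Risk"
    SUSPICIOUS = "Suspicious"
    MODERATE_RISK = "Moderate Risk"
    LOW_RISK = "Low Risk"
    TRUSTWORTHY = "Trustworthy"


# Assumed band boundaries; the upper bound of each band is inclusive.
_BANDS = [
    (20, Band.HIGH_RISK),
    (40, Band.SUSPICIOUS),
    (60, Band.MODERATE_RISK),
    (80, Band.LOW_RISK),
    (100, Band.TRUSTWORTHY),
]


def band_for(score: int) -> Band:
    """Map a numeric reputation score to its rating band; lower is worse."""
    if not 1 <= score <= 100:
        raise ValueError(f"reputation score out of range: {score}")
    for upper, band in _BANDS:
        if score <= upper:
            return band
    raise AssertionError("unreachable: score within 1..100 always matches a band")


@dataclass(frozen=True)
class Policy:
    """Two thresholds: block at or below one score, alert at or below another."""
    name: str
    block_at_or_below: int
    alert_at_or_below: int

    def __post_init__(self) -> None:
        # A policy that alerts on a score it already blocks is inconsistent.
        if not 0 <= self.block_at_or_below <= self.alert_at_or_below <= 100:
            raise ValueError("block threshold must not exceed alert threshold")

    def decide(self, score: int) -> str:
        band_for(score)  # validates the score range before comparing
        if score <= self.block_at_or_below:
            return "block"
        if score <= self.alert_at_or_below:
            return "alert"
        return "allow"


# The weak setting: only the very bottom of the High Risk band is blocked,
# so an IP the feed already calls a botnet (score 15) is merely alerted on.
PERMISSIVE = Policy("permissive", block_at_or_below=10, alert_at_or_below=20)
# The corrected setting: block everything High Risk or Suspicious,
# alert on Moderate Risk, allow Low Risk and Trustworthy.
RECOMMENDED = Policy("recommended", block_at_or_below=40, alert_at_or_below=60)


@dataclass(frozen=True)
class FeedEntry:
    ip: str
    score: int
    category: str


# Constructed sample feed (documentation address ranges, invented scores).
FEED: List[FeedEntry] = [
    FeedEntry("203.0.113.7", 15, "botnet"),
    FeedEntry("198.51.100.23", 28, "scanner"),
    FeedEntry("192.0.2.44", 55, "unknown"),
    FeedEntry("203.0.113.200", 92, "trustworthy"),
]


def audit(policy: Policy, feed: Sequence[FeedEntry]) -> List[FeedEntry]:
    """Return feed entries rated High Risk or Suspicious that the policy does not block.

    A non-empty result means the policy is discarding intelligence it already has.
    """
    return [
        entry for entry in feed
        if band_for(entry.score) in (Band.HIGH_RISK, Band.SUSPICIOUS)
        and policy.decide(entry.score) != "block"
    ]


if __name__ == "__main__":
    for policy in (PERMISSIVE, RECOMMENDED):
        gaps = audit(policy, FEED)
        print(f"{policy.name}: {len(gaps)} flagged IP(s) still reachable")
        for entry in gaps:
            print(f"  {entry.ip} score={entry.score} ({band_for(entry.score).value}, "
                  f"{entry.category}) -> {policy.decide(entry.score)}")
```

Running the audit against both policies shows the gap the text describes: under the permissive policy the botnet-category IP scored 15 is only alerted on and the scanner scored 28 is allowed outright, while the recommended policy blocks both. The same audit is worth running whenever thresholds are loosened "temporarily" for convenience, since that is exactly when previously identified infrastructure slips back into reach.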
All in all, for threat intelligence to help prevent attacks, close attention must be paid to policy configurations. Otherwise, it's all too easy for users to inadvertently undermine the intelligence by interacting with IPs, URLs or files that the feed has already flagged and that a properly configured policy would have blocked.
Next, we’ll address DNS security and why the NSA recommends taking advantage of security enhancements at the network level to help thwart these types of attacks.