Albert Einstein is credited with saying, “we cannot solve our problems with the same thinking we used when we created them.” One way to get that fresh thinking? Learning from our mistakes as well as those of others. That was the idea behind the inaugural Calyptix Genius Briefing. In this session, we reviewed lessons learned from recent breaches and discussed how to best configure AccessEnforcer to shore up small business cybersecurity.
“Managed service is all about security, after all,” noted Calyptix CEO Ben Yarbrough in the April 14 webinar (view the recording now). “That’s why it’s important that our Calyptix community understands the threats and what they can do with our tools to monitor and manage cybersecurity vulnerabilities.”
In a poll that opened our webinar post-mortem on the SolarWinds, Exchange and Ubiquiti hacks, the Microsoft Exchange vulnerabilities were the biggest issue for our participants. One in four respondents had been impacted by the Exchange attacks, while SolarWinds and Ubiquiti had each required 11% of participants to take action to mitigate risk.
We’ve already written about the Microsoft Exchange Server breach as well as the risks for those using Ubiquiti’s cloud networking solutions in Calyptix blog posts. However, the SolarWinds breach, disclosed in December 2020, is perhaps the biggest story so far in 2021. Just yesterday, the NSA, CISA, and FBI released a new joint advisory about this far-reaching attack. We’ll discuss that in more detail next.
SolarWinds Breach a “Worst Case Scenario”
Calyptix senior developer Aaron Bieber expressed his relief that SolarWinds hadn’t impacted more of the webinar participants, who primarily represent and support small business customers. That attack was really a “worst case scenario” that would require a lot of work to remediate.
The cyber attack, attributed to the Russian Foreign Intelligence Service, has been described as the “most sophisticated and large-scale cyber operation ever identified.” It has prompted the Biden administration to take action aimed at Russia, “including an executive order restricting the buying of new debt, issuing sanctions, and expelling 10 diplomats,” according to Bloomberg.
The attack inserted malicious code into an update of Orion, the popular network management platform from Texas-based SolarWinds. Because the update was built and signed by SolarWinds itself, customers who installed it unknowingly deployed a backdoor into their own networks (a remotely controlled implant, not a self-replicating virus).
SolarWinds has more than 320,000 customers in 190 countries, including 499 of the Fortune 500. Those known to have been affected by the hack include the U.S. State Department and the federal Departments of Homeland Security, Commerce, and Treasury. Additionally, state and local governments and enterprises such as Microsoft, Intel, Cisco and Deloitte all learned firsthand the massive risk of digital supply chain attacks.
Mitigating the Cybersecurity Risk
“Fortunately, the government is prioritizing incident response by releasing the known indicators of compromise (IOCs) associated with the breach,” Yarbrough said. The IOCs included domains, IP addresses, file names and sizes, hashes and more.
CISA, in its supplemental guidance to Emergency Directive 21-01, also sorted affected organizations into three categories:
- Category 1 – Networks that do not, and never did, utilize the affected versions of SolarWinds Orion.
- Category 2 – Networks that utilize or utilized affected versions of SolarWinds Orion but have forensically demonstrated that, at most, only initial beaconing activity occurred, and the threat actor conducted no follow-on activity.
- Category 3 – Networks that utilized affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity.
Category 2 organizations are instructed to rebuild the Orion platform and harden its configuration before putting it back into service. Category 3 organizations must assume compromise and carry out a complex reconstitution and mitigation plan, which could mean comprehensively rebuilding the environment.
Any organization that could not hunt for the IOCs (for example, because it had no logs covering the exposure window) was told to assume the worst and treat itself as Category 3.
Takeaways from these Cyber Attacks
At Calyptix, we were able to go back to our Event Vault and look for the SolarWinds IOCs released by the government and cybersecurity researchers. Fortunately, we didn’t find anything disturbing.
At the same time, the exercise was a great reminder of the value of turning on the unit’s logging and retaining what it records. The NSA, CISA and FBI all recommend “robust logging” of “Internet-facing services and authentication functions.” Keeping logs:
- Permits retroactive queries for IOCs published after the fact
- Lets you act on shared threat intelligence
- Helps forensically confirm that no breach occurred, or bound its scope if one did
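The retroactive IOC hunt described above is the kind of query retained logs make possible. What follows is an added example, not Calyptix code and not the Event Vault's query language: a small Python sweep that loads an IOC set (domains, IPs and CIDR ranges, SHA-256 hashes, file names) and runs it over stored log lines, matching subdomains of listed domains and addresses inside listed ranges while refusing look-alikes. Every indicator, hostname, address and log line in it is a constructed placeholder, not a real SolarWinds IOC.

```python
"""Retroactive IOC sweep over retained logs.

Added example; all IOCs and log lines are constructed placeholders,
not the real SolarWinds indicators published by CISA/FireEye.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC set. A real sweep would load the published list from a
# feed or CSV; the shapes (domain, IP, CIDR, hash, filename) are what matters.
IOC_DOMAINS = {"avsvmcloud.example", "c2-update.example"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]
IOC_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
IOC_FILENAMES = {"netmon-agent.dll"}

# Constructed sample of firewall / DNS / AV lines as a unit might retain them.
SAMPLE_LOGS = [
    "2021-03-02T10:15:22Z fw conn src=192.168.1.20 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2021-03-02T10:15:23Z dns query=api.avsvmcloud.example client=192.168.1.20 type=A",
    "2021-03-02T10:16:01Z fw conn src=192.168.1.31 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2021-03-02T10:17:45Z av scan host=srv-01 file=netmon-agent.dll "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2021-03-02T10:18:02Z fw conn src=192.168.1.40 dst=198.51.100.77 dport=8080 proto=tcp action=deny",
    "2021-03-02T10:19:10Z dns query=notavsvmcloud.example client=192.168.1.20 type=A",  # look-alike, must not match
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
FILE_RE = re.compile(r"\bfile=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "ip", "domain", "sha256" or "filename"
    indicator: str  # the IOC entry that matched
    line: str


def ip_matches(text):
    """Return the IOC network containing this address (single IPs and CIDRs), else None."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if addr in net:
            return str(net)
    return None


def domain_matches(host):
    """Exact or subdomain match only: 'notavsvmcloud.example' must NOT match 'avsvmcloud.example'."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(lines):
    """Run every IOC type over every retained line; return one Hit per (line, indicator)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            net = ip_matches(ip)
            if net:
                hits.append(Hit(n, "ip", net, line))
        for host in HOST_RE.findall(line):
            d = domain_matches(host)
            if d:
                hits.append(Hit(n, "domain", d, line))
        for h in SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:  # hashes compared case-insensitively
                hits.append(Hit(n, "sha256", h.lower(), line))
        for f in FILE_RE.findall(line):
            if f.lower() in IOC_FILENAMES:
                hits.append(Hit(n, "filename", f.lower(), line))
    return hits


def triage(hits):
    """Map the sweep result onto the CISA categories discussed above."""
    if not hits:
        return ("No IOC matches in the retained log window; confirm retention covered "
                "the whole exposure period before claiming Category 1 or 2.")
    lines = len({h.line_no for h in hits})
    return (f"{len(hits)} IOC match(es) on {lines} line(s); treat as at least Category 2 "
            "and investigate for follow-on activity before ruling out Category 3.")


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
    print(triage(found))
```

The caveat the `triage` function encodes is the one that bit many organizations: a clean sweep only proves anything for the window your logs actually cover. If retention is shorter than the exposure period, CISA's guidance says to assume Category 3 rather than Category 1.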
Additionally, Calyptix updated all AccessEnforcer units to block the known IOCs for all three incidents (SolarWinds, Exchange and Ubiquiti).
“These attacks bring home one big point,” Bieber said. “When things are exposed, it’s just a matter of time before there is an exploit for them.” Ultimately, then, it’s about reducing your attack surface.
The defensive measures Calyptix integrates into the platform only help our SMB customers if the corresponding unit settings are turned on. Keeping systems updated and installing patches as soon as they are released is equally essential to a stronger small business cybersecurity posture.
Small businesses have one advantage here: their IT footprint is small enough to inventory completely, so every exposed service can be matched with a deliberate control or removed outright.
Our discussion closed with a reminder of powerful AccessEnforcer settings that can make the difference. The SMB or its MSP can:
- Deny all IP traffic except from the US & Canada with Geo Fence
- Segment subnets with LAN lockdown & use pinhole exceptions
- Create an IDS/IPS dynamic blacklist
- Restrict management access
- Establish (and prune) port forwarding rules
- Incorporate easy two-factor authentication with Gatekeeper
Plus, with these settings enabled and logging on, we benefit from log data that can generate valuable insights and help identify signs of compromise or credential misuse. This brings us back to the importance of learning from our mistakes and following Einstein’s guidance toward continuous self-improvement.
Strengthening cybersecurity is essential and the effort must be ongoing, among all of us. The attacks are persistent, but working together to better understand what is happening and how, we can continue to fortify the integrity and availability of systems at small businesses and larger entities as well.
Need help configuring your AccessEnforcer? Contact us today.