The Cyber Security Podcast from PwC UK: SUNBURST and supply chain risks

Subscribe to our cyber security podcast series

The Cyber Security Podcast from PwC UK covers the latest developments in cyber risk, resilience and threat intelligence. In each episode we’re joined by special guests to give you practical insight on how to improve your cyber security and create a more resilient business.

Subscribe to our podcast on:

Transcript

Introduction by our host, Abigail Wilson: Joining me to offer their advice are Gabriel Currie, our Incident Management Lead; and Will Oram, our Cyber Remediation Lead. Will, Gabe thank you for joining us.

Gabriel Currie: Awesome, thanks very much Abi, happy to be here.

Will Oram: Hi Abi, thanks for having us today.

Since the SUNBURST hack appeared in the press, what types of conversations have you been having with clients, Gabe?

Gabriel: Yeah sure, as you mentioned Abi, obviously this is something that’s probably really relevant to a lot of our listeners, who I’m sure have been working overtime in the weeks and months following this to kind of understand the risk that this might pose for their organisation. I’ve been talking to lots of clients about this. And I think broadly the queries bucket up into three separate things. First of all is intelligence, so actually trying to understand what’s happened. This is a really complex hack in many ways, although kind of quite simple in others.

So really trying to understand what are the tools and techniques that this attacker used, and therefore what are the kinds of things that organisations need to know and how can they look for those things on their network. The second is, I’ve just kind of led into, detection. So how can organisations actually go and find the signs of compromise in their environments that potentially might mean that they’re impacted here. Then third is response. So if they do find those signs of compromise, what do they need to do in the immediate, short, and medium-to-long term in order to respond to that.

Before we take a deeper dive into some of what you’ve just mentioned, would you mind just briefly covering, how many it looks like have been affected by this attack?

Gabriel: Yeah sure, I mean I think that’s a really interesting question right, and lots of people, especially in the press, there’s quite a lot of hyperbole around this attack, and it being the biggest hack ever. And I think broadly, that kind of thing is slightly unhelpful. So what we do know about this is that it’s likely motivated by espionage and its quite targeted. Now, it looks like approximately 300,000 organisations were customers of this particular product that was impacted, that about 18,000 of those organisations received one of the updates that was impacted, but actually the number of organisations that went on to have that backdoor exploited was much smaller. So initial reporting from industry partners and government suggests that only around 50 organisations were targeted. So actually, while the numbers that we’re seeing are very high in terms of people who are vulnerable, the actual numbers of people who were targeted were actually pretty limited. So calling this the biggest hack ever is perhaps not quite a defensible position to take.

Thanks for that context, Gabe. Just before we move on, do you have any recommendations of what organisations should do if they think they have been affected by this attack?

Gabriel: Yeah sure, so I think the first thing that organisations need to do is to understand their exposure, so work out if they have the affected products on their environment, and there are lots of different ways that they can do that. So looking at their CMDBs or alternatively using things like their EDR tools to search for running processes relating to those products across their environment. And then once they find those products, they need to work out if they are affected or not. There are certain versions, which we know are impacted, and all of the details of those are on the vendors website, so kind of work that out, cross reference the numbers. If you do think you’ve got an affected version, then there’s probably some kind of immediate actions that you should take off the back of that, which broadly is around containment and investigation. So the first thing is working out, do you already have any incident response plans that are going to be helpful here, and putting those into place, and then doing anything on top of those, or if you don’t have incident response plans, coming up with those on the fly and trying to immediately mitigate the risk. So basically, taking the impacted software offline and then taking any other containment steps that you might need to take in order to mitigate that risk.

And then beginning an investigation to work out if you think there are any second stage indicators of compromise, that might indicate that that vulnerable product has actually been exploited. There are loads of different indicators of compromise that are available, that you can use. I know that here at PwC, we’ve published some that have been provided to our clients. There’s loads of really great resources out there that organisations can use in order to determine if they have been impacted.

And then if you then find those second stage indicators of compromise, then what that means is that the vulnerability or the backdoor has been exploited, and that means that you are probably dealing with a very sophisticated attacker, who likely has quite widespread access to your network. And that’s the point in time when you need to think, ‘do I have the skills, and experience, and capabilities to respond to this internally. Do I need to call someone, who can help me, be that a retained incident response provider, lawyers, informing security services or law enforcement’, all that kind of thing, and then going from there in terms of the response. After that there is probably a whole load of other things that you can do, but I won’t steal Will’s thunder in terms of remediation.

Thank you for that Gabe. So moving on, now that this attack has highlighted several risks for organisations to consider as we move towards the medium-to-longer term solutions to this. Firstly, looking at the supply chain, which we know has been used as an attack vector before, why are organisations still vulnerable, and this is despite learning opportunities from previous high-profile supply chain attacks. Gabe, would you like to provide some insight into that?

Gabriel: Yeah sure, so I think in terms of this being a supply chain security issue, I think this is really interesting right, because actually this is a really sophisticated attack and Will might want to argue with me on this one, but I am not 100% sure that supply chain security, and kind of third party assurance can reasonably be expected to identify this kind of thing. I’m not sure it’s reasonable that we should expect organisations to audit the code of every single supplier on their environment. I think this is definitely a supply chain security problem, but you know more supply chain security perhaps isn’t the solution here. I don’t know Will, if you’ve got any thoughts on that.

Will: I think one thing that organisations can definitely do is look at the privileges that they have software and applications running with on their networks. So with some of the products in question here, speaking to clients they’re running them on their networks as the main admin for example, and if organisations can work to implement least privilege, and make sure that when they have these applications running on their networks from other companies, and they’re running them with minimal privileges that those require, that can help make an attacker’s life a lot more difficult for them.

The other thing is, looking at reducing, and locking down and then simplifying the number of applications on estates. It’s a challenge that a lot of our clients have especially on their legacy IT estates when they might be running tens of thousands of applications. So anything that can be done to look at the applications you’ve got on your network, reduce the number of applications, and lock down those applications is key.

Gabriel: Yeah I think that’s a really good point. Supply chain security is good, but it’s not the be all and end all. We need to kind of encourage organisations to provide some level of assurance over their supply chain, but they need to have other compensating controls like defence in depth so that if it turns out that there is indeed a vulnerability in that supply chain, so that first of all the actual impact of that is limited, so Will talked about minimising privileges that we give to that type of software, and then also that there is the right levels of detection, of response around that.

Just to follow up on that point, the SUNBURST attack is reported to have been undetected for some time. Will, why do you think this was?

Will: Yeah that’s a really interesting point Abi. It looks like the attack went on for over nine months at many organisations before being detected, including some security companies and large tech companies, which does raise a question around how effective are organisations’ detection and response processes. I think there’s a couple of reasons why the attacker was able to remain undetected for so long. So first up, although the attacker was using many known techniques, the attacker was putting significant effort in evading detection when they were on organisations’ networks and being very patient in the activity that they were carrying out. It’s very unlike some of the cybercrime groups, who were carrying out ransomware attacks and moving really quickly and fast through organisations’ networks and triggering alerts. These attackers knew what they were doing, and they were very patient, and they wanted to remain undetected. The second reason is, what this attacker did was when they arrived on organisations’ networks, was they moved very quickly to compromise privileged accounts and move onto cloud environments. Those are two areas that we often see organisations being weaker at in terms of having the right login, monitoring, and detection in place. Traditionally organisations have focused on detecting malware and malicious commands and processes being run on endpoints, but this attacker moved very quickly up into cloud environments, using APIs to steal and exfiltrate data from organisation’s cloud services and moving around inside cloud environments.

So Will, just to pick up on that point, is it fair to say that SUNBURST has shown that organisations, many of them still don’t have effective threat detection and response capabilities in place then?

Will: It’s definitely fair to say that it’s something that organisations still really struggle with, and I think that there’s a couple of reasons why that’s the case. So first up, organisations don’t do enough validation around their detection response capabilities. I think that’s an area that a lot more organisations can do more in, and use purple teaming and security testing to test the tools and technology that they’ve put in place to detect these attacks, can actually detect these attacks, and do detect these attacks, and actually that their SOC know what to do when they detect these attacks.

And I think secondly, as I’ve alluded to in that previous answer, organisations have really traditionally focused on detecting malware and processes, and actually now organisations are moving so quickly up into the cloud, they need to pivot their detection and response capabilities up into cloud environments and making sure that they can detect attacks against those and know what to do when those alerts go off.

And moving on to look more at threat detection, the SUNBURST attacker is reported to have targeted Azure Active Directory and cloud services, once they gained access to a victim’s network. Will, can you tell us a little bit more about this?

Will: Yeah of course Abi, this is something that I found really interesting over the last month or so, or whenever revelations have come out about these attacks. So we saw this actor doing two things relating to Azure AD and Microsoft 365. So first up, when the attacker broke into the networks of these companies, the on-premise networks, we saw the attacker stealing keys and credentials from on-premise systems and then using those keys and credentials to gain access to cloud services. So the attacker was moving from on-premise networks up into cloud services.

And a few years ago, people might wonder why would the attacker be trying to do that, all of the sensitive data is on the on-premise network, but actually now with organisations moving so much up to the cloud. Actually, a lot of organisations’ sensitive data is all sitting up in those cloud services, like email, instant messenger chats, files, and it’s all up there in the cloud. So, this attacker moved really quickly and took those keys and credentials enabling them to do that. And secondly, we saw the attacker making modifications to Azure Active Directory and Microsoft 365 to facilitate long-term stealthy access to Microsoft 365 data, whether that’s emails, or instant messages or firewalls. So both very interesting attacks, both very difficult to detect, and both for a lot of companies probably the first time that they have considered these attacks could be carried out against the cloud infrastructure.

Will you’ve mentioned cloud services a few times in your response. Why are organisations vulnerable to these new risks attributed to the cloud?

Will: I think there’s a couple of reasons for that. First up, the workload that organisations have has doubled. Security teams in organisations now have to manage both on-premise environments and also cloud environments, so security teams are more stretched. There’s definitely a lack of expertise in the cyber security industry around cloud services, and also in organisations around how to secure cloud services.

I think thirdly, cloud services are really quickly evolving and requiring new security controls be put in place to protect those, and organisations have to keep up with that. Every few months we’re seeing new features, and new capabilities in cloud services, and all of those might bring new risks and threats that organisations have to consider.

And then I think lastly, when organisations are moving up into the cloud, they’re not prioritising securing privileged access enough, and as systems and data is move up into the cloud, actually identity becomes the most important thing to secure an organisation’s networks, because it’s that identity that can be used to authenticate the cloud services and gain access to that data. That’s something really important that organisations should be focusing on.

Gabriel: I think that’s a really interesting point Will just around identity actually. I think Microsoft’s been saying recently that identity is the new perimeter. I think that’s such a great, clear statement around it, and we previously thought around like having firewalls and everything as segregating off our internal corporate environment from the rest of the world, but now actually with the growth in cloud services, identity is that new perimeter as opposed to what we might traditionally think of that as.

So it sounds like a lot for companies to keep up with and thanks for providing those really important points. So Gabe, I guess a question that you could provide some insight into is looking ahead, how can our listeners respond?

Gabriel: Yeah sure, So I think there’s probably four key things that organisations need to do in terms of the medium-to-longish term response to this. Obviously, it’s always going to depend on their specific security challenges, their environment, but broadly that’s around securing privileged access, looking to secure the new security risks that Will talked about from the cloud, improving detection and response capabilities, and looking to manage those supply chain risks, both in terms of actually assuring that supply chain and making sure that the software in that supply chain is properly secured when it’s in the environment.

To dive into some of those, so first of all around securing privileged access to infrastructure and cloud services. I talked a little bit and Will was talking about identity being the new perimeter, and I think that’s so true. Securing privileged access is one of those things in IT that perhaps isn’t the most exciting cool thing, but actually if we can do that right, then that’s so, so important.

So doing things like, limiting the number of users and service accounts, which have the main admin privileges and ensuring that those are all protected with strong authentication, be that really long passwords, which are managed through some privileged access management solution or implementing things like multi-factor authentication, or like risk-based authentication, all of that I think is so important to prevent the attacker from being able to elevate their privileges.

Then around detection and response, to pick up on another of those things. We need to be in the mindset that a breach is realistically going to happen and being able to really quickly and effectively detect that breach, and then respond to it is so important. Having a clear understanding of the threats that are going to target your organisation, the tools and techniques that they’re going to use, and then what that means in terms of logging, so that you can actually effectively spot those threats and attack techniques on your environment. And that you have all the technical logging in place, and the alerting of use cases in place to go and fire on all of that. That’s really important and then being able to execute that efficient and effective response, so having the right people, process, and technology in place to actually execute that. So I think lots of things to think about, but those are some key things from my perspective.

Thanks Gabe, it sounds like you’ve picked up on some really fundamental points and I think it is really commonly those hard basics, rather those new trending areas of security that people tend to focus on short term. My next question is, for organisations looking to develop more effective detection and response capabilities, what would you say are some really important things they should be considering?

Gabriel: Yeah sure, so I think the first thing is to probably consider outsourcing. So lots of organisations just aren’t going to be able to build the level of detection and response capabilities that they require. So looking really critically at your own security operations function and working out, what can we deliver effectively in house and what do we need to think about outsourcing. And there are loads of service providers out there that can help with these kinds of things. So from a detection and response perspective, there’s like the managed cyber defence offerings, whereby a third party service provider can monitor the environment for you and provide that initial technical response to ensure that the only alerts you’re getting are validated incidents and where possible all of the low hanging fruit is already all being dealt with, so that your in house team isn’t being swamped with alerting, I think that’s really important.

And then I think something that Will touched on earlier, was purple teaming, so actually being able to validate that you are developing effective detection and response capabilities. So something that we’ve done a lot with organisations in the past is, using combined teams of red and blue team, and so purple teaming to execute offensive security techniques, or emulate attack techniques on their environments and then assess in real time organisations’ capabilities to detect that activity and to respond to it, and then over the course of that process, seeking to iteratively improve that. So is our SOC able to detect, like Kerberoasting, if not, why not. Can we bring the logs on board in order to be able to detect that activity and then once we’ve detected it, do we know how to respond to it, if not can we train the people, can we write the processes and ensure that the technology is right to respond.

So really like validating that actually those processes, that all of those capabilities are in place. I touched as well on logs and stuff, I think as Will’s talked about some of the new risks from cloud, and just making sure that all of your threat detection and response capabilities cover those new environments and are able to detect attacks on those platforms, which perhaps a lot of security teams might not necessarily be as confident with as other more traditional attack techniques.

Outro by our host, Abigail Wilson: Thanks Gabe and also Will, that’s a great summary of SUNBURST and what our listeners can learn from it. Thank you so much again for joining us. And thanks to everyone listening. We hope this has been a useful summary with some actionable steps to take in the wake of SUNBURST.

To find out more on how you can improve your cyber security, just search PwC cyber security. And of course, please subscribe to receive our latest episodes. See you next time.