Building resilience: learnings from MOVEit

Over the past week, the news has been dominated by details of the MOVEit data breach. The mass attack saw cybercriminals exploit a vulnerability in the MOVEit file transfer application — a tool used by thousands of organisations around the world to securely share files with colleagues or external parties. Or so they thought... so what went wrong?

What do we know?

The attack arose because bad actors were able to exploit a new and previously unknown vulnerability in the MOVEit file transfer tool — known as a zero-day attack. This led to an instance of MOVEit used by Zellis, a supplier of IT services for payroll and human resources departments, being compromised, along with data from its customers including the BBC, Boots, Aer Lingus and Ofcom. And the attack is not just confined to the UK — organisations in Canada, Australia and the US are also confirmed to have been impacted.

The Clop ransomware gang has claimed responsibility for the attack and is threatening to publish all stolen data from affected organisations unless the companies pay a ransom. But aside from being discouraged by law enforcement agencies across the globe, paying ransoms only breeds more attacks. So, what can — and should — organisations be doing to protect themselves from similar attacks in the future?

What can we learn?

The attack is a good reminder of the risks posed by both the supply chain and software supply chain. Organisations often put too much implicit trust in their suppliers to safeguard and store sensitive data when outsourcing systems or functions like payroll. But if the supplier is attacked, organisations can quickly find themselves indirectly compromised.

In this case, Zellis clearly had developed a dependency on the MOVEit software — a software with high-risk exposure due to its connection to the internet. However, zero-day attacks can be introduced at any point through a software update, and these are often accepted blindly or automatically.

Five steps to building resilience against attacks like MOVEit

Rigorous testing on all updates will never be feasible, so businesses must build resilience and fail-safes to ensure that any vulnerabilities do not cause any significant damage.

The below are key steps that organisations should take to boost resilience:

1. Always assume breach

The first thing to learn from the MOVEit attack is that no organisation is immune from cyber attacks. Ransomware is now the most common type of attack, so you must adopt an “assume breach” mindset whereby the focus is on breach containment rather than prevention to ensure ransomware is isolated at the point of entry.

2. Get the basics right

Secondly, do not neglect the basics. Most risk exposure comes from bad hygiene, bad process and human error. Remember, defenders need to be right 100% of the time, but the attacker only needs to get it right 1% of the time to be successful, so there is no room for error.

Zero-day attacks always have — and always will — happen, yet too many businesses still are not getting the basics right. The best way to reduce risk is through the practice of good security hygiene and a defence-in-depth approach, which, at a very minimum, means regular patching, limiting access to systems and services with known vulnerabilities and imposing a strategy of least privilege.

3. Visibility is key

A critical step to building resilience is gaining visibility. Visibility allows you to understand what your normal looks like so that when an unexpected connection happens or you notice an unexpected high volume of data being transferred, you can detect using existing SIEM (security information and event management) technologies and take action.

Visibility also enables you to understand the dependencies associated with that system and build up a picture of ‘known good’. Any organisation impacted by the MOVEit breach needs to have visibility of all inbound and outbound connections for which MOVEit is installed.

4. Deploy a strategy of least-privilege access

For those areas where you have less control, such as your software supply chain, ensure you have good segmentation from the rest of your environment. Implement very restrictive allow list policies that ensure the workload has very little access to the rest of your network and restrict how much attackers can discover about the network and move laterally.

In the case of MOVEit specifically, apply allowlisting in front of the MOVEit workload to restrict access at the application and activity layer.

5. Ringfence high-value applications

Take steps to ringfence high-value applications that handle any intellectual property, non-public financial data, legal documents, or sensitive and personal information. Ringfencing shrinks the security perimeter from a subnet or VLAN to a single application. It provides the largest impact with the least amount of work, requiring only one line of security policy per application to close off 90% of the potential attack surface for east-west traffic movement.

Building resilience against software and supply chain attacks

Hyperconnectivity has led to such rich, dense and critical interdependencies that attackers know they can increase efficiency and profitability by compromising the software supply chain. As a result, businesses need to get a handle on their software supply chain fast, or risk similar breaches.

Still today, 99% of effort and budget in cybersecurity is spent on stopping bad things from happening (detection and remediation). Yet, companies could triple their cybersecurity budget and still have breaches.

Organisations must proactively strengthen resilience by always assuming breach and building in containment capabilities to limit the spread of an attack. This means adopting a risk-based approach focused around understanding the flow of data throughout the extended asset attack surface and separating key functions within the network to prevent breaches from spreading to reach critical assets.

Image credit: iStock.com/setixela