
Cyber Incident Response Manager, Mark Cunningham-Dickie, discusses the importance of ensuring basic cyber hygiene as we take lessons from large-scale cyber breaches.

We are a long way off recovering from the extent of the recent SolarWinds Orion compromise but it’s not too early to start learning lessons from it.  

When the news of FireEye’s compromise and the loss of their Red Team tools broke, there was a lot of criticism from some quarters: rivals positioning themselves as better, or others claiming to have a product that could have prevented it, despite having no understanding of what had actually happened. 

I was pleased to see many respected individuals in the cyber community were quick to shoot down self-aggrandising and product promotion. 

For what it’s worth, in my opinion FireEye has handled the issue brilliantly and have been incredibly open and informative about it.

As the story progressed and the list of victims grew, there has been one question that has been niggling me…

Given that giants like Microsoft, with all their monitoring, alerting and resources, were compromised, and considering the complexity of the attack, how was it that FireEye detected it when no one else did? 

The answer that came back was simple.  They spotted some suspicious VPN activity and followed up on it.

“Do the basics brilliantly”

For me this is great. It reinforces points that I’ve made in presentations and in follow-up discussions. I’ve been asked repeatedly by people and organisations: “Should I be investing in any particular technology to keep the company safe?”

My simple answer is this: do the basics brilliantly before you add any additional layers. 

There’s no sense in overlaying hundreds of thousands, or even millions, of pounds of technology or “solutions” if you haven’t got the basics sorted.  If your ICT is a mess, it’s still going to be a mess just with more expensive technology stacked on top of it.

I’m not taking anything away from the technology providers; a lot of them have very good products with capabilities far beyond what most organisations need. But their technology is rendered largely moot if no one is following up on alerts, or if the underlying environment is not understood. 

Appropriate investigations

Intrusion Detection Systems (IDS) take time to learn what is “normal” behaviour on a network before they can be turned into Intrusion Prevention Systems (IPS) that automatically block suspect traffic. 

If you already have VPNs routing out of your network, then that is expected behaviour and an IPS solution will not block it.  I have detected and reported on VPNs running on internal networks, and the question really needs to be: why? And it needs to be investigated appropriately.
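The learn-then-enforce point above is easy to show in code. The following is an added example, not code from the original post or from SBRC: it models a learning period in which every VPN-like flow seen is recorded as "normal", then flags VPN-like flows that fall outside that baseline so an analyst can ask "why?". The flow-record format, the sample lines, the port list and the IP addresses are all constructed for the example.

```python
"""Baseline-then-alert check for VPN-like egress flows (illustrative, not a product)."""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Ports commonly associated with VPN protocols. Assumption: a reasonable
# starter list for the example, not an exhaustive one.
VPN_PORTS = {
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
    ("tcp", 1723): "PPTP",
}


def parse_flow(line):
    """Parse one constructed flow record: 'timestamp src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def is_vpn_like(flow):
    """True if the destination port/protocol pair is on the VPN list."""
    return (flow.proto, flow.dport) in VPN_PORTS


def learn_baseline(lines):
    """Learning phase: record every VPN-like (src, dst, proto, dport) tuple
    observed, i.e. what the sensor comes to treat as expected behaviour."""
    baseline = set()
    for line in lines:
        f = parse_flow(line)
        if is_vpn_like(f):
            baseline.add((f.src, f.dst, f.proto, f.dport))
    return baseline


def find_unexpected_vpn(lines, baseline):
    """Enforcement phase: return (flow, protocol_name) for every VPN-like flow
    that was not part of the baseline. Baselined tunnels pass silently, which is
    exactly why a pre-existing rogue VPN has to be found by asking 'why?' rather
    than by the sensor alone."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if is_vpn_like(f) and (f.src, f.dst, f.proto, f.dport) not in baseline:
            alerts.append((f, VPN_PORTS[(f.proto, f.dport)]))
    return alerts


# Constructed learning-period records: a known site-to-site IPsec tunnel from
# 10.0.0.5 plus ordinary HTTPS traffic.
LEARNING_LINES = [
    "2021-01-04T09:00:00Z 10.0.0.5 203.0.113.10 udp 4500",
    "2021-01-04T09:00:05Z 10.0.0.5 203.0.113.10 udp 500",
    "2021-01-04T09:01:00Z 10.0.1.20 198.51.100.7 tcp 443",
]

# Constructed live records: the known tunnel again (expected), an OpenVPN
# session from a workstation to a new destination, and a WireGuard session
# from another host. Only the last two should be flagged.
LIVE_LINES = [
    "2021-01-05T10:00:00Z 10.0.0.5 203.0.113.10 udp 4500",
    "2021-01-05T10:02:00Z 10.0.1.33 198.51.100.99 udp 1194",
    "2021-01-05T10:03:00Z 10.0.2.8 198.51.100.42 udp 51820",
    "2021-01-05T10:04:00Z 10.0.1.20 198.51.100.7 tcp 443",
]


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_LINES)
    for flow, name in find_unexpected_vpn(LIVE_LINES, baseline):
        print(f"INVESTIGATE: {name} from {flow.src} to {flow.dst}:{flow.dport} at {flow.ts}")
```

Each alert is a prompt for a human follow-up, not an automatic block: the value of the check is in someone picking up the question of why a host is establishing a tunnel the organisation never set up.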

Even as a cyber incident responder, whose job depends on people and companies being compromised, I wouldn’t wish anyone to be hacked or compromised, but I’m glad that FireEye was. 

I should be clear: I don’t, in any way, wish FireEye any harm at all, quite the opposite.  The reason I’m glad they got hit is that they did things right, and as a result, look at how many other organisations they are saving. 

Learning lessons from a cyber breach

There are lessons that we all need to learn from this.  There will be more over the coming weeks and months and from other hacks and compromises both past and future, but let’s start now and let’s get the basics right.

Scottish SMEs and Third Sector Organisations who fall victim to a cyber incident can access SBRC’s Free Cyber Incident Response service. Even if you’re not sure, it’s always best to get in touch.

The number is 01786 437 472.