It has not been that long since the news of the SolarWinds attack broke. Now, a cunningly similar cybersecurity incident is being reported. Codecov, a provider of solutions for managing and auditing code, recently revealed that it was compromised by a cyber assault comparable to the largest security compromise to hit the United States.
It’s frustrating enough that it took a long time to detect and address the SolarWinds incident. Not taking seriously the underlying cyber attack strategy of the Codecov case would be a serious mistake. It’s high time for organizations to pay attention to security validation with emphasis on the adjustment of strategies and testing paradigms to uncover creative attack approaches and prevent them from penetrating and creating serious damage.
The security incident
First discovered on April 1st this year, the attack was detailed by Codecov on its official website through a security advisory. Along with this advisory, the company also put out a note that emails have been sent to those who may have been affected, particularly those whose email addresses are in the databases of GitHub, GitLab, and Bitbucket.
Codecov found that a malicious actor gained unauthorized access to the company’s Bash uploader script and managed to modify it. According to the advisory, the first alteration may have happened in the latter part of January 2020. The modification made it possible to exfiltrate the information contained in customers’ continuous integration (CI) environments.
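As an added example that is not part of the original article or of Codecov’s own tooling: a CI step that pins the uploader script’s SHA-256 digest in the repository and refuses to run any copy whose digest differs, so a modified script is rejected before it executes. The script contents, file names and digest below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from Codecov or from the article): refuse to execute a
# fetched helper script unless its SHA-256 digest matches a digest pinned in the
# repository. A tampered uploader would fail this check before it ran.

# Print the hex SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE PINNED_DIGEST
# Runs FILE with sh only if its digest equals PINNED_DIGEST; otherwise returns 1
# without executing anything from the file.
verify_and_run() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'refusing to run %s: digest %s does not match pinned %s\n' \
            "$1" "$actual" "$2" >&2
        return 1
    fi
    sh "$1"
}

# --- constructed sample data standing in for a fetched uploader script ---
WORKDIR=$(mktemp -d)
GOOD="$WORKDIR/uploader.sh"
TAMPERED="$WORKDIR/uploader-tampered.sh"
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$GOOD"
# The digest a team records when it vets the script. Here it is computed from the
# constructed copy; in a real pipeline it is committed next to the workflow file.
PINNED=$(sha256_of "$GOOD")
# The same script with one extra line appended, standing in for a modification.
{ cat "$GOOD"; echo 'echo "line added after the script was vetted"'; } > "$TAMPERED"

# GOOD_RC is 0 (pinned copy runs); TAMPERED_RC is 1 (modified copy is rejected).
if verify_and_run "$GOOD" "$PINNED"; then GOOD_RC=0; else GOOD_RC=1; fi
if verify_and_run "$TAMPERED" "$PINNED"; then TAMPERED_RC=0; else TAMPERED_RC=1; fi
```

In a real pipeline the pinned digest is updated only when a reviewer has inspected the new upstream script, so an unreviewed change to the download breaks the build instead of running.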
Hewlett Packard Enterprise and IBM were among the high-profile organizations reportedly affected by the attack. The companies said that they have already conducted investigations and reported that they found no proof of compromise. Other companies that were also possibly dealt a blow are Procter & Gamble, GoDaddy, the Washington Post, and Atlassian.
United States authorities have already undertaken their own investigation into the matter, as security experts pointed out how similar the attack is to SolarWinds. Of note, the effects of SolarWinds still linger. Around a month ago, it was revealed that the email addresses of top Department of Homeland Security officials were exposed during the SolarWinds attack.
The importance of security validation
The “success” of a cyberattack that is very much similar to a recent extensively covered cybersecurity incident is alarming. By now, conventional wisdom suggests that companies would have already been more prepared, that they have already addressed possible vulnerabilities. However, it is apparent that the security controls of many companies could still use a lot of improvements.
It is now 2021, and security validation, particularly the use of automated breach and attack simulation (BAS), has only become more important. With the advancing sophistication and continuously growing volume of cyberattacks, organizations need to realize that security controls are unlikely to remain effective for long.
Organizations that were not affected by previous attacks may be set to become victims of cyber attacks eventually, even by the same schemes that have been widely reported before. This is mostly because of the lack of a sense of urgency to undertake security validation.
Alas, many still continue to downplay the threat of cyber-attacks and refuse to allocate more resources and attention to improve their security measures. There are also those who become too confident in the security solutions they put in place.
“Unfortunately, companies assume that their investments will pay off—but the truth is they have no way of knowing which security controls are working and which are not,” says Early Matthews of Forbes Technology Council, who says that 2020 will be the year of security validation.
How BAS helps
Fact: there are no foolproof security controls. Perfection eludes even the best security systems developed by the brightest minds in cybersecurity. What works now may no longer work later on, as attacks evolve and new vulnerabilities emerge within the software and hardware of the system being protected.
As such, it is essential to continuously evaluate the security posture of an organization. It is not going to be a simple process, but it is definitely doable. With new technologies for cyber-attack simulation, it is also possible to automate the process and monitor security controls in real time while retaining the ability to respond to threats that have been automatically triaged by urgency.
BAS makes use of agents and other methods of simulating cyber attacks against an organization’s IT infrastructure to mimic the operation of insider threats, lateral movement, or data exfiltration. All of this is possible without putting production environments at risk, a drawback of some other security testing approaches.
The best third-party BAS systems available at present are usually offered as software-as-a-service solutions. They feature different functions or modules to conduct tests automatically and generate quick reports along with recommendations on the best possible courses of action. They can integrate comprehensive security validation, automation, scaling, as well as an open framework that facilitates the efficient formulation of custom scenarios.
Additionally, the leading security validation platforms operationalize the MITRE ATT&CK framework. Doing this takes advantage of the framework’s up-to-date and comprehensive cyber threat intelligence.
The combination of continuous security validation and the MITRE ATT&CK framework makes it easier to detect anomalous activities in a network, device, or cloud environment. This can cut down the time it takes to detect problems and promptly implement the necessary solutions.
There’s no doubt that the SolarWinds and Codecov attacks were highly sophisticated. Detecting them can be very challenging. However, these attacks are preventable or at the very least can be mitigated. BAS solutions conduct broad evaluations that include the testing of email defenses, weaknesses in browser and website security, firewall assessment, vulnerability to social engineering tactics, as well as endpoint security solution testing and potential network attack vector testing.
Supply chain cyber-attacks are on an upward trend, as more organizations become reliant on third-party software vendors for certain functions in their operations. The SolarWinds and Codecov attacks should be reminder enough for organizations to consider thorough security validation, especially when it comes to testing for non-obvious attack manifestations.
Supply chain attacks do not directly target organizations that become the ultimate aggrieved parties. Their initial attacks focus on platforms that serve various organizations. That’s why security validation should be undertaken continuously in tandem with regularly updated cyber threat intelligence.