A Guide to Handling the MOVEit Attack

Even with the best tools and training, organizations will still be targeted by criminals exploiting holes in their software supply chains. What gained prominence in the SolarWinds attack (which also involved VMware and Microsoft) three years ago has since grown, exposing not only businesses but also governments worldwide that depend on common third-party software services.

Anirban Banerjee
Dr. Anirban Banerjee is the CEO and Co-founder of Riscosity

The attack

Last week, a vulnerability in the popular MOVEit managed file transfer service was exploited by the CL0P ransomware gang to carry out data breaches – an increasingly common attack technique in which popular software is compromised in order to reach, by extension, its users. Victims of this hack include British Airways, Boots, the BBC, and multiple US government agencies. While the US Department of Energy is the only one officially named, several more are likely affected given the popularity of this software in government circles. One can gauge the impact of this attack from the fact that the US Department of State has just announced a $10m reward for information linking CL0P to a foreign government.

The response

The obvious response is to patch all known vulnerabilities. The key qualifier here, however, is “known”. How do you address vulnerabilities that are unknown, or at least those for which no patch exists yet? Or the case where, even with a patch available, an attacker exploits the window between when a patch is released and when it is applied? The logical response is to observe closely what that software actually does, compared with what it is supposed to do. If you can observe all outgoing traffic, detect outliers, and then block them, you can stop an ongoing attack before it does significant damage.

The ideal state

This is the ethos of Third Party Data Observability (TPDO). By providing full visibility (“Observability”) into data transfers, it is possible to detect (“Analyzability”) indicators of attack such as too much data going out, the wrong kind of data being transferred, or data being sent to suspicious destinations. However, insight without the ability to act on it is not useful. The ability to block (“Actionability”) such data transfers with a few clicks, without having to rewrite code, is a key differentiator when choosing a TPDO solution.
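As an added illustration (not code from the original post or from Riscosity), here is a minimal version of the observe/analyze/act loop the two sections above describe, run over constructed egress records: a per-destination volume baseline, a destination allowlist with permitted data classes, and a verdict that blocks policy violations and raises volume spikes for review. The record schema, hostnames, data classes and policy are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample egress records (not real traffic) for a file-transfer
# service: (service, destination, bytes_out, data_class). Schema is assumed.
SAMPLE_EGRESS = [
    ("mft", "mft.partner.example", 1_200_000, "documents"),
    ("mft", "mft.partner.example", 900_000, "documents"),
    ("mft", "mft.partner.example", 1_500_000, "documents"),
    ("mft", "mft.partner.example", 1_100_000, "documents"),
    ("mft", "backup.corp.example", 40_000_000, "archive"),
]

# Assumed policy: which data classes each known destination may receive.
ALLOWED = {
    "mft.partner.example": {"documents"},
    "backup.corp.example": {"archive"},
}

def build_baseline(records):
    """Observe: per (service, destination), the bytes_out values seen so far."""
    hist = defaultdict(list)
    for svc, dest, nbytes, _ in records:
        hist[(svc, dest)].append(nbytes)
    return hist

def classify_transfer(record, baseline, allowed, factor=10):
    """Analyze: return (verdict, reasons) for one transfer.
    verdict is 'allow', 'alert' or 'block'; reasons lists the indicators hit."""
    svc, dest, nbytes, data_class = record
    reasons = []
    if dest not in allowed:
        reasons.append("unknown destination")
    elif data_class not in allowed[dest]:
        reasons.append("data class not permitted for destination")
    seen = baseline.get((svc, dest))
    if seen and nbytes > factor * median(seen):
        reasons.append("volume outlier")
    if not reasons:
        return "allow", reasons
    # Act: a policy violation is blocked outright; a pure volume spike to a
    # permitted destination is raised for review (tune 'factor' per service).
    verdict = "alert" if reasons == ["volume outlier"] else "block"
    return verdict, reasons

if __name__ == "__main__":
    base = build_baseline(SAMPLE_EGRESS)
    for rec in [("mft", "mft.partner.example", 95_000_000, "documents"),
                ("mft", "mft.partner.example", 2_000_000, "customer_pii"),
                ("mft", "203.0.113.77", 500_000, "documents")]:
        print(rec[1], classify_transfer(rec, base, ALLOWED))
```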

To paraphrase Julius Caesar, who said “Veni (I came), Vidi (I saw), Vici (I conquered)”, with the right TPDO platform overseeing your data environment you can “SEEit, IDENTIFYit, BLOCKit” as you see fit.