Sophos is hardly unique among cybersecurity providers in having to contain perimeter breaches during a prolonged nation-state cyberattack. As our account of these events unfolds, one notable aspect emerges: we are describing this back-and-forth between hunters and counter-hunters to the extent that the ongoing investigations allow, to give some insight into how the security sector responds to the determination and ferocity of certain attackers. Through our research, we have gained valuable insight into which countermeasures work. Here are three sets of observations, stated as plainly as we can:
Sophos can summon robust defenses in an emergency, yet remains agile enough to devise countermeasures that outmaneuver attackers. In this case, our familiarity with the firewalls on our home turf gave us a significant advantage. Compared with attacks on general-purpose endpoints, attackers must invest far more effort to remain stealthy and inconspicuous when operating on firewalls. Firewalls are Linux-based, constantly connected, and by design sit inside trusted networks, so it is hardly surprising that attackers seek to exploit that environment, and it is also why our defensive strategy proved effective there.
As we watched the attackers' creativity unfold, there were a few extraordinary and intense moments; the UEFI bootkit, the first recorded instance of a bootkit used for persistence on a firewall, deserves particular mention. But this kind of creativity comes at a very high cost to the attacker. When attackers are forced into creative means of survival, such as dwelling on past attacks and relying on UEFI bootkits for persistence, the tables turn in favor of defenders, who enjoy the advantage of knowing their own turf. Once defenders grasp this, they can proceed to identify and address these distinctive tendencies.
Telemetry has been crucial to our home-field advantage from the very start. In our first steps in the Asnarök investigation in spring 2020, we promptly rolled out an automated hotfix that not only addressed CVE-2020-12271 but also improved fleet-wide observability by collecting more detailed and varied telemetry for analysis. Over time, telemetry, coupled with corresponding detection-and-response measures, has become a cornerstone of our Product Safety initiative. Privacy concerns were paramount in our deliberations, even though the technical data we sought did not involve personally identifiable information. Nevertheless, weighing those privacy concerns against the safety benefits of expanded data collection was laborious work, further complicated by the involvement of law enforcement agencies.
After all, defending devices that sit on-premises within customer environments brings its own constraints. There are countless instances of such devices continuing to run on outdated firmware or end-of-life hardware long after their practical utility has expired. While the second lesson may at first seem counterintuitive or hard to act on, its significance cannot be overstated as we approach 2024, and its urgency is becoming starkly apparent.
A five-year-old software-based firewall, left unpatched and unsupported, is a vulnerability waiting to happen. An antiquated firewall that can no longer receive critical updates is essentially worthless; calling it a "firewall" at all stretches the meaning of the word.
There is a lively debate about end-of-life considerations for hardware, but let us tackle the hotfix question first. Many administrators still cling to habits formed in the software-as-boxed-product era and remain wary of applying patches they have not personally vetted, even though cloud-based services have simplified the process significantly. Hands-on patch management remains important for many devices and for manufacturing processes, but firewall administrators need to recognize the urgency of updating these highly specialized systems and to trust their vendors to address vulnerabilities promptly. That trust must be earned; recent events have starkly highlighted how much rides on automated updates when the stakes are high. Vendors are obliged to take on a heightened sense of responsibility: exhaustively testing every update, and building detection and response processes that let them act swiftly and effectively, thereby minimizing harm across their customer base.
As technology advances, even the most meticulously maintained hardware eventually reaches a point where supporting the necessary upgrades becomes economically impractical. At that point these outdated devices change from mere relics into active threats, their dangers manifesting in exactly the scenarios recounted here. The ageing firewall becomes digital detritus, much as Jillian Burrowes argued in a previous era: outdated and poised for exploitation. Here is an edited version:
"A dialogue on straightforward strategies to reduce the attack surface currently presented by some devices – a step we believe both our vendor team and the larger defender community should take promptly rather than procrastinating."
The operative term is "community", and it defines the scope of our consideration. Sophos' story is everybody's story. We are not the only ones being targeted; evidence from both the public and private sectors shows that we are far from the only information security concern suffering at the hands of attackers. The assaults on our perimeters evolved into a sophisticated, coordinated campaign, with various criminal organizations sharing tactics and techniques to breach and sustain their foothold. To fortify their defenses, companies should communicate openly with industry peers, government agencies, law enforcement organizations, and independent security researchers. Western firms may initially find that public-private partnerships look very different in countries such as China, but that disparity can serve as a call to arms, encouraging collaboration and the pooling of global expertise to drive meaningful change.
Throughout these collaborations, we have had the privilege of working with numerous partners among the authorities, whose contributions are acknowledged at the end of the main article. As a prominent player in the cybersecurity landscape, Sophos engages with organizations such as the JCDC out of a sense of responsibility, and in recent years we have seen tangible benefits: meaningful information sharing, rigorous evaluations, and concerted efforts to dismantle threats. As momentum grows, businesses look for straightforward strategies that make sense for their organizations, seeking simplicity as the basis for a solid foundation. The adversaries, undeterred by our efforts, continue to launch swift and merciless assaults.
The Fellowship of Defenders may at first seem reserved for those with badges or Enterprise player cards, but this could not be further from the truth. Bug bounties, often shrouded in controversy and lacking the recognition they deserve, also play a crucial role in fostering collaboration among defenders within a robust cybersecurity community. At various points during our investigations, we paid rewards to researchers who disclosed vulnerabilities that attackers were already exploiting. In at least one instance, a disclosed vulnerability had already been used against high-value targets, raising questions about how that was possible and whether the researcher might have been, wittingly or not, connected to the attackers.
Do we know whether there is a connection between the researcher and the perpetrator(s)? No. Can we find out? Extremely unlikely. Does it matter? What mattered most was the opportunity to significantly disrupt an ongoing operation and to help victims recover from a grave assault, which made the bounty worth paying. Without the swift discovery and remediation that our bug bounty program enabled, it is plausible that up to 500 additional victims might have fallen prey to the adversary had they exploited the vulnerability (CVE-2022-1040) in its unmitigated form.
The story is still ongoing. The wheels of law enforcement turn slowly, but the forces driving this lengthy endeavor remain remarkably active. Over the past five years, conflicts around the world have grown significantly more complex. Within Sophos, responding to relentless cyberattacks has driven the refinement and iteration of our internal processes, from major changes to minute improvements, and those enhancements continue as a long-term process.
Let us bring the rest of the industry along: we will collaborate to drive up adversaries' costs by rendering their tooling obsolete; find ways to retire outdated security measures that once protected the web but now hinder its progress; and treat cybersecurity as a collective effort, just as our adversaries do. Together, we can create a safer digital landscape.