Why we can expect another SolarWinds attack

Today’s columnist, Ryan Noon of Material Security, says we can expect more SolarWinds attacks until we change to an “inside-out” strategy that assumes attackers are already inside the network and security teams set defenses accordingly.

Airport security has been designed (in theory) to detect threats to air travel before a malicious person or item makes it to the plane. Much of cybersecurity works the same way.

As anyone who’s ever been frisked by a TSA agent because of their shampoo bottle can say, the system can be frustrating and surreal. For security luminary Bruce Schneier, TSA checkpoints were the classic example of “security theater” when he coined the term. Such “impenetrable” perimeters are a classic tool for defenders throughout human history. But when it comes to airports, many argue that we over-rely on these checkpoints to prevent the next 9-11. Despite these protective gateways, dangerous people and items pass through uncontested every day. 

Email has become incredibly important to billions of internet users. Outside the fearsome headlines, the lives of ordinary people are regularly hijacked through scams, account takeovers, and data leaks. Keeping hackers out of inboxes remains nearly impossible for even the most well-funded organizations. Major breaches, from the 2016 Election Hacks to the SolarWinds incidents, successfully target email data from both personal and work accounts and they manage to bypass every type of security that the best defenders throw at them. The reason? We’ve always protected email just like a TSA checkpoint. 

How did we get here? Can we do better? If we want to answer these questions, we need to zoom out.

Leave checkpoints at the door

The “guide incoming traffic into a single checkpoint and strip search it” approach used by both the TSA and email security software stands as an example of “outside-in security.” So are castles, moats, drawbridges, trench warfare, and other classic images in our popular conception of “defense.” In this paradigm, the defender exploits (or engineers) favorable terrain (think: mountains, walls, checkpoints, or SMTP servers) to make costly obstacles that attempt to prevent attackers from getting themselves (or their phishing messages) inside.

By directing all traffic through checkpoints, defenders can concentrate all of their resources, attention, and intelligence at the fewest number of decisive locations. Think of a famous example from history when 300 Spartans used geography to forestall a Persian army nearly 1,000 times larger at Thermopylae. While conceptually seductive, the effectiveness of the strategy revolves around having good answers to questions like: Where does the attacker come from? What does the attacker look like? How well do I know (and control) the terrain?

In our personal and professional lives, email has emerged as our largest collection of sensitive information. You sign into everything with your email address so it’s also the de facto identity layer of the internet. This means that when it comes to protecting email and data, the terrain now favors the attacker. Worse, many attackers have become hopelessly sophisticated at sending malicious messages that evade detection. Everyone from the would-be leader of a country (or her campaign chairman) to a school-age kid can be compromised with devastating results for them (and potentially anyone who’s ever emailed them something sensitive).

The value of a hacked email account is higher than ever and the number of ways to break into them greatly outnumbers the ways to prevent that from happening. Incredibly, we’ve discovered that Russian hackers have stolen email and office data from hundreds of organizations in the public and private sectors without even sending phishing emails.

Hackers may succeed a little, but they don’t have to succeed a lot

How would our defensive strategy change if we assumed the attacker was already inside or that no walls could possibly keep them out? The result is “inside-out security.” Without dominating territory, inside-out defenders seek to understand the attacker’s goals and, if possible, neutralize their capabilities. Instead of TSA checkpoints, think of reinforced cockpit doors and strategically placed air marshals. Instead of castle walls, think of the winding staircases designed to disadvantage the right-handed swordsmen climbing them during an attack. Think of the Mongols, born to open plains without the geography for Thermopylae, compensating with deadly mobility and versatility. The two questions requiring answers in this paradigm are: What does the attacker want? What can the attacker do?

Computer networks are built and maintained by humans. This fact tends to give defenders an undeserved sense of control over the territory we’re supposed to protect. It biases us towards outside-in approaches to secure them—who doesn’t love a good firewall? The contours of our map are not just the digital links between servers but the ever-evolving relationships between users, their data, and the applications that power our world. Given this, it’s not surprising that traditional chokepoints like blocking, filtering, and mangling incoming email aren’t effective. In a recent example, a high-profile employee was signed into their personal email on their work laptop and detonated malware sent to it. This allowed the attacker to then compromise their work email and bypass their company’s entire email security perimeter.

Some of the best ideas in information security in recent years are conceptually inside-out. Pervasive multi-factor authentication, popularized by companies like Duo, Okta, and Yubico, is designed with the assumption that an attacker already has the user’s password. Security awareness training and phishing triage systems (like the “if you see something, say something” announcements at airports) assume that malicious emails will always slip past the guards to unsuspecting people scrolling through their email.

The silver lining of Microsoft and Google

Email as a technology is so old—and its traditional “spam blocker” chokepoint has become so seductive—that we’re misallocating scarce resources. Worse, we’re ignoring real opportunities to apply what we’ve learned elsewhere and approach the problem with new strategies beyond email firewalls. The best opportunity we have comes downstream from the reality that most people and organizations have recently irreversibly migrated to cloud-hosted email from the twin titans of Microsoft and Google. 

The importance for security of the society-wide shift to cloud-hosted email can’t be overstated but it’s not obvious: email has become a development platform. Email is 40 years old, but under the surface new Google and Microsoft developer APIs enable “inside-out” security techniques that simply weren’t possible even five years ago. The massive scale and integration speed of these platforms is also unprecedented. For the first time ever, apps can protect billions of work and personal accounts with the press of a button in less than fifteen minutes. Sometimes big technological shifts have positive unintended consequences.

It takes at least as much creativity to make a technology safe as it does to invent it. Lucky for us, creative humans have been defending themselves throughout history and we can learn from them. We’re too reliant on technology like email to protect ourselves with digital walls we’ve long outgrown. There will certainly be another SolarWinds until we remember the more fundamental question of “what does the attacker want?” and work to apply it on whatever platforms we can. Protecting our online accounts has never been more urgent: chaos and theft at this scale imperil the privacy and material well-being of ordinary people and reduce our competitiveness as an open society.

Ryan Noon, co-founder and CEO, Material Security