What does the SUNBURST malware reflect about today's security field?

Tuesday, 20 June 2023

Estimated reading time: 3 minutes

SUNBURST isn't the first major cyberattack, and it won't be the last either. Let's review and evaluate what we have learned from the SUNBURST case.

As the SolarWinds hack continues to unfold and expand in both its scope and impact, we know that the real jigsaw picture is much bigger than the pieces we currently know about. And as we still try and complete the SolarWinds jigsaw puzzle, the question that stares at us is, “What did we learn to be better prepared for the inevitable next time?”


SUNBURST was neither the first such hack, nor last. Let’s explore the learnings here, and start with the common elements of such events:


  • Flies under the radar for a very long time: So, we can assume more such attacks are underway right now and no one has a clue. The attacks are using zero-days and blending the activity into background noise to stay hidden. Hence it is critical for us to
  • Abuses established trust chains: Abuse of trust chains casts doubt on all connections and requires visibility across all activity to monitor for anomalous activity and unusual access patterns. Even the ‘Zero Trust Architecture’ that is founded on granular segregated trust chains requires monitoring and verification as part of the architecture.


It is extremely important for an organization to enable prevention, segmentation, and zero-trust authorization for assets, users and data in order to implement a “shift left” security posture. But, as we learned above, these controls are necessary but not sufficient against modern attacks. An ‘Active Defense based Detect and Respond’ security posture, one that operationalizes deception together with anomaly and kill-chain detection over pervasive visibility, driven by algorithms, hunting and investigation, offers the few remaining opportunities to detect such a hack in its early stages. In practice this means:


  • Using anomaly detection algorithms that flag anomalous user, network, and endpoint behaviors and/or the use of specific protocols in malicious ways.
  • Enabling investigation, forensics and hunting using rich metadata about endpoints and the network to find the unknowns.
  • Applying newly acquired threat intelligence backwards in time to automate the hunt for known IOCs in past communications.
  • Deploying deception in the network and Active Directory and spreading breadcrumbs across assets to lure attackers into the deception networks, where their techniques can be gathered and their intentions uncovered.
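As an added illustration of the retrospective-hunting point above (example code written for this page, not from the original post or from Fidelis): a small Python routine that re-applies a newly received indicator feed to historical egress logs, so that connections made weeks before the indicators were published are surfaced together with the earliest contact per host. All log lines, hostnames, domains and addresses are constructed sample data, not real indicators.

```python
"""Retrospective IOC hunt: re-apply newly received indicators to historical logs."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of historical egress logs: timestamp, host, dst_ip, dst_fqdn.
HISTORICAL_LOG = """\
2020-09-14T03:12:07Z build-01 198.51.100.20 updates.example.org
2020-09-14T03:15:44Z build-01 203.0.113.7 a1b2c3.cdn.malicious.example
2020-10-02T22:01:09Z hr-laptop 192.0.2.33 mail.example.org
2020-11-19T11:48:51Z build-02 203.0.113.9 d4e5f6.cdn.malicious.example
2020-12-01T08:30:00Z db-01 198.51.100.20 updates.example.org
"""

# Constructed indicators, assumed to have been published after the log entries above.
NEW_IOCS = {
    "domains": {"malicious.example"},   # an apex domain covers all of its subdomains
    "networks": {"203.0.113.0/29"},     # CIDR form so a small C2 range is one indicator
}

@dataclass(frozen=True)
class Hit:
    timestamp: datetime
    host: str
    matched_on: str   # the indicator that fired
    evidence: str     # the log field that matched it

def domain_matches(fqdn, ioc_domain):
    """Exact or proper-subdomain match; 'evilmalicious.example' must not match."""
    fqdn, ioc_domain = fqdn.lower().rstrip("."), ioc_domain.lower().rstrip(".")
    return fqdn == ioc_domain or fqdn.endswith("." + ioc_domain)

def retro_hunt(log_text, iocs):
    """Walk every historical record and return all indicator matches, oldest first."""
    nets = [ip_network(n) for n in iocs["networks"]]
    hits = []
    for line in log_text.splitlines():
        ts, host, dst_ip, fqdn = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        hits += [Hit(when, host, d, fqdn) for d in iocs["domains"] if domain_matches(fqdn, d)]
        addr = ip_address(dst_ip)
        hits += [Hit(when, host, str(n), dst_ip) for n in nets if addr in n]
    return sorted(hits, key=lambda h: h.timestamp)

def first_contact_per_host(hits):
    """Earliest matching contact per host: how far back the compromise window opens."""
    first_seen = {}
    for h in hits:
        first_seen[h.host] = min(first_seen.get(h.host, h.timestamp), h.timestamp)
    return first_seen
```

Running `first_contact_per_host(retro_hunt(HISTORICAL_LOG, NEW_IOCS))` on the sample data dates the first suspicious contact from build-01 to September 2020, two months before build-02 appears, which is the kind of timeline an investigation needs before the indicators were ever public.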


To summarize: to prepare for the next storm, create security operations processes that are founded on sound cyber-hygiene, prevention, segmentation, zero-trust as well as deception, visibility, threat hunting, investigation and response enabled by an Active XDR suite like Fidelis Elevate. 

Source: https://fidelissecurity.com/threatgeek/threat-detection-response/sunburst-reflections-to-secure-by/