FEDERAL DIVISION

Mark SincevichNovember 4, 2024 8 minute read

Are Your Network Defenses Inviting an Attack?

In a world where cyberthreats are constantly evolving, the historical Battle of the Bulge serves as a poignant analogy for the importance of robust network defenses. Mark Sincevich, Federal Sales Director, draws a compelling parallel between this WWII event and the necessity for modern organizations to adopt a direct-routed Zero Trust architecture to safeguard against sophisticated cyberattacks. Highlighting the lessons learned from the SolarWinds breach, this blog underscores the critical shift needed from traditional perimeter-based defenses to a more secure, dynamic approach to cybersecurity.

Eighty years ago, on December 16, 1944, the Battle of Bulge erupted in the Ardennes Forest on World War II’s Western Front. The Germans had surprised the Allies under the cover of snowstorms and bitter cold, the leaking of selective intelligence, and strict radio silence. As part of the operation, the Germans sent 150 soldiers behind American lines to conduct subterfuge. The soldiers spoke perfect English, carried false identification papers, and were dressed in American uniforms while driving captured American jeeps.

The German operations had a devastating psychological impact on the American forces: infiltrators had sent an entire American regiment rushing to the battlefield in the wrong direction and led other units away from key areas with ‘white tape’ falsely indicating minefields. Their actions even inspired rumors of non-existent operations as far away as Paris. No one could be sure who was friend or foe. Nervous military policemen (MPs) stopped everyone and demanded answers to questions only an American would know, like the name of Mickey Mouse’s girlfriend (Minnie) or the identity of ‘Dem Bums’ (the Brooklyn Dodgers). The confusion and paranoia that the German infiltration introduced had created a serious breach of the American lines.

But why had the Germans chosen the Ardennes in Belgium, from December 1944 through January 1945, to launch their attack? It was mainly due to the poor state of the allied frontline defenses, stretched thin since D-Day—the largest amphibious landing operation in history, just six months prior—and the fatigue brought on by months of continuous combat. The Allies, stretched thin since D-Day, the largest amphibious landing operation in history, just six months prior. The Americans in this sector of the front also chose to defend the area with as few troops as possible, noting the favorable terrain and deep river valleys. It’s interesting to note the terrain was literally at the border of the German homeland. This, combined with the Allies' decision to deliver minimal defenses to the area, suggests a “castle-and-moat” mentality in their defensive operations—the belief that the terrain itself, like a moat around a castle, would deter the Germans. This approach is similar to a traditional perimeter-based network security model, relying on a strong outer barrier for protection.

However, were the American defenses truly designed to ward off an attack, or did the lack of a proper defense invite an attack? The Americans were not well hidden; their lack of preparedness may have inadvertently signaled vulnerability.. In other words, “Did the arrow seek the target or did the target attract the arrow?” Perhaps the lack of proper manpower and misguided reliance on the terrain encouraged a surprise German attack? Similarly, in the realm of cybersecurity, could an over-reliance on traditional network perimeter defenses using a castle-and-moat strategy invite cyberattacks by creating an illusion of security and encourage attackers to exploit specific end-points?

Lessons Learned: SolarWinds

The SolarWinds cyberattack, though it happened almost four years ago, However, it remains a stark lesson in the dangers of sophisticated cyber espionage. The attackers demonstrated remarkable creativity by inserting malware into a legitimate software update. Thisenabled them to not only monitor the target networks, but also to steal data from SolarWinds customers. Considered one of the most advanced cyberattacks in U.S. history, the infected SolarWinds software update was installed on approximately 18,000 computers. While most organizations were not actively targeted, many Federal agencies, including the Departments of Energy, Treasury, Commerce, and Homeland Security were compromised. Although the Department of Defense (DOD) reported ‘no evidence of a compromise in DOD networks’, nearly 40 defense companies were impacted. The SolarWinds attack, along with the subsequent Colonial Pipeline attack, served as a clear wake-up call to the federal government, highlighting the inadequacy of relying solely on network perimeter defenses.

Due to the attacker’s sophistication and preparation that began years prior, we still don’t know the full extent of the damage or even the final number of organizations impacted. Beyond compromising SolarWinds customers, these attackers also gained access to many other organizations. For those using SolarWinds, the delivery of the backdoor within the Orion software update appears to have been a two-part process. First, the Sunspot malware surreptitiously inserted the second part—the malicious Sunburst backdoor—into the SolarWinds Orion software update. When customers updated their Orion software, the servers running it were compromised across 18,000 companies. This is a textbook example of a supply-chain attack. The real damage, however, unfolded when the malware made unauthorized command and control domain calls to download additional payloads called Teardrop and Cobalt Strike Beacon. These payloads then moved laterally through the affected organizations to conduct credential dumps, impersonate users via SAML tokens, and elevate privileges to move laterally. It was these additional payloads that caused the real damage.

In the case of FireEye (now owned by Symphony Technology Group), a SolarWinds customer, the stolen data included some of its proprietary Red Team tools. These tools are designed to “mimic a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.” The attackers were not after personal information like social security numbers or bank accounts. Instead, they targeted hacking tools, critical government data, and intellectual property. This reveals two key things: first, the sophistication of the attack points to a Tier 1 nation-state—later confirmed as Russia’s SVR, their primary foreign intelligence service. Second, the stolen items suggest plans for a larger, even more devastating attack, potentially already in the works. It will again come by surprise and the preparation could be underway as you read this article! Further evidence pointing to Russia’s SVR is the estimated involvement of more than 1,000 engineers involved in the attack, making it one of the most labor-intensive and resource-intensive cyberattacks in history.

What lessons can we learn from this attack? It’s clear that we cannot rely solely on an outdated perimeter-based security model, nor can we depend on the exposed IP addresses of individual computers or OT devices. Once an attacker breaches the network, controls must be in place to prevent unauthorized access to critical resources, as well as to identify users and devices based on tags and labels.

The SolarWinds attack is analogous to the Battle of the Bulge: attackers operating behind American lines in captured American jeeps and uniforms with false identification papers. This is precisely what happened in cyberspace! With traditional perimeter-based network security models, cyberattacks will inevitably disrupt or compromise the mission, and critical data will be stolen. Even worse, if a cyberattack is combined with other forms of irregular warfare—migrants overwhelming the border and social services, coupled with a kinetic attack—the results could be irreparable.

Direct-Routed Zero Trust Network Access (ZTNA)

We must fundamentally shift our approach to network defense, ensuring the target no longer attracts the arrow. Otherwise, the incidence of attacks will escalate, and cyber attackers will infiltrate our lines, overcome our defenses, or simply outsmart us. These attackers who “look like us,” often blending in seamlessly, can even deceive our frontline defenders. We need to operate under the assumption that the enemy has already infiltrated our systems. Better yet, must treat every access attempt as potentially hostile, regardless of its origin—whether from inside or outside the network. This is a core principle of Zero Trust architecture: assume a breach has already occurred.

While identity management is crucial for governing network access, this is not sufficient for cyber defense. You need a Software-Defined Perimeter (SDP) that creates a dynamic, context-sensitive access boundary across network resources, and this requires an identity-centric approach, involving cloaking infrastructure, establishing a unified policy engine, enforcing least privilege and micro-segmentation, and providing flexible and agile policy options. It is also vital to avoid dependence on cloud-based SaaS offerings for ZTNA. Cloud-route solutions may increase latency and place the Policy Decision Point (PDP)in the cloud, making them impractical for securing on-premises users accessing local resources, in Denied, Degraded, Intermittent and Limited Bandwidth (DDIL) environments, as well as at the tactical edge. In these situations, the Policy Enforcement Point (PEP) should bey hosted as close to the protected resources as possible.

Instead, you need a Direct-Routed ZTNA architecture with a unified policy engine that provides ZTNA access for all users. This will give you full control over network traffic, ensure high availability direct access, and accommodate legacy workloads, IoT and OT networks. Crucially, it also enables the PDP to be hosted where the protected resources reside, such as on-prem for on-prem resources. The PDP verifies context and grants access rights. A direct-routed ZTNA architecture enables granular access control, restricting each user to a specific set of applications or data, as mandated by the December 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity in Section 10, item (k). Furthermore, you should implement multi-factor authentication (MFA) for high-value resources like SSH or RDP, ensuring continuous verification. This demonstrates MFA capability for legacy protocols used to access admin ports. This data-centric approach to direct-routed ZTNA, combined with tagging and labeling, guarantees that the right user gains access to the right data at the right time.

Although the Allies ultimately prevailed in the Battle of the Bulge, the After-Action Report (AAR) from the battle revealed increased railway traffic was ignored, the quadrupling of enemy aircraft in the area was overlooked, and intelligence traffic from Project Ultra (the Allied Intelligence project that decrypted high-level encrypted communications from the captured German Enigma code machine) was misinterpreted. The Allies relied too heavily on the captured German Enigma cipher machines, assuming they would provide complete and timely warnings of enemy operations. In this instance, the Enigma machines failed to reveal the complete picture (due to their unusual silence), much like the supposedly comprehensive Federal network monitoring systems of four years ago. Both the Department of Homeland Security’s (DHS) Einstein detection system, designed to detect known malware, and the DHS’s Continuous Diagnostics and Mitigation (CDM) Program, which alerts agencies to suspicious activity, missed the SolarWinds attack. The attackers even exploited the limits placed on the National Security Agency (NSA) to enter and defend private sector networks.

A core principle of Zero Trust is to assume a breach has already occurred. And even if the enemy isn’t there, the introduction of malware could happen at any time. Even if no attacker is currently present, malware could infiltrate at any moment. For example, a user falling victim to a phishing attack could introduce malware that then targets authorized resources. Direct-Routed ZTNA cloaks unauthorized resources and triggers alerts if malware attempts to scan or access them (e.g.: scan of port 22 if only port 443 is authorized). Each user essentially has a personal micro-firewall that protects resources from unauthorized access. Single Packet Authorization (SPA) completely cloaks endpoints from public access attempts, rendering port scanning and service discovery ineffective, e.g., it will return a message such as ‘resource not found.’ Attackers cannot target what they cannot see!

Federal agencies and commands must implement a direct-routed ZTNA architecture to secure the user and device attack vector. This, together with microsegmentation to present adversarial lateral movement, would have mitigated further damage from the Solar Winds attack and will help limit or even prevent future surprise attacks. If this approach had been applied during the Battle of Bulge, the Germans would not have been able to penetrate American lines. Federal agencies must take decisive action to strengthen cybersecurity posture—our nation depends.

Receive News and Updates From Appgate