During a cybersecurity incident, the main focus is getting the attacker out of an organization’s systems and cleaning up the damage. Doing so quickly and effectively is vital to minimizing the impact of the attack and restoring normal business operations. Focusing too much on the obvious, however, can be detrimental in the long run. While a quick fix may be desirable, going deeper is essential to good cybersecurity.
Root Cause Analysis Gone Right and Wrong
The National Institute of Standards and Technology (NIST) defines root cause analysis as, “A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.” In cybersecurity, the true cause of a security incident may not be immediately obvious. This is especially true when an attacker is actively working to cover their tracks and confuse the issue.
Performing root cause analysis is essential to effective cybersecurity as it can identify other issues that may have contributed to the success of a data breach. Two recent cases demonstrate the impact of root cause analysis performed correctly and failing to do so.
The SolarWinds Hack
The SolarWinds hack discovered in late 2020 is one of the most well-known cyberattacks in recent history. The malware variants associated with this attack were discovered on the systems of hundreds of companies. These intrusions were discovered when it was discovered that SolarWinds, a cybersecurity company, was compromised and the updates for its Orion software were used to push malware.
The investigation of the SolarWinds incident is an example of root cause analysis performed correctly. If investigators stopped when they discovered the malicious updates, then it is likely that several of the malware variants used in the attack would have been overlooked completely.
It’s also likely that the 30% of organizations compromised by the attack but with no direct link to SolarWinds would have been overlooked as well. The cybercriminals behind the attack used a variety of different methods to infect organizations with their malware. SolarWinds’ compromised updates were like the most widely used attack vector used but not the only one.
Project Zero and 2020 Zero-Days
Project Zero is an initiative within Google designed to “make zero day hard”. The goal of this project is to investigate the techniques used by cybercriminals to discover unknown vulnerabilities and to develop and deploy zero-day exploits. The project helps to identify and fix unknown vulnerabilities in software as well as looking for patterns in how attackers identify and exploit vulnerabilities.
In 2020, the Project Zero team investigated twenty-four zero-day exploits seen in use that year. For seven of them, there was a clear pattern: they’d seen these exploits before.
The cybercriminals behind these attacks took advantage of poorly-designed patches for existing vulnerabilities. According to Maddie Stone, a member of the Project Zero team, “Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit.”
Over a quarter of the zero-day exploits discovered in 2020 could have been prevented by performing proper root cause analysis when developing patches for past vulnerabilities. Because the patch developers did not dig into the details of the vulnerability, they did not fully understand what made the software vulnerable and the patches they created were ineffective at fixing the problem and protecting the software’s users.
How MorganFranklin Can Help
Root cause analysis is essential to effective cybersecurity. As demonstrated by the SolarWind hack and Project Zero’s research, a failure to fully investigate a problem and fix the underlying issues can leave an organization vulnerable to being attacked again.
Effective root cause analysis requires a deep understanding of cybersecurity, how systems work, and the common tactics, techniques and procedures used by cyberattackers. MorganFranklin analysts can provide this guidance, knowledge, and expertise to help to ensure that an attempt to remediate a cybersecurity incident or close a vulnerability is effective.