Lessons learned from the SolarWinds incident:
- Your risk boundary is not your network boundary.
- An attack timeline, from start to release date, can take almost 19 months.
- Identity is the new "perimeter".
- Behavioral analysis techniques are required to identify an identity compromise.
- Network baselining and abnormal behavior analytics are instructive.
- Consider whether you built software using third-party libraries.
- Consider whether you are using products/services from any compromised parties, including open-source software.
- Consider whom you trust, and when you last validated that trust.
- Build the capability to detect TTPs, not IOCs.
- CTI providers like to use different code names to identify the same malware.
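The behavioral-analysis, baselining and TTP-over-IOC lessons above can be turned into a small detection: learn each identity's normal sign-in profile (country, application, hour) and score deviations, rather than matching a fixed indicator. This is an added example, not code from the original list; the user names, applications and events are constructed.

```python
"""Baseline per-identity sign-in behaviour, then flag deviations (constructed example)."""
from collections import defaultdict

# Constructed baseline window: (user, source_country, application, hour_utc)
BASELINE = [
    ("svc-backup", "US", "backup-api", 2),
    ("svc-backup", "US", "backup-api", 3),
    ("svc-backup", "US", "backup-api", 2),
    ("alice", "US", "mail", 9),
    ("alice", "US", "mail", 10),
    ("alice", "US", "sharepoint", 11),
]

# Constructed observation window to score against the baseline
OBSERVED = [
    ("alice", "US", "mail", 9),           # normal
    ("svc-backup", "NL", "mail", 14),     # service account reading mail from a new country
    ("alice", "US", "admin-portal", 3),   # new application at an unusual hour
]

def build_baseline(events):
    """Collect the set of countries, apps and hours seen per identity."""
    profile = defaultdict(lambda: {"countries": set(), "apps": set(), "hours": set()})
    for user, country, app, hour in events:
        profile[user]["countries"].add(country)
        profile[user]["apps"].add(app)
        profile[user]["hours"].add(hour)
    return profile

def score(event, profile):
    """Return the list of ways an event deviates from its identity's baseline."""
    user, country, app, hour = event
    p = profile.get(user)
    if p is None:
        return ["unknown-identity"]  # never seen in the baseline window
    reasons = []
    if country not in p["countries"]:
        reasons.append("new-country")
    if app not in p["apps"]:
        reasons.append("new-app")
    # Off-hours if no baseline hour is within one hour (clock wraps at 24)
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in p["hours"]):
        reasons.append("off-hours")
    return reasons

def detect(baseline, observed, threshold=2):
    """Alert on events with at least `threshold` deviations; returns (event, reasons) pairs."""
    profile = build_baseline(baseline)
    return [(ev, score(ev, profile)) for ev in observed if len(score(ev, profile)) >= threshold]
```

Requiring two independent deviations keeps a single new hour or new app from paging anyone, while the service-account case above still surfaces without any known-bad IP or hash.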