You’re probably at least a bit familiar with Citrix, the software giant responsible for desktop virtualization, networking and SaaS services that are in use at millions of companies around the world. It is used by Fortune 500 organizations, the US Military and many government agencies It is a central element of how many businesses conduct their operations today.
Well in some bad news for those users, on March 8th, they were warned by way of blog post that hackers had compromised the Citrix network.
In a post penned by Citrix CISO Stan Black, he confessed that the company had been notified a few days prior by the FBI that they were victims of a cyber attack. It seems that foreign attackers used a method called password spraying, which targets weak passwords to breach their network. According to Black, “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”
Threats to US Intelligence?
According to independent security firm Resecurity who first discovered the attack, it appears that Citrix was hacked by an Iranian hacking group called IRIDIUM, who stole between 6-10 TB of business documents. They say that Citrix is not the group’s only target - IRIDIUM has attacked over 200 organizations as of recent, including government agencies and other tech companies.
If all this wasn't scary enough, Resecurity says that it appears that the attackers may have actually breached the network about 10 years ago and have been lurking silently ever since. Though it doesn’t seem that any customer information was compromised, it’s indeed a very disturbing prospect as the US Department of Defense as well as the Military both use Citrix cloud services. Though there is no cold hard proof yet, it makes sense to derive that IRIDIUM may have been after government information.
Citrix has launched an ongoing forensic investigation into the attack to better understand the scope and how it may, or may not, affect external customers. The incident has now been contained and no further data is at risk (at least not that they’ve told anyone about).
SDP - The Answer to the Evolving Perimeter
Ten years is a long time to not know about a breach. But the truth is that any length of time undetected is bad news.
Once upon a time, before distributed networks, IoT devices, and mobile this and that, the corporate perimeter was a static, unchaining entity. Access was granted on the basis of presumed innocence and Firewalls and antivirus were able to prevent the majority of threats.
But all that has changed.
Today’s perimeter is far more porous than that of the past and likewise, today’s threats are more pervasive and crafty. Attackers can easily slip past traditional security methods and get inside poorly reinforced networks — but that’s only the beginning; once inside, there’s no telling how much damage they may be able to cause.
This is why Gartner recommends implementing a Software Defined Perimeter. SDP is cloud-based access in which access is granted on a need-to-know basis. No one is permitted to access resources and applications until they have been authorized and proven trustworthy. Resources are virtually invisible until they are called upon by parties who have authenticated themselves.
In the case of the Citrix attack, having an SDP deployment would have:
- Obfuscated the internal services from unauthorized users, breaking the reconnaissance phase of the attack.
- Ensured that, if attackers did get hold of actual credentials, the SDP solution, after authenticating the user, would have provided access only to specific services, rather than to the entire network.
- Raised a flag to suspicious behavior if the SDP solution used a behavioral anomaly detection tool.
A software defined perimeter is exactly what organizations need to remain secured in the face of ever-changing threats. Sure, it may be a bit late for Citrix but it’s the perfect time for your organization to get started with SDP.