CDK Global Breach: AppSec Lessons & Incident Response

CDK Global appears to have experienced multiple breaches over the past week, leading to significant disruptions for automotive dealers nationwide. The connection between these incidents remains unclear. While the breaches may not have directly resulted from exploited application security vulnerabilities, they have severely impacted CDK's application platforms.

This highlights the critical importance of incorporating business continuity and disaster recovery into Application Security programs.

CDK Global Incident Overview

CDK Global, a provider of automotive dealership software, experienced what they believe to be a ransomware attack that disrupted its operations. This incident occurred while the company was reportedly recovering from a previous breach of their system. Unfortunately, this secondary incident extended an existing outage costing CDK more business and causing significant frustration for both CDK customers and the dealerships’ customers.

There are likely three causes for this secondary breach:

• It is possible this secondary breach is a completely separate incident with a different attacker.
• It is also possible that during the recovery of the primary incident, there was an incomplete eradication of the initial breach.  The original attacker could have maintained a foothold into CDKs systems which isn't unusual.
• Another possibility is that the backups were corrupted.  Depending on how long the attacker had the ransomware embedded, it is not unusual that a backup can become corrupted depending on how the backups were created.

Enhancing Application Security: Lessons from the CDK Global Breach

In the wake of the recent breaches at CDK Global, it’s important to reevaluate and strengthen our application security strategies. Although the exact cause of these breaches remains unclear, their impact underscores the importance of robust security measures.

Here are key application security strategies that can help mitigate such risks and ensure resilience:

• Threat Modeling:  Proactively model threats like ransomware attacks to ensure systems can remain operational on alternate networks, recover effectively, and verify the integrity of backups.
• Logging and Monitoring: It’s important to understand expected behavior of access to the system. Is someone accessing a server from an unusual location or time? Servers that control access to a businesses main revenue generating applications need to be monitored.  The monitoring also needs to be intelligent. Overloading with alerts can lead to failing to catch real ones.
• Limiting Lateral Movement: This is about network and server segmentation.  This can be done using technologies like Zero Trust or it can be done via network controls with authentication credentials.  When it comes to ransomware bringing down a system, the more systems that ransomware can infect the greater the difficulty of recovering.
• Redundancy: Having systems that can be switched on quickly is imperative.  In today's system delivery, though, this can be a little complex. If an application's architecture relies on a single database, that single database is a single point of failure.  However, managing back-ups and failover of the database requires thoughtfulness.  
• Disaster Recovery Strategies: Preparing for a disaster is the best way to be ready. While tabletop exercises are good, the best way is to regularly cause your own outages.  Netflix has this strategy mapped out. They intentionally bring down parts of their system and require any new application or application component to be resilient to any individual component going down, a network segment going down, or a single datacenter going down. This obviously needs to be scaled for the company and deployment strategy.

CDK Global Breach Final Thoughts

The CDK Global breach created a massive loss for the company. It will almost certainly recover from it in the long run, however, the amount of downtime it experienced is causing a lot of pain for not only the company but its customers and their customers. 

It may not be possible to prevent a ransomware attack, but being prepared for the recovery process and minimizing the blast radius are incredibly important.  An application security program that focuses on the engineering practices will uncover these gaps and increase resilience in the face of these threats.