The massive attack against SolarWinds has created significant concern because the compromise of a single company impacted many other connected companies. Attackers have realized that to scale their operations, it is simpler to attack companies that already have access to other customers’ networks en masse. Instead of attacking one company at a time, it makes good “attacker sense” to infiltrate such companies, chain the mass attack to thousands of their customers, and then use the compromised system to control the attack network. This is by no means a new strategy, but it remains a very effective one that is challenging to stop.
The breach of FireEye by nation-state hackers was carried out through malicious updates to a widespread network monitoring product (SolarWinds), impacting government organizations and companies. The hackers compromised SolarWinds’ build infrastructure and used that access to produce and distribute malicious updates to the product’s many users.
How massive was the SolarWinds attack? SolarWinds’ customers included 425 of the U.S. Fortune 500. This highlights the significant impact that supply chain attacks can have on companies, many of which are unaware of the threat or of the need to defend against it. It emphasizes the requirement to take steps to manage supplier security whenever possible.
There is no denying that the SolarWinds attack raises questions around supplier security. It is essential to ensure that suppliers are appropriately vetted and are held to the same or better security standard as your company. Every organization must set a security baseline. Many organizations set a baseline based on a framework such as ISO 27001 or NIST 800-53/171 as this makes it simpler to compare technical and administrative controls and measure security maturity.
It’s not always possible to ensure that suppliers are compliant with the same framework baseline as the organization. However, the company will still need assurance of the high level of security that its board expects. When compliance with a specific framework cannot be guaranteed, it’s good practice to ringfence the supplier and their services. The resulting isolation or air gap provides the organization with the level of protection it requires.
Creating the cyber-resilience security posture
It is often asked whether an attack as large-scale as this one, nation-state sponsored and one that companies such as FireEye and Microsoft struggled to detect and stop, can be controlled at all, and what chance a corporation has of defending against it effectively.
These types of attacks are targeted and very difficult to detect, so the best countermeasure is layers of defense. By using a layered defense strategy (putting multiple obstacles in place), an organization makes it more challenging for the attacker to succeed. Although these attacks are hard to detect and stop, the answer should never be to do nothing at all.
The better the organization’s cyber-resilience, the more challenging it will be for attackers to compromise the environment and remain undetected. Companies can take the following steps to improve their security posture and resilience.
1. Continuous detection
The first thing to consider is what the organization needs to defend. Identifying the assets that need protection, including devices or data and ringfencing them so that they are correctly protected and defended, is essential.
A pen test or a vulnerability scan does not go far enough. It is a snapshot at a point in time, which is not adequate against persistent attacks like the SolarWinds one. The challenge with attacks like SolarWinds is that they involve compromising a trusted plugin, which can slip past this type of scan entirely. A robust and continuous testing platform would detect the outbound connections, exfiltration and remote-access trojans such as the SolarWinds backdoor.
However, a challenge with continuous detection is the need to have “eyes on glass.” People who have the experience and understand what they are looking at and for should be watching and analyzing. Companies must acquire the expertise needed to provide this function securely for the organization.
2. Watch the data and connections leaving the perimeter
These days, network traffic traverses many networks. Nonetheless, some paths are well-traveled and required for typical day-to-day operations. These patterns can be learned, and the learned pattern can then be used to defend the organization. Every application contributes to the traffic, so the introduction of an exploited module like the one in SolarWinds would create a detectable anomaly. If the traffic is not monitored, however, it could fly under the radar. Attacks like this one are not easy to detect, as evidenced by the fact that only a handful of vendors could detect the SolarWinds breach.
It is also essential to consider the endpoints as an extension of the perimeter. These must also be monitored, especially since many devices are remote yet have access to the corporate network and assets, which means infections and intrusions can enter through them.
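The egress baselining described above, as an added example that is not part of the original article: a learned set of known destinations and volumes per (host, process) is compared against newer log lines, so a trusted monitoring process that starts beaconing to a never-seen destination, or an existing connection that suddenly moves far more data, is flagged. The CSV log format, the host and process names and the destination domains are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample egress logs: timestamp,host,process,destination,bytes_out.
# "monitor01" stands in for an internal monitoring server whose outbound pattern is stable.
BASELINE_LOG = """\
2020-12-01T08:00:00,monitor01,netmon.exe,updates.vendor.example,20480
2020-12-01T08:05:00,monitor01,netmon.exe,telemetry.vendor.example,4096
2020-12-02T08:00:00,monitor01,netmon.exe,updates.vendor.example,20480
2020-12-02T09:00:00,ws-042,outlook.exe,mail.corp.example,81920
"""

# Live window: line 2 is a constructed new destination, line 4 a constructed volume spike.
LIVE_LOG = """\
2020-12-14T08:00:00,monitor01,netmon.exe,updates.vendor.example,20480
2020-12-14T12:03:00,monitor01,netmon.exe,cdn.unknown-host.example,512
2020-12-14T12:10:00,ws-042,outlook.exe,mail.corp.example,90000
2020-12-14T13:00:00,ws-042,outlook.exe,mail.corp.example,9000000
"""

def parse(log):
    """Turn the CSV text into (timestamp, host, process, dest, bytes) tuples."""
    rows = []
    for ts, host, proc, dest, nbytes in csv.reader(io.StringIO(log)):
        rows.append((ts, host, proc, dest, int(nbytes)))
    return rows

def build_baseline(rows):
    """Per (host, process): the set of known destinations and the largest transfer seen."""
    dests = defaultdict(set)
    max_bytes = defaultdict(int)
    for _, host, proc, dest, nbytes in rows:
        key = (host, proc)
        dests[key].add(dest)
        max_bytes[key] = max(max_bytes[key], nbytes)
    return dests, max_bytes

def find_anomalies(baseline, rows, volume_factor=10):
    """Flag destinations never seen for that host/process, or transfers far above its maximum."""
    dests, max_bytes = baseline
    alerts = []
    for ts, host, proc, dest, nbytes in rows:
        key = (host, proc)
        if dest not in dests[key]:  # unknown (host, process) pairs have an empty set, so they alert too
            alerts.append((ts, host, proc, dest, "new destination"))
        elif nbytes > volume_factor * max_bytes[key]:
            alerts.append((ts, host, proc, dest, "volume spike"))
    return alerts
```

A real deployment would learn the baseline over weeks rather than two days and would feed the alerts to the analysts the article calls "eyes on glass", since a new destination is a lead to investigate, not proof of compromise.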
3. Air gapping and isolation
Using air gapping to defend devices, data, and any element that could compromise the environment is a suitable defense mechanism. Air gapping is a security measure to ensure a computer network is physically isolated from unsecured networks.
It can be viewed in the same way as a moat around a castle. The moat provides an obstacle, and from the towers above it you can see attackers trying to cross the moat to reach the castle. In the SolarWinds attack, however, the attackers infiltrated through someone who already had access to the castle’s inner walls. This means that even the most trusted suppliers should be scrutinized, and a Zero Trust strategy would also be beneficial in this instance.
4. Privileged account management
If any system, person, application, or device holds elevated privilege and can administer the environment, decide where data flows, or grant access, then its credentials must be securely managed.
Service accounts and back channels are exactly the attack paths that attackers look for, and any tool that can be used to administer the environment will be a target. The SolarWinds attack is a lesson to learn from: organizations must ensure that their defenses are raised, and that the appropriate tools are properly implemented as well as monitored for vulnerabilities.
5. System hardening
Vendors are currently endeavoring to release devices that are hardened by default. However, this does not always work as well as intended, so system hardening should be treated as a technique for securing the environment in its own right. Removing all tools and software that are not required from computers, and ensuring that devices, servers, and services are used only for what they are intended, is key to a more robust security posture.
Many people confuse flexibility with strong security when, in fact, flexibility is not always required to do a job securely. For instance, if a device is needed only to browse the Internet, do office-related work, and store data on the corporate network, there is no reason all other functions can’t be stripped away, leaving only the intended functions behind a restricted interface with strong authentication. This creates a barrier that is frustrating to the attacker and, in some cases, not worth the attacker’s attention, which may divert their focus to a weaker point.
Finding a pragmatic balance is necessary, but it is not easy. Therefore, many avoid the exercise, but doing nothing could lead to compromise. It’s worth taking the time to harden your environment and create a security culture so that you can defend against these types of attacks. If the asset is worth protecting, then the exercise is worth the effort.
6. Supplier vetting
Supplier vetting, although difficult, is a fundamental step. It is common these days for suppliers to receive security questionnaires from their customers and to answer every question positively in order to retain the business and create a favorable impression. When audited, it is often found that suppliers operate in ways that could leave their customers exposed. Only a few have the defenses required to keep their customers safe, because cybersecurity is not straightforward and attacks can infiltrate from anywhere and through anything.
SolarWinds attack aftermath: Analyzing the risks
A step in the right direction is to employ a structured way to vet the supplier and to work with the supplier to properly understand their security posture and maturity. It is essential to achieve a level of honesty and to be realistic. Once this is known, the risk can be evaluated more effectively. The organization can then either accept the risk according to its risk appetite or mitigate it by implementing layers of defense as required. Some risks may be acceptable and others may not, so companies need to take an informed view on how to address each issue or risk.