
Lessons learned: How to prevent the next SolarWinds attack

ITP.net speaks to industry experts on lessons learned following the SolarWinds cyber-attack.

The SolarWinds supply chain attack caused over USD 90 million in damages.

The SolarWinds breach was one of the most far-reaching cyber-attacks in recent history. The incident resulted in financial losses estimated at more than USD 90 million. One year after the attack made headlines, what lessons have security leaders learned?

An unprecedented attack

In late 2020, the SolarWinds attack, one of the largest cyber-attacks on record, was discovered in the United States. The attack compromised as many as 250 organisations, among them government departments including the US Energy Department. Following months of investigation, US intelligence agencies concluded that the Russian government was behind the attack.

The attack was made possible through a software update from SolarWinds, in a sophisticated operation that exploited a weakness in the supply chain and went undetected by security solutions. Through the SolarWinds update, hackers were able to create ‘backdoors’, or hidden access points, in the networks of hundreds of companies, government departments, think tanks and more across the US and further afield, allowing the attackers to maintain a persistent presence. The attack went undiscovered for almost a year.

Security lapses

Brian Chappell, chief security strategist, EMEA & APAC, BeyondTrust.

One of the earliest lapses linked to the attack was login information for SolarWinds’ update server being left on a public GitHub repository, which could have allowed attackers to gain access and upload files to the company’s servers. “This was discovered in November 2019 and responsibly reported to SolarWinds by a security researcher. However, it’s believed that the credentials had been published to the repository as early as June 2018. SolarWinds corrected the situation within a few days but the damage was done. This is not a unique scenario, it happens far more frequently than it should,” said Brian Chappell, chief security strategist, EMEA & APAC, BeyondTrust.

Sameer Basha, Security Consultant, Check Point Software Technologies

Alongside the security problems associated with the use of publicly accessible platforms such as GitHub, the SolarWinds attack also highlighted that companies and government agencies of all kinds rely on the security procedures of their suppliers, partners and other third parties; the security failure of one link endangers all, according to Sameer Basha, Security Consultant, Check Point Software Technologies, Middle East.

“The sophisticated attack has forced the industry to redefine an organization’s security posture, as it depends heavily on the risks associated with third parties and cannot be mitigated just by having contractual controls,” he said.

According to the FortiGuard Labs Threat Research Team, by hiding the malware in a trusted network management tool from a trusted vendor, the attackers managed to gain highly privileged access on the networks of some of the largest organizations in the world. It exposed several weaknesses in industry defences against advanced persistent threat (APT) actors including how most anti-malware and endpoint detection and response tools failed to spot the initial backdoor or malicious activity until signatures were developed and indicators of compromise (IOCs) released after the breach was discovered.

Joseph Carson, Chief Security Scientist & Advisory CISO, ThycoticCentrify.

SolarWinds also highlighted the reach, financing and skill of certain hacking groups, according to Joseph Carson, Chief Security Scientist and Advisory CISO, ThycoticCentrify, “As we analysed the details and timeline of this attack, we realized it was truly sophisticated. It attempted to stay covert; tracks were hidden. There was unlimited time, expert resources, financial backing, and creativity behind this attack. The preparation will have likely taken several years of testing, planning, staging, and executing,” he said.

Carson further pointed out that the SolarWinds attack and the nature, resources and backing of the attackers behind it, represents the most serious cyber threat he has ever seen in over 15 years in the cybersecurity industry.

Copycat hackers

As a result of the successful attack, cybercriminals around the world took note of the method used by the SolarWinds hackers and began to target links in the supply chain, resulting in a significant uptick in such attacks. The best-known example of 2021 is the Kaseya incident, in which ransomware was pushed to the customers of managed service providers through a flaw in an IT management product they relied on; the Colonial Pipeline ransomware attack of the same year, though it began with a stolen VPN credential rather than a poisoned update, showed the same appetite for targets whose compromise cascades downstream. Bolstering the defences of an entire supply chain, from solution developers and vendors, to service companies, through to end users and departments, is a daunting task.

Hadi Jaafarawi, managing director, Middle East, Qualys.

“The solution is neither immediate nor easy, and we will see similar attacks again in the near- and mid-future. Shoring up cybersecurity defences against such attacks begins with a shift in mindset from blind trust in the supply chains’ security capabilities. This tends to be the case particularly when the supplier is a big company and the product is used by a large customer base. Secondly, the audit process should be re-examined to ensure proper coverage across the entirety of the stages. Thirdly, organisations should implement solutions to verify compliance, at both technical and non-technical levels, to ensure a proper validation of the supply chain,” said Hadi Jaafarawi, managing director – Middle East, Qualys.

Preventative measures

Companies can take a series of steps to help limit their exposure to attacks. Ensuring that access to privileged administrative accounts is tightly controlled and monitored is key, according to Chappell. “In cases of attacks delivered through updates, each and every update should be tested in an isolated environment. Furthermore, in terms of long-term breaches aimed at gathering sensitive data, internal software must be patched and configured correctly and login credentials should be strictly managed and controlled,” he explained.

Meanwhile, FortiGuard Labs Threat Research Team posited that regular auditing of systems will help to identify weaknesses that might have passed unnoticed. The Team also highlighted the ability of companies to filter and scan downloaded files for malicious code along with tightly controlling what applications and programs are able to run on their internal systems.
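Chappell's point about testing every update in isolation and the FortiGuard advice about controlling what may run on internal systems meet in a promotion gate: a candidate update is diffed against the last approved release, and only files whose hashes have already been through that isolated testing are allowed onto production hosts. The code below is an added example written for this article, not SolarWinds' or any quoted vendor's tooling; the baseline and candidate file trees are constructed in a temporary directory so that it runs offline.

```python
"""Update promotion gate: diff a candidate update against the last approved
release and fail closed on anything that has not been reviewed.

Added example for this article, not code from SolarWinds or from any of the
vendors quoted. The baseline release and candidate update are constructed in
a temporary directory so the example runs offline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Set


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: str) -> Dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


@dataclass
class UpdateReview:
    added: List[str] = field(default_factory=list)
    modified: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    unreviewed: List[str] = field(default_factory=list)

    @property
    def approved(self) -> bool:
        # Fail closed: any new or changed file outside the reviewed set blocks
        # promotion, however the vendor signed the package.
        return not self.unreviewed


def review_update(baseline: Dict[str, str], candidate: Dict[str, str],
                  reviewed_hashes: Set[str]) -> UpdateReview:
    """Compare candidate against baseline. Every file that is new or changed
    must carry a hash that isolated testing has already signed off."""
    r = UpdateReview()
    for rel, digest in sorted(candidate.items()):
        if rel not in baseline:
            r.added.append(rel)
        elif baseline[rel] != digest:
            r.modified.append(rel)
        else:
            continue  # unchanged since the approved release
        if digest not in reviewed_hashes:
            r.unreviewed.append(rel)
    r.removed = sorted(set(baseline) - set(candidate))
    return r


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> UpdateReview:
    """Construct a baseline release and a candidate update, then gate it."""
    with tempfile.TemporaryDirectory() as tmp:
        base, cand = os.path.join(tmp, "v1"), os.path.join(tmp, "v2")
        # Constructed sample release v1: the last approved version.
        _write(base, "bin/agent.exe", b"agent v1")
        _write(base, "lib/core.dll", b"core v1")
        _write(base, "lib/legacy.dll", b"legacy")
        # Constructed candidate v2: core.dll rebuilt, a new DLL appears,
        # legacy.dll is gone, agent.exe untouched.
        _write(cand, "bin/agent.exe", b"agent v1")
        _write(cand, "lib/core.dll", b"core v2")
        _write(cand, "lib/helper.dll", b"helper v2")
        baseline, candidate = manifest_of(base), manifest_of(cand)
        # Only the rebuilt core.dll has been through isolated testing so far.
        reviewed = {hashlib.sha256(b"core v2").hexdigest()}
        return review_update(baseline, candidate, reviewed)


if __name__ == "__main__":
    result = demo()
    print(result)
    print("approved:", result.approved)
```

The caveat that SolarWinds makes unavoidable: a trojanised DLL shipped inside a vendor-signed update shows up here as a modified file exactly like a legitimate rebuild, so the vendor's signature and published hash cannot be the review. The gate's value is that every new or changed binary is forced through the sandbox run before its hash enters the reviewed set, and the approved manifest then doubles as the allowlist that application control on the hosts enforces.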

Collaborative security

One recurring theme that the security experts highlighted during the discussion on SolarWinds was the need for a degree of trust within the supply chain. The answer to security flaws within the supply chain is obvious: every company involved in the chain has to work together to address threats in as holistic a manner as possible. However, with so many companies involved in the chain, this in itself is a hard nut to crack.

The first step is to ensure that vendors are delivering secure, reliable products to their end users. “Vendors will have to enforce adequate security controls in their organization to mitigate supply chain attacks. They should provide high-quality products and services that are secure, and in doing so, they secure the customer,” said Basha.

Alongside ensuring that end users, their employers and vendors place a premium on security, organisations need a supply chain risk management plan that establishes policies and procedures for dependencies and exposures, according to the FortiGuard Labs Team. This plan should document key risks throughout the system development life cycle, including design, manufacturing, production, distribution, acquisition, installation, operations, maintenance, and decommissioning. Moreover, the security leadership of each link in the chain should maintain situational awareness through timely threat intelligence so they can quickly reprioritise strategy and defences when the situation calls for it.

As customers, we can require our suppliers to have basic security controls in place; as suppliers we advise our customers on how they can protect their environments from any supply chain attack, according to Chappell.

Above all, he also noted that implementing a zero-trust architecture (ZTA) is vital. “ZTA starts from the fundamental premise of a breach already in place and assembling controls to ensure that the breach is contained and restricted. When all parts of the supply chain have addressed the security basics and, ideally, moved to a zero-trust architecture (ZTA), we will have done all that’s reasonable in defending against attacks,” he explained.

The future

All the experts spoken to by ITP.net concurred: supply chain attacks such as SolarWinds will continue. This type of attack is here to stay, and the best form of defence is a layered approach to security both at the company level and across the supply chain itself. This will entail individual companies taking responsibility for their own defence, but also working in tandem with their suppliers and clients and demanding that each stage in the chain take steps to secure its organisational environment and the products it produces.