The Lasting Effects of SolarWinds: The Winds that Never Stop Blowing
From pandemics to politics, 2020 has been a year where trends like digital transformation have quickly helped establish a new normal for many during an unprecedented time. This has led to increased worry about breaches, social engineering and nation-state interference, resulting in the mainstream awareness of potential cyber hazards for critical public assets like voting machines and vaccinations. On December 11 though, as we looked forward to putting 2020 behind us and focusing on a potentially bright new year, all our wishful thinking came to a screeching halt with the announcement by FireEye that SolarWinds Orion updates were not only corrupted, but weaponized, and the result will long be known as the breach heard around the world.
The SolarWinds supply chain attack was an incredibly sophisticated combination of malware technology, concealment, and the strategic targeting of critical management systems, which results in high levels of access across an organization’s systems. The campaign quickly impacted public and private organizations, potentially up to 18,000 around the world compromised, at a velocity not seen by previous successful supply chain attacks — even NotPetya or Target.
Supply chain attacks like this have been rare, with attackers inserting malware into a trusted system like software. The reward, though, is exponential when successful — basically weaponizing the trusted source. Beyond the traditional attack scope, the weaponization of a trusted asset can significantly erode confidence not only from a brand perspective, but when government entities are impacted, the ability to successfully protect critical infrastructure on a global basis is called into question. Interconnection dependencies between public and private entities become even more critical to understand and protect, which may become a catalyst for larger global regulations.
The lasting impact of supply chain attacks?
The biggest concern here is that more threat actors will look to repeat the success that the SolarWinds compromise has had thus far. If supply chain hacks become more commonplace, the focus on visibility within an environment and app-to-app/user-to-app communications in a real-time, dynamic way, will become critical to prevent additional widespread breaches. Software testing and code review will also come under massive scrutiny from a security perspective, more so than has ever been seen in the past. Companies will have to quickly put measures in place to address both of these issues. Additionally, having the capability to recognize changes in behavioral patterns, particularly around privileged accounts and systems, is an important part of being able to detect and mitigate extremely advanced campaigns such as this.
So what can we do in response?
As we know, security is only as good as its weakest link. The SolarWinds attack should be a wake up call that we need as an industry to quickly adopt a security model with solutions that center around the Zero Trust architecture concept that has become the security buzzword of choice over the past year. We need to rely less on policies that focus on blocking traffic, and look more towards models that focus on what types of traffic should be allowed among users and applications. Visibility is critical. Security models must move away from being log-based and static, and need to focus on adopting more dynamic visibility and policy controls, implemented at scale, which focus on app-to-app and user-to-app traffic controls in a centralized policy focus.
A few quick steps for companies to consider are:
- Inventory all your assets, applications and users (ideally in a continuous fashion)
- Ensure proper visibility and understanding of all app-to-app and user-to-app dependencies & necessary policy enforcement. Inventory those dependencies.
- Execute a credential audit & remove all default credentials
- Implement & enforce least privilege policies
- Consider 3rd party penetration testing to identify other areas of improvement
The SolarWinds attack will continue to have a ripple effect in cyberculture for years to come. Legacy security policies and the entire concept of trust have been called into question and found lacking in mere days from the disclosure. The lessons learned from this catastrophic attack may allow us to finally shed some of legacy thinking and emerge with a more clear, relationship-based, centralized security model, which will lead to more manageable and advanced security controls going forward.