Breaches happen all the time, but every so often one of those breaches breaks through into national headlines, serving as a watershed moment about where we are and where we need to be with regards to cybersecurity.One of those watershed moments occurred last December when it was revealed that Russian state-sponsored hackers breached the software developer SolarWinds, and from there managed to access some pretty tightly-sealed networks and systems across public and private sectors. But what exactly happened? Who does it effect? What can we learn to better protect our organizations?
One of the most striking aspects of the SolarWinds hack is that it was years in the making, taking a huge amount of discipline and patience to pull off and stay undetected. Forensic evidence found that the hackers gained access to Orion, the SolarWinds product that was compromised, back in late 2019. Yet, at that time, the hackers didn’t actually make any changes or launch an attack. Instead, they sat and waited in order to monitor, learn, and test SolarWind’s system to ensure they wouldn’t be caught.
Then, months later in May 2020, the hackers made their move — but not in the way most would expect. Typically, when someone wants to infect a piece of software with malware, they will modify the code behind the software. However, because security experts know to look for code modifications, these hackers decided to instead install their malware directly onto the software product itself. So, when an update for Orion was released, government agencies, and companies big and small downloaded an update that contained a backdoor for the hackers.
Between May, when malware was initially launched, and December, when the hack was discovered, the attackers were able to move throughout the networks and systems of any company using SolarWinds’ software that they wanted. And they were targeted, going after the emails of specific, high-valued individuals within affected organizations. From there, the goal was to maintain access, move around infected system, and hold onto access of specific individuals’ communications.
Much has been made about the level of sophistication involved in the attack — and it was. However, at root, this is a story about 3rd party risk. We’ve written before about the importance of vendor management, and the SolarWinds hack is an extreme case in point. Because most organization’s today depend in large part on 3rd party providers for everything from cloud storage, to product platforms, to network security, an attack like this doesn’t have a definitive end. Instead, the SolarWinds attack has the potential ripple across a web of interconnected organizations across the supply chain. According to Steven Adair, a security expert who helped with the incident response for SolarWind, the attackers “had access to numerous networks and systems that would allow them to rise and repeat [the] SolarWinds [attack] probably on numerous different scales in numerous different ways.” It’s therefore possible — and perhaps likely — that the full effects of the hack are still to be revealed.
If that doesn’t serve as a wake up call, we don’t know what will. And as it turns out, there are a number of effective and achievable steps organizations can take to mitigate 3rd party risk.
1. The Basics
It may not seem like much, but simply maintaining basic digital hygiene plays a big role in protecting against attacks. Strong password management, using multi-factored authentication, and network segmentation should be a cybersecurity baseline for all organizations. These are simple steps that serve as an organization’s first line of defense against an attack.
2. The Rule of Least Privilege
The rule of least privilege essential means providing the least amount of access for the least amount of time to systems and networks. This involves setting limits on what access you give to products and software as well as actively monitoring access privileges for employees, contractors, and vendors. Essentially, if something or someone doesn’t need access to a piece of your system, they shouldn’t be able to access it. If someone need access to a part of your network for 2 days, then their privileges should expire after 2 days. This will limit the ability for malicious users to move around systems, potentially preventing them from spreading to other, more sensitive environments.
A lot of organizations these days maintain event logs, which essentially keep a record of all network activity. While logs might not directly prevent a breach, these records are vital to asses the potentially damage and scope of an attack, allowing organizations to act swiftly and forcefully to remove the threat. However, keeping logs isn’t enough, it’s essential to also retain these logs. SolarWinds policy was to remove these logs after 90 days. The problem, of course, was that the attack was discovered far more than three months after the hackers breached the system, effectively making it impossible to gain any detailed insight into what the hackers were doing prior to August of 2020.
Combining Business and Security
We’ve said it before and we’ll say it again: it’s easy to see security needs as at best a nuisance and at worst a barrier towards optimal business performance, but this simply isn’t the case. As Steven Adair points out, a small company doesn’t need to hit the ground running with the best security products and a million code audits right out the gate. However, if businesses incorporate security concerns within business strategies, these organization can start to ask themselves: “Where are we now, what can we do now, and what can we do along the way?” Asking those questions might just make the difference down the road when the next watershed moment strikes.