How to prepare for the next SolarWinds-like threat

The insertion of malware into SolarWinds’ popular Orion network management software sent the federal government and major parts of corporate America scrambling this week to investigate and mitigate what could be the most damaging breach in US history. The malware, which cybersecurity company FireEye (itself the first public victim of the supply chain interference) named SUNBURST, is a backdoor that can transfer and execute files, profile systems, reboot machines and disable system services.

Reuters broke the story that a foreign hacker had used SUNBURST to monitor email at the Treasury and Commerce Departments. Other sources later described the foreign hacker as APT29, or the Cozy Bear hacking group run by Russia’s SVR intelligence agency. Subsequent press reports indicated that the malware infection’s reach throughout the federal government could be vast and includes—only preliminarily—the State Department, the National Institutes of Health, the Department of Homeland Security (DHS), and likely parts of the Pentagon.

Former director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs said in a tweet after news broke of the intrusion, “this thing is still early,” meaning that it will likely be months—possibly years—before the true scope of the damage is known. SolarWinds said that up to 18,000 of its 300,000 customers downloaded the tainted update, although that doesn’t mean that the adversary exploited all infected organizations.

CISA issued a rare emergency directive calling on all federal agencies to “review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.” The FBI, CISA and the Office of the Director of National Intelligence (ODNI) issued a joint statement acknowledging they established a Cyber Unified Coordination Group (UCG) to mount a whole-of-government response under the direction of the FBI.

On December 17, CISA issued an alert that spells out the threat actor’s tactics and techniques in detail. The alert also offers steps that organizations should take to apply mitigations to networks using the Orion product. The alert further states that CISA is investigating evidence of additional initial access vectors, other than the SolarWinds Orion platform.

Future successful SolarWinds-level attacks likely

As the federal government and businesses begin to understand and mitigate the damages, the question arises whether anything could have been done to prevent this catastrophe. One seeming failure on the federal government’s part is the delayed updating of its multibillion-dollar detection system, Einstein, which is operated out of CISA and is designed to detect malware on government networks. A 2018 recommendation by the Government Accountability Office (GAO) called for new features be added to the system that might have helped detect SUNBURST earlier.

“There is no way that you can prevent a future occurrence like this from happening with a 100% guarantee,” Michael Daniel, president and CEO of the Cyber Threat Alliance and cybersecurity coordinator under President Obama, tells CSO. “I told the president several times that if anybody came into his office who promised to solve the cybersecurity problem for him, or had a 100% guarantee, that he should throw them out because they were either fools or they were lying,” he said. “You cannot achieve 100% security, especially against an adversary that is backed by a nation-state and with a nation-state’s resources that is willing to be patient and willing expend a lot of resources.”

“These types of attacks are generally very difficult to protect against since [SolarWinds] is already a third-party trusted provider for software and is using practices such as code signing,” Dave Kennedy, co-founder and chief hacking officer of TrustedSec, tells CSO. “Most organizations treat third-party software as trusted entities, and from a risk perspective, the likelihood was always perceived low overall.”

Despite the difficulties of preventing and detecting significant attacks like this, experts believe that organizations can do more to minimize the risk from them.

Behavioral-based detection

Kennedy says monitoring for behavioral-based detection around unusual server activity might have detected the malware earlier. “In the case of SUNBURST, the servers began to beacon out via DNS resolution to domains that it never had before. These types of deviations should be identified and investigated,” he says. “From a SolarWinds perspective, this should have been identified much earlier on.”

Dedication to basic cybersecurity hygiene

Daniel says that “a lot of it is really about ensuring that you follow the basics and have your networks properly segmented, for example, and use the least privilege. You should put up many different sorts of tripwires for an adversary so that even if they are able to get into the supply chain like this, they find it more difficult once they actually get into your network to move around.”

Kennedy agrees. “Network segmentation and access controls are equally important [as robust network monitoring], as is data encryption and backups. It’s also important to audit your network, assess your liabilities, plan for contingencies and conduct regular network tests,” he says.

Proper supply chain risk management

Whether SolarWinds breach was a supply chain attack or not, it’s clear that one solution to minimizing this kind of threat in the future is proper supply chain risk management, something few federal agencies do, according to a report issued this week by the GAO. Virtually none of the 23 civilian agencies reviewed by the GAO had implemented the seven selected foundational practices for managing information and communications technology (ICT) supply chain risks recommended by the National Institutes of Standards and Technology. Because of the weaknesses in managing supply chain risks, “agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain.”

Regarding how the federal government moves forward from here, Daniel says that “they’re going to have to continue the cleanup efforts. They’re going to have to continue the damage assessment to understand what has happened. I think from there, what you want to do is go back through these agencies and look at their cybersecurity practices.”

Include supply chain attacks in your threat models

Kennedy thinks that “organizations really need to focus on building their overall threat models to incorporate third-party supply chain attacks and design their architecture, infrastructure, and privileged access around these models to ensure compartmentalization on software and services.” A full understanding of the SolarWinds attack would help organizations to properly assess the risks for their threat models, but that won’t happen soon.

Most cybersecurity experts have only a hazy view about what has happened. “What is most concerning is that we don’t yet know what other types of malware the attackers may have installed after the initial stage of the compromise. If those were custom tools or zero days, it could take even longer to get control of this,” Kennedy says.