The insertion of malware into SolarWinds’ popular Orion network management software sent the federal government and major parts of corporate America scrambling this week to investigate and mitigate what could be the most damaging breach in US history. The malware, which cybersecurity company FireEye (itself the first public victim of the supply chain interference) named SUNBURST, is a backdoor that can transfer and execute files, profile systems, reboot machines and disable system services.

Reuters broke the story that a foreign hacker had used SUNBURST to monitor email at the Treasury and Commerce Departments. Other sources later described the foreign hacker as APT29, or the Cozy Bear hacking group run by Russia’s SVR intelligence agency. Subsequent press reports indicated that the malware infection's reach throughout the federal government could be vast and includes—only preliminarily—the State Department, the National Institutes of Health, the Department of Homeland Security (DHS), and likely parts of the Pentagon.

Former director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs said in a tweet after news broke of the intrusion, “this thing is still early,” meaning that it will likely be months—possibly years—before the true scope of the damage is known.
SolarWinds said that up to 18,000 of its 300,000 customers downloaded the tainted update, although that doesn’t mean that the adversary exploited all infected organizations.

CISA issued a rare emergency directive calling on all federal agencies to “review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.” The FBI, CISA and the Office of the Director of National Intelligence (ODNI) issued a joint statement acknowledging they established a Cyber Unified Coordination Group (UCG) to mount a whole-of-government response under the direction of the FBI.

On December 17, CISA issued an alert that spells out the threat actor’s tactics and techniques in detail. The alert also offers steps that organizations should take to apply mitigations to networks using the Orion product. The alert further states that CISA is investigating evidence of additional initial access vectors, other than the SolarWinds Orion platform.

Future successful SolarWinds-level attacks likely

As the federal government and businesses begin to understand and mitigate the damages, the question arises whether anything could have been done to prevent this catastrophe. One seeming failure on the federal government's part is the delayed updating of its multibillion-dollar detection system, Einstein, which is operated out of CISA and is designed to detect malware on government networks. A 2018 recommendation by the Government Accountability Office (GAO) called for new features to be added to the system that might have helped detect SUNBURST earlier.

“There is no way that you can prevent a future occurrence like this from happening with a 100% guarantee,” Michael Daniel, president and CEO of the Cyber Threat Alliance and cybersecurity coordinator under President Obama, tells CSO.
“I told the president several times that if anybody came into his office who promised to solve the cybersecurity problem for him, or had a 100% guarantee, that he should throw them out because they were either fools or they were lying,” he said. “You cannot achieve 100% security, especially against an adversary that is backed by a nation-state and with a nation-state’s resources that is willing to be patient and willing to expend a lot of resources.”

“These types of attacks are generally very difficult to protect against since [SolarWinds] is already a third-party trusted provider for software and is using practices such as code signing,” Dave Kennedy, co-founder and chief hacking officer of TrustedSec, tells CSO. “Most organizations treat third-party software as trusted entities, and from a risk perspective, the likelihood was always perceived low overall.”

Despite the difficulties of preventing and detecting significant attacks like this, experts believe that organizations can do more to minimize the risk from them.

Behavioral-based detection

Kennedy says monitoring for behavioral-based detection around unusual server activity might have detected the malware earlier. “In the case of SUNBURST, the servers began to beacon out via DNS resolution to domains that it never had before. These types of deviations should be identified and investigated,” he says. “From a SolarWinds perspective, this should have been identified much earlier on.”

Dedication to basic cybersecurity hygiene

Daniel says that “a lot of it is really about ensuring that you follow the basics and have your networks properly segmented, for example, and use the least privilege. You should put up many different sorts of tripwires for an adversary so that even if they are able to get into the supply chain like this, they find it more difficult once they actually get into your network to move around.”

Kennedy agrees.
“Network segmentation and access controls are equally important [as robust network monitoring], as is data encryption and backups. It's also important to audit your network, assess your liabilities, plan for contingencies and conduct regular network tests,” he says.

Proper supply chain risk management

Whether the SolarWinds breach was a supply chain attack or not, it’s clear that one solution to minimizing this kind of threat in the future is proper supply chain risk management, something few federal agencies do, according to a report issued this week by the GAO. Virtually none of the 23 civilian agencies reviewed by the GAO had implemented the seven selected foundational practices for managing information and communications technology (ICT) supply chain risks recommended by the National Institute of Standards and Technology. Because of the weaknesses in managing supply chain risks, “agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain.”

Regarding how the federal government moves forward from here, Daniel says that “they’re going to have to continue the cleanup efforts. They’re going to have to continue the damage assessment to understand what has happened. I think from there, what you want to do is go back through these agencies and look at their cybersecurity practices.”

Include supply chain attacks in your threat models

Kennedy thinks that “organizations really need to focus on building their overall threat models to incorporate third-party supply chain attacks and design their architecture, infrastructure, and privileged access around these models to ensure compartmentalization on software and services.” A full understanding of the SolarWinds attack would help organizations to properly assess the risks for their threat models, but that won’t happen soon.

Most cybersecurity experts have only a hazy view about what has happened.
“What is most concerning is that we don't yet know what other types of malware the attackers may have installed after the initial stage of the compromise. If those were custom tools or zero days, it could take even longer to get control of this,” Kennedy says.
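As an added illustration of the DNS-deviation check Kennedy describes in the behavioral-based detection section above (example code written for this page, not from CSO, TrustedSec or SolarWinds): it learns which domains each server resolved during a baseline window and reports any domain a server later resolves for the first time. The resolver log format, host names and domains below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: "<timestamp> <source host> <queried name>".
# Host and domain names are invented for this example, not real indicators.
SAMPLE_LOG = """\
2020-11-01T08:00:00 orion-srv01 updates.example-vendor.test
2020-11-01T08:05:00 orion-srv01 ntp.example-corp.test
2020-11-02T09:10:00 orion-srv01 updates.example-vendor.test
2020-11-03T10:00:00 orion-srv01 ntp.example-corp.test
2020-11-20T03:14:00 orion-srv01 abc123.appsync-api.example-c2.test
2020-11-20T03:15:00 orion-srv01 updates.example-vendor.test
2020-11-21T03:14:00 orion-srv01 def456.appsync-api.example-c2.test
"""

def registered_domain(name):
    """Last two labels, so per-beacon random subdomains map to one entry
    (simplification: no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_lines(text):
    """Yield (timestamp, host, query name); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def find_deviations(text, learn_until):
    """Report, once per host, each registered domain first resolved at or
    after learn_until (ISO 8601) that the host never resolved before it."""
    cutoff = datetime.fromisoformat(learn_until)
    records = list(parse_lines(text))
    baseline = defaultdict(set)  # host -> domains seen during learning window
    for ts, host, name in records:
        if ts < cutoff:
            baseline[host].add(registered_domain(name))
    reported = defaultdict(set)
    deviations = []
    for ts, host, name in records:
        domain = registered_domain(name)
        if ts >= cutoff and domain not in baseline[host] | reported[host]:
            reported[host].add(domain)
            deviations.append((ts, host, name))
    return deviations

if __name__ == "__main__":
    for ts, host, name in find_deviations(SAMPLE_LOG, "2020-11-10T00:00:00"):
        print(f"{ts} {host} resolved a never-before-seen domain: {name}")
```

A real deployment would feed this from passive DNS or resolver logs and tune the learning window per host role; a server that suddenly resolves a new second-level domain is the deviation worth investigating.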