SolarWinds Supply Chain Cyberattack – Experts Insight

In the SolarWinds supply chain attack, hackers (believed to be working for Russia) tampered with software updates released by the company. Known victims of the attack so far include the US Treasury, the US NTIA and FireEye itself.

Experts' Comments

December 21, 2020
Paul German
CEO
Certes Networks


The SolarWinds breach is undoubtedly unprecedented and it is certainly not ‘just another data breach’. We’ve seen cyberattacks carried out by foreign intelligence services before, but none at this scale and with this much potential to cause catastrophic damage, the extent of which is currently unknown.

What we do know is that a foreign adversary was able to gain access to the IT systems of the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic and Atmospheric Administration, the Department of Justice, and the Office of the President of the United States, stealing vast amounts of data in the process.

Supply chain attacks like this have been a concern for the security industry for a long time; the threats posed by supply chain attacks are severe as not only are they typically more difficult to detect, but they often come through trusted third parties with high levels of access to sensitive and classified data.

This is where the problem lies. This demonstrates there is no such thing as an unreachable network, yet many organisations are still focused on controls that secure the network. The emphasis instead should be on controls that secure data. With a data-centric approach, organisations can ensure that even if the network of one of their suppliers or a trusted third party is compromised, their data will be secure. A software-defined approach to Information Assurance (IA), combined with the ability to deploy and manage seamlessly with technologies such as Layer 4 encryption, means that even if cyber hackers manage to infiltrate a network and ‘steal’ data, the contents of the data will be unreadable and effectively rendered useless.

This won’t be the last data breach of this kind that we’ll see, so serious lessons need to be learned. These attacks are called ‘data breaches’, not ‘network breaches’, for a reason, so focusing on securing data is the only way for organisations to avoid becoming the next victim.
December 21, 2020
Chris Hickman
Chief Security Officer
Keyfactor


Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates, allowing them to fabricate fake tokens for network access, traversing that to cloud access and subsequently managing network access and user permissions.

This attack was highly sophisticated and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organizations' broad inability to track certificates within the business, know how those certificates are used and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management.


Here are some best practices to mitigate misuse of keys and certificates:

  • Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM.
  • Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
  • Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).
  • Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
  • Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.
December 21, 2020
Mark Carrigan
Chief Operating Officer
PAS Global


Given the massive global scale of installations, the stakes are high with the SolarWinds hack. Many of these installations are across highly sensitive industrial operations where network visibility is traditionally weaker. In fact, just today the ESCC, whose members include some of the largest U.S. power utility companies, gathered to discuss the emerging threat and how to respond.

You cannot secure what you can’t see, so organizations across every industry must react by first identifying where SolarWinds software is installed across their environments. From there, they must further hone in on their inventory by determining the version(s) that are running to evaluate the vulnerability risk that may or may not be present. Without doing so, these risks get scaled in tandem with the vulnerabilities, and from the industrial perspective, this jeopardizes critical functions that impact everyday life.

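A starting point for the inventory step described in the comment above, added here as an example and not part of the expert's comment or of any SolarWinds tooling: a PowerShell script that lists SolarWinds products and their versions from the standard Windows Uninstall registry keys so they can be compared against the vendor advisory. The host list, output path and the use of PowerShell remoting for non-local hosts are assumptions.

```powershell
# Added example, not from the page or from SolarWinds. Inventories SolarWinds
# products on one or more Windows hosts by reading the standard Uninstall
# registry keys and writes host/product/version records to CSV.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumption: local host by default
    [string]$OutCsv = '.\solarwinds-inventory.csv'   # assumption: output location
)

# Both the 64-bit and the 32-bit (WOW6432Node) uninstall hives are checked.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Runs on each host; returns one record per installed product whose
# display name mentions SolarWinds (Orion modules register here too).
$collect = {
    param([string[]]$Keys)
    Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SolarWinds*' } |
        ForEach-Object {
            [pscustomobject]@{
                Host        = $env:COMPUTERNAME
                Product     = $_.DisplayName
                Version     = $_.DisplayVersion
                InstallDate = $_.InstallDate
                InstallPath = $_.InstallLocation
            }
        }
}

$results = foreach ($computer in $ComputerName) {
    try {
        if ($computer -eq $env:COMPUTERNAME) {
            & $collect $uninstallKeys
        } else {
            # Remote hosts need WinRM enabled and an account with local admin rights.
            Invoke-Command -ComputerName $computer -ScriptBlock $collect `
                -ArgumentList (,$uninstallKeys) -ErrorAction Stop
        }
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

# Persist for comparison against the advisory's affected-version list, then show on screen.
$results | Sort-Object Host, Product | Export-Csv -Path $OutCsv -NoTypeInformation
$results | Format-Table -AutoSize
```

Hosts with no matching entry produce no rows, so a host missing from the CSV either has no SolarWinds product registered or could not be reached (a warning is printed for the latter).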
December 16, 2020
Jamil Jaffer
Former WH Exec and SVP for Strategy, Partnerships & Corporate Development
IronNet
SolarWinds Orion is a monitoring platform used by IT professionals to manage and optimize their network computing environments. Because the platform connects a number of different monitoring capabilities, depending on how it is implemented, it may reach broadly across a given customer's network. According to SolarWinds, of its 300,000 clients, approximately 18,000 (or around 6% of its customers) deployed a version of the Orion platform that may have been compromised. Given previous attacks of this kind, it is likely that the scope of this threat is broader than the handful of agencies confirmed to be involved thus far. Moreover, it's worth noting that Secretary of State Pompeo suggested that a number of private sector entities were also likely targeted. Given the scope and nature of the vulnerability, and the ability to gain and escalate privileges in a significant way, it is important that affected entities apply the current patch available as well as any other appropriate patches as released. The jury is still out on whether or not this vulnerability has been exploited before and if it's part of a broader campaign. Although this event is certainly a big deal, the idea that foreign adversaries are leveraging attacks to collect intelligence is not a new concept. Moreover, there is no information yet to suggest that the access obtained through this vulnerability was used to manipulate, modify, or destroy information. Were such information to come to light, we might be presented with a very different scenario than what is currently before us. This event does highlight the challenge of managing the supply chain of individual organizations. Specifically, it demonstrates that even if a given organization has good defensive capabilities, it may be vulnerable to attacks targeting its vendors. Supply chain attacks, of course, are not new. Indeed, the classic story of the Trojan Horse itself is, in some sense, a supply chain attack. 
What is different about the modern era, of course, is how much of the modern supply chain relies on foreign sources. While this issue is not necessarily in play with this particular incident, our nation's reliance on foreign supply chains, particularly in China, is likely to continue to raise concerns. Moreover, this incident highlights the increasingly important national security role of a diverse set of agencies like the Departments of Treasury and Commerce and the increased threat of nation-state attacks targeting such agencies.
December 16, 2020
Nethanel Gelernter
CEO
CyberPion
This attack demonstrates the thinking of modern hackers and the new attack surface. Traditional tools can prevent or detect traditional attack vectors, but the ecosystem of the modern organization includes many other entry points. For organizations like FireEye, the weakest point is not in its network, but the weaker external services and infrastructures it relies upon. In this instance, hackers used the third party to penetrate the network; however, in many of the supply-chain attacks, hackers achieve their objectives without this, either by stealing the data directly from the third party or by abusing the third party such that the info will reach the hackers without going through the organization’s network (e.g. Magecart attacks). Expect further hacking campaigns that will abuse an organization's ecosystem, simply because it is the easiest way to penetrate many of the hottest targets today, and because, ironically, some of these attack vectors are cheaper to use and more difficult to detect.
December 14, 2020
Ekaterina Khrustaleva
COO
ImmuniWeb
Supply chain attacks have surged in 2020: they offer rapid and inexpensive access to the valuable data held by VIP victims. The victims, as has happened in the SolarWinds case, usually have no technical means to detect an intrusion in a timely manner unless the breached supplier informs them. Most of the suppliers cannot afford the same level of incident detection and response (IDR) as their clients for financial and organizational reasons. Eventually, hackers and nation-state threat actors deliberately target the weakest link, get fast results, and frequently remain undetected and unpunished. Attribution of sophisticated APT attacks, such as the one that reportedly affected SolarWinds and subsequently its customers, remains a highly complicated, time-consuming and costly task. Global cooperation in cybercrime prosecution is vital to break the impasse and make computer crime investigable.
December 14, 2020
Piers Wilson
Head of Product Management
Huntsman Security
A successful, nation-state supply-chain attack isn’t a surprise, but it should be a serious wake-up call. Many organisations have fortified their own cybersecurity defences, but as we have seen, a single partner or supplier being breached can undermine any positive action already taken. The fact that a supplier was so successfully breached, putting core US government organisations at risk, highlights the huge importance of a secure supply chain. A holistic approach to cyber-security is vital to ensure defences are as effective as possible. Having the latest and greatest technologies to secure your own network is only a partial solution if your suppliers are not doing the same. Businesses often carry out due diligence on the financial viability of core partners to ensure they are not a risk. The same has to be true for cybersecurity. Regular assessment or monitoring of all partners’ and suppliers’ cybersecurity practices must become commonplace, alongside a robust cybersecurity program to minimise the risk of falling victim to similar attacks. There is no doubt that as this attack is investigated we will see many more victims come to light. Organisations must act now if they aren’t sure their supply chain is secure, as waiting will just increase the chances of becoming the next headline.
December 14, 2020
Kevin Bocek
VP Security Strategy & Threat Intelligence
Venafi
It should come as no surprise that sophisticated hackers like those from Russia are seeking to infiltrate the US government. What is shocking is that adversaries are now abusing the trust that powers software updates to attack broad swaths of the US government and economy. These attacks will escape detection from state-of-the-art defense because they come with trusted machine identities that give them extreme trust. It's the same method that powered Stuxnet. What hackers have known – and many security teams have not been aware of – is that developers must use machine identities to sign their code. But developers are easy prey. Once compromised, these machine identities convey trust for every software update. This was the secret weapon in the Stuxnet attack and subsequently against Microsoft, Carbon Black, Asus, and many others. And this is the same technology that's used in the US Treasury and makes sure Boeing and Airbus planes get trusted software updates, just like your iPhone. Adversaries are quickly moving to attack not just one computer but entire networks. Instead of small, tedious attacks, these supply chain hacks catapult the opportunity for success. All of this is typically powered by a single identity of a machine – a code signing certificate – to say if the software is trusted or not. This is the future of attacks on the cloud and IoT that’s here today. Without machine identity management to protect them, code signing developers will remain easy prey, and attacks on tens of thousands of businesses and governments will only get worse.