beebright – stock.adobe.com
As the scale of the compromise of SolarWinds’ Orion platform – which is so far known to have struck multiple US government departments and cyber security firm FireEye – continues to grow, security teams at thousands of other SolarWinds customers are on high alert.


The supply chain attack, dubbed Sunburst, involved the insertion of malicious code into Orion, giving the attacker a foothold in the network that they use to obtain elevated credentials, which in turn means they can gain access to more data and largely do as they please. The initial backdoor seems to have been distributed via legitimate automatic update platforms since March 2020.
At the time of writing, it affects SolarWinds’ Orion Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix, or 2020.2 HF 1 and hence a number of SolarWinds network monitoring products dependent on those – a full list is available from SolarWinds, while Microsoft has also published extensive guidance.
Although attribution is an uncertain science at the best of times, based on current information, the compromise was probably carried out by the Russian-state backed APT29 group, aka Cozy Bear, which has conducted a years-long campaign of cyber espionage against western targets including, perhaps most famously, the Democratic National Committee (DNC).
Kim Peretti, a former prosecutor at the US Department of Justice (DoJ) and now co-chair of the Cybersecurity Preparedness and Response Team and National Security and Digital Crimes Team at law firm Alston & Bird, described the attack as without parallel in cyber security history.
“We are only at the beginning stages of understanding the impact of this attack and may not know the true impact for many months, if ever,” she said. “It was perfect timing for a perfect storm given the contemporaneous timing of the malicious updates with the onset of Covid-19 restrictions in the US.
“The adversaries used the stealthiest of technical measures – such as a two-week dormancy, steganography, masquerading as legitimate activity, minimising malware use – to gain access and maintain persistence in the victims’ environment. This attack involved an A-plus game of a truly unprecedented nature.”
The state-based nature of the attack may provide a quantum of solace to SolarWinds users at organisatons that are less likely to find themselves in the crosshairs of international geopolitics, but even so, with upwards of 18,000 potential victims, many of them Fortune 500 organisations, there is scope for the breach to widen dramatically, and it almost certainly will. So how should you react?


Sam Curry, chief security officer at Cybereason, said the sheer scale of the incident, which is already being compared in some quarters to the 2017 WannaCry incidents, demanded a “cold, logical, rational” response.
“In general, now is not the time for security experts to panic,” said Curry. “A practical and measured response is advised. If SolarWinds is being used in your organisation, strengthen your security posture as follows:
“Isolate machines running SolarWinds until further information is available as the investigation unfolds; reimage impacted machines; reset credentials for accounts that have access to SolarWinds machines; and upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.
“In addition, set up a task force to look through all data logs, check the hygiene of systems and make sure everyone is generally on high alert for future attacks. Ensure your company is always on the hunt for adversaries. The sooner you do these things, the sooner you can assume no one is lurking in your network in silent mode.”
Joe Slowik, senior security researcher at DomainTools, said the campaign was a “uniquely distressing” intrusion with implications for multiple verticals.
“The ubiquity of SolarWinds in large networks, combined with the potentially long dwell time of intrusions facilitated by this compromise, means victims of this campaign need not only recover their SolarWinds instance, but may need to perform widespread password resets, device recovery, and similar restoration activity to completely evict an intruder,” he said.
“While this is concerning and unfortunate for the present circumstances, future supply chain attacks – as this will not be the last such incident to impact network defenders and operators – can be met with and detected by aggressive NSM and communication visibility.”
Slowik added: “So long as even the most complex backdoor or implant requires communication to, or instructions from, a controlling entity, defenders have opportunities to detect and disrupt operations. Through continuous monitoring of network traffic and an understanding of what hosts are communicating, defenders can leverage attacker weaknesses and dependencies to overcome these otherwise daunting challenges.”
Unfortunately for security teams at SolarWinds users, the very nature of a supply chain attack serves to highlight the lack of control that you really have over organisational security, and how easy it is to fall victim to an incident that, for all your careful preparation and attention to detail, you cannot avoid – simply because running security at SolarWinds is not within your gift, as Piers Wilson, head of product management at Australian SIEM specialist Huntsman Security pointed out.
“Many organisations have fortified their own cyber security defences, but as we have seen, a single partner or supplier being breached can undermine any positive action already taken,” he said. “The fact that a supplier was so successfully breached, putting core US government organisations at risk, highlights the huge importance of a secure supply chain.”
Wilson advocated that defenders should adopt a “holistic” approach to security, purely because having the latest and greatest solutions in place is only a partial defence if your suppliers experience a failure.
“Businesses often carry out due diligence on the financial viability of core partners to ensure they are not a risk,” he said. “The same has to be true for cyber security. Regular assessment or monitoring of all partners’ and suppliers’ cyber security practices must become commonplace, alongside a robust cyber security program to minimise the risk of falling victim to similar attacks.”


CyberGRX CISO Dave Stapleton said: “These continued attacks amplify the need for enterprises to blend social responsibility into risk management practices. Consider this: it is possible that none of your direct vendors use SolarWinds, but it is entirely likely that one of their critical third parties does, which would still leave your company at risk of outages or compromise.
“It’s very easy to become a victim of circumstance. It’s easy to be inundated by third parties and not be able to keep track of how they manage and protect their networks, or even how they characterise their risks – everyone does it differently and has different measurement criteria. Also, technology has only escalated the problem with the adoption of the cloud and a newly accelerated digital transformation.
“Most third parties try their best to report what they know about their networks to their larger enterprise partners, but gaps in knowledge, shortfalls in monitoring abilities, or lack in updated infrastructure and process tracking often end up introducing vulnerabilities.
“It’s as if they need to be walked through the process of reporting to make sure they don’t make any mis-steps. This can be accomplished, but it requires assessment based on multiple techniques, including self-assessment, external scanning, technology-led questionnaires, threat feed monitoring, and more.”
In this e-guide, we will explore the links between ransomware attacks, data breaches and identity theft. First, Nicholas Fearn investigates the phenomenon of the double extortion attack, and shares some insider advice on how to stop them, while we’ll explore the top five ways data backups can protect against ransomware in the first place.
You forgot to provide an Email Address.
This email address doesn’t appear to be valid.
This email address is already registered. Please login.
You have exceeded the maximum character limit.
Please provide a Corporate E-mail Address.
Please check the box if you want to proceed.
Please check the box if you want to proceed.
By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.
Antitrust forces expect the Biden administration to pursue federal antitrust litigation and lawmaking. But Biden and Vice …
Heading into 2021, IT leaders must take the reins of their organizations’ digital transformation efforts. Bestselling author …
What is a proof of concept and how can it be beneficial to an organization? Here we dive into the importance of writing a POC, …
A cybersecurity strategy isn’t meant to be perfect, but it must be proactive, effective, actively supported and evolving. Here …
Coding is an important skill across almost every technology discipline today, and cybersecurity is no exception. Learn about the …
Nation-state hackers conducted a supply chain attack on SolarWinds and planted a backdoor in software updates issued to customers…
Most enterprises have siloed departments, but SASE’s convergence of network and security functions could disrupt those constructs…
Say hello to software-defined home, a ‘branch of one’ package that combines professional-grade Wi-Fi, security, SD-WAN and …
IP addressing and subnetting are important and basic elements of networks. In this article, learn how to calculate a subnet mask …
The colocation market is poised for growth, alongside the higher-visibility cloud computing sector. Find out why with our data …
Even with structured pricing methods, there’s a lot to consider when making colocation infrastructure purchases. Account for …
It’s critical to business operations and your overall budget to know what a good colocation SLA covers, what it doesn’t and how …
At AWS re:invent 2020 the public cloud giant unveiled enhancements to its database and analytics portfolio, including the …
Firebolt, a new challenger to established cloud data storage vendors including Microsoft and Google, launched recently after …
DataStax has integrated the open source Stargate API 1.0 release into its Astra DBaaS platform, bringing GraphQL to the Apache …
All Rights Reserved, Copyright 2000 – 2020, TechTarget

Privacy Policy
Cookie Preferences
Do Not Sell My Personal Info

source

Categories: SecuritySystemsTech