Defense Mechanisms to Consider After December Cyberattack
The cyberattack against multiple federal agencies, including those responsible for the country’s nuclear stockpile, and such prominent cybersecurity firms as Microsoft and FireEye, has caused concern for companies and customers alike since it was reported in December.
Internal networks had been accessed undetected since March, and attackers accessed documents, stole penetration-testing tools, and found their way into other systems. They initially inserted a maliciously modified version of SolarWinds Orion, a tool used by many private and public organizations to monitor large networks, into the SolarWinds update server as early as March.
When the investigation began, it was apparent that this trojanized update, called Sunburst, had spread widely, although it is still unclear whether the back door the hackers created for the attack allowed further intrusions and infection. It is known, however, that up to 18,000 customers of SolarWinds have been affected by the malware — and more will certainly be discovered in coming weeks.
The hack — considered the most significant cyberattack in history — is causing customers, clients and others in the ecosystem to question whether there are lasting effects. Likewise, businesses and cybersecurity professionals wonder about lessons learned: Should they be changing operational measures and strategies? What changes should be made?
Among the recommendations and dynamics to consider:
Take care with the software. If your organization uses SolarWinds software, shut it down and don’t turn it back on until the software company publishes a third-party code audit that makes it clear that the vulnerability gaps are fixed. Also, adopt the rules released to detect the SolarWinds vulnerability, and use the signatures provided by FireEye to detect Sunburst and the FireEye tools stolen in the attack.
Hacks may go undetected and cause compounded issues. The nature of the attack — that of writing a backdoor into the software and the unusually long dwell time — means that (1) it’s impossible at this point to clear anyone of risk and (2) the possibility of other secondary “infections” must be considered until dispelled.
Because of the hack’s long dwell time, lateral network movement is almost assured, prompting a lesson in protection versus detection: When protection and prevention fail, you might not know about it or be able to do anything until it is too late. In the case of this hack, the attackers had months inside networks, allowing lateral movement, secondary infection and other malicious activity that could require deep forensic investigation to uncover and repair. Many affected organizations are still trying to make up for lost time in their efforts to mitigate and prevent similar attacks.
Turning to managed detection and response (MDR) services can help. MDR services reduce dwell time and provide valuable forensic data that serves as a focal point for mitigation efforts and future plans.
Don’t forget the software supply chain. Reliance on third-party software suppliers is increasing. There has been some discussion about hardware supplied by Chinese companies, but the SolarWinds attack shows that attackers don’t need to own pieces of the supply chain to infect it.
Scrutiny — meaning code review in the case of software — must be applied where possible. Using open-source options makes review easier because a wide array of parties can collaborate on the review. APIs need to be published and open. While the U.S. government can contract from suppliers, it requires all components and licenses to meet required certifications.
Consider: As reported in a 2003 Computerworld article, Microsoft shared source code with the Chinese government as part of its newly developed government security program designed to lessen concerns about the security of its software. This year, it was revealed that a Swiss company supplying secure communications to many governments included a back door for the CIA, demonstrating a need for some sort of cyber arms treaty.
Greater collaboration with the detection process is needed. SolarWinds had been instructing clients to exclude certain Orion binaries from anti-malware scanning because false positives were produced. This could be at least one reason the attackers chose those binaries. There are reasons for exclusions — but often they are a way to avoid the harder task of collaborating with anti-malware and detection providers to supply appropriate signatures for proper scanning. Microsoft, one of the victims, quickly revoked the digital certificate for the malicious binaries. However, more care must be put into the signing and verification process as well.
Check email systems. While there is uncertainty around this hack, particularly about the extent of the attack on organizations, some signature parts of the attack can be searched for. Email systems, for example, were frequent targets. Also, instances of create, execute and delete commands can be evidence of the malware covering its own tracks. These novel stealth tactics, designed to avoid detection and increase dwell time as much as possible, mean that forensic investigators have their work cut out for them and are now put into the position of proving a negative.
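The create, execute and delete pattern mentioned above can be hunted for in endpoint telemetry. The following is an added example, not code from the original article or from any vendor: it correlates file and process events per host and path and reports files that were created, run and removed within a short window. The event schema, field names, paths and the 300-second default window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not from the incident): epoch seconds, host, action, path.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "mail01", "action": "create",  "path": r"C:\Windows\Temp\a1.tmp.exe"},
    {"ts": 1004, "host": "mail01", "action": "execute", "path": r"C:\Windows\Temp\a1.tmp.exe"},
    {"ts": 1010, "host": "mail01", "action": "delete",  "path": r"C:\Windows\Temp\a1.tmp.exe"},
    # Installer that stays on disk: created and executed, never deleted.
    {"ts": 2000, "host": "ws07", "action": "create",  "path": r"C:\Apps\setup.exe"},
    {"ts": 2005, "host": "ws07", "action": "execute", "path": r"C:\Apps\setup.exe"},
    # Scratch file: created and deleted, never executed.
    {"ts": 3000, "host": "ws07", "action": "create", "path": r"C:\Temp\scratch.dat"},
    {"ts": 3002, "host": "ws07", "action": "delete", "path": r"C:\Temp\scratch.dat"},
    # Full sequence, but spread over a long period.
    {"ts": 4000, "host": "db02", "action": "create",  "path": r"C:\Temp\job.exe"},
    {"ts": 4100, "host": "db02", "action": "execute", "path": r"C:\Temp\job.exe"},
    {"ts": 9000, "host": "db02", "action": "delete",  "path": r"C:\Temp\job.exe"},
]

def find_create_execute_delete(events, window=300):
    """Return files that one host created, executed, then deleted within `window` seconds."""
    by_key = defaultdict(list)
    for ev in events:
        # Windows paths are case-insensitive, so normalise before grouping.
        by_key[(ev["host"], ev["path"].lower())].append(ev)

    findings = []
    for (host, path), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        created = executed = None
        for ev in evs:
            if ev["action"] == "create":
                created, executed = ev["ts"], None  # a new file lifetime starts
            elif ev["action"] == "execute" and created is not None:
                executed = ev["ts"]
            elif ev["action"] == "delete":
                lifetime = ev["ts"] - created if created is not None else None
                if executed is not None and lifetime <= window:
                    findings.append({"host": host, "path": path, "created": created,
                                     "executed": executed, "deleted": ev["ts"],
                                     "lifetime_s": lifetime})
                created = executed = None  # lifetime ended
    return sorted(findings, key=lambda f: f["created"])

if __name__ == "__main__":
    for f in find_create_execute_delete(SAMPLE_EVENTS):
        print(f)
```

Short-lived executables also come from legitimate installers and updaters, so findings are leads for review rather than verdicts; widening the window trades fewer misses for more noise.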
In the future, supply chain attacks will be part of any organization’s threat modeling and policies will be put in place to detect and even prevent similar attacks.
If anything, however, the SolarWinds incident highlights (1) the importance of detection in the cybersecurity stack, (2) the need for greater scrutiny in the code or signing of software, (3) the use of open source and open APIs where possible and (4) the need to begin serious work on cyber diplomacy.