SolarWinds Hack Lessons Learned: Finding the Next Supply Chain Attack


The SolarWinds supply chain compromise won’t be the last of its kind. Suppliers and enterprises alike must learn from it and refine their detection efforts to find the next such attack.

Even though investigations and analysis of the recently discovered SolarWinds hack remain ongoing, it is already clear that the scope is extensive, and the full impact may well prove to be devastating.

To recap, FireEye last month discovered what it described as a “global intrusion campaign” perpetrated via malicious, trojanized updates to SolarWinds’ Orion network management software. The latest estimates indicate that the compromised SolarWinds software made its way into approximately 18,000 enterprises, government agencies, and other entities globally.

It is as yet unclear how many individual victims suffered damages as a result.

Vulnerabilities in the software supply chain are certainly not new; according to Imperva, there have been more than 150,000 documented Common Vulnerabilities and Exposures (CVEs) in software applications and libraries since 2000. However, the SolarWinds incident has served to clearly illustrate that supply chain vulnerabilities represent a significantly greater risk of compromise — and potential for damage — than most previously thought.

An even scarier proposition is this: if SolarWinds’ flagship product could be compromised and go unnoticed for weeks or months by countless enterprises, including some of the world’s top cybersecurity firms, how many more software supply chain compromises may already be in the wild right now, simply waiting to be discovered?

A supply chain ‘kill chain’

Enterprises and vendors alike must account for the risk of supply chain attacks, and adjust both strategically and tactically. Organizations should make an effort to create a “cyber kill chain” for supply chain compromises, thereby creating as many opportunities as possible to prevent, disrupt, or at least quickly detect such incidents before weaponized software has the chance to cause damage.

Omdia recommends adopting a long-term, programmatic approach to software supply chain security. Such a strategy should be based on sound risk management best practices, such as NIST’s Cyber Supply Chain Risk Management (C-SCRM) guidance.

However, there are three especially notable areas where enterprises have opportunities to effect positive change in the near term.

Software supply chain governance

Most organizations do not have practical visibility or control over the security practices of their third-party software vendors. Even if enterprises had the wherewithal to pursue it, from the perspective of the software vendors, providing customers (or anyone) with that opportunity often introduces too much risk into their own processes, by way of exposing system access or security practices, not to mention the added expense of doing so.

That said, organizations should look to leverage their influence as customers to improve software supply chain governance.

In practice, this is done by creating a baseline set of software security best practices that serve as primary requirements that must be met by any software vendor prior to purchase.

These requirements might be more or less detailed or technical depending on the class of supplier or the size of the enterprise. Again, industry best practices should be the starting point for any software supplier, including but not necessarily limited to specific practices for code sourcing, code review (manual and automated), consistent software security testing both pre- and post-runtime, and detail on its practices for detecting unsourced and/or anomalous code insertions like the one that affected SolarWinds and may go undetected by conventional security measures.

As part of any purchasing agreement, vendors must be required not only to pledge to live up to these guidelines, but also to validate that they are doing so on an ongoing basis. Some high-value purchases might also require indemnification for affected or compromised customers in the event of a security incident.

The governance angle is the linchpin here because this approach requires buy-in throughout the company, from the C-suite to the IT and cybersecurity groups to all line-of-business managers and other software decision makers. It is not a technical control so much as a business risk management control.

While the approach will no doubt add time, complexity, and cost to the software acquisition process, once refined it can become a standardized process to ensure that software makers with undocumented or unclear security practices are weeded out of the purchasing process.

Behavioral analytics-based threat detection

It is interesting to note that FireEye’s initial detection of the SolarWinds compromise did not find complex lateral movement, or even data exfiltration.

What triggered FireEye’s deeper investigation, according to reports, was an unusual remote user login from a previously unknown device with an IP address in a suspect location. It was only upon further review that FireEye discovered the intrusion and ultimately traced it back to SolarWinds.

This scenario, now all too real for thousands of enterprises around the world, underscores the importance — if not necessity — of having behavioral analytics as an essential component of modern enterprise cybersecurity product architectures.

Behavioral analytics supercharges threat detection by not only analyzing event input based on activity from users and devices, but also by using machine learning, statistical analysis, and behavioral modeling to correlate and enrich events.

World-class behavioral analytics technology can factor in a wide variety of data points — such as peer groups, IP association, personal emails, and kinetic identifiers like badge reader activity — to recognize a malicious intrusion by stitching together a half dozen or more events that, by themselves, would seem benign.

In this case, FireEye received an alert because its analytics systems could automatically correlate the login attempt with the user credentials and likely other factors, such as location, time of day, and overall pattern of application access by that user. This anomalous activity likely triggered a high-priority alert, signaling to security analysts that the login in question required further scrutiny.

Without this technology, this malicious login and much of the activity associated with it would likely have blended in with every other login, as is typically the case in most enterprises today. The absence of widely deployed behavioral analytics technology is perhaps one of the largest and most dangerous gaps in enterprise cybersecurity programs today, a gap attackers are clearly exploiting.
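The correlation the article describes, as an added illustration rather than code from the article or from any vendor’s product: each signal (unknown device, new country, off-hours, unusual application) is individually weak, and only their combination against a per-user baseline crosses the alert threshold. The profiles, weights, device names and events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed per-user baseline; a real system learns this from login history.
@dataclass
class UserProfile:
    known_devices: set
    known_countries: set
    active_hours: range     # local hours in which the user normally logs in
    usual_apps: set

@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    timestamp: datetime
    app: str

# Each signal alone is weak; the score becomes actionable only when several stack.
WEIGHTS = {"unknown_device": 2, "new_country": 2, "off_hours": 1, "unusual_app": 1}
ALERT_THRESHOLD = 4

def score_login(event, profile):
    """Return (score, triggered signals) for one login against the user's baseline."""
    signals = []
    if event.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if event.country not in profile.known_countries:
        signals.append("new_country")
    if event.timestamp.hour not in profile.active_hours:
        signals.append("off_hours")
    if event.app not in profile.usual_apps:
        signals.append("unusual_app")
    return sum(WEIGHTS[s] for s in signals), signals

def triage(events, profiles):
    """Correlate the signals of every login and keep only those over the threshold."""
    alerts = []
    for ev in events:
        score, signals = score_login(ev, profiles[ev.user])
        if score >= ALERT_THRESHOLD:
            alerts.append((ev.user, score, signals))
    return alerts

PROFILES = {"alice": UserProfile({"laptop-7f3a"}, {"US"}, range(7, 20), {"vpn", "mail"})}
# Constructed events: a routine login, one with a single oddity, and one where
# several weak signals stack (the kind of login the article describes).
EVENTS = [
    LoginEvent("alice", "laptop-7f3a", "US", datetime(2020, 12, 1, 9, 15), "mail"),
    LoginEvent("alice", "laptop-7f3a", "US", datetime(2020, 12, 1, 22, 40), "mail"),
    LoginEvent("alice", "phone-unknown", "XX", datetime(2020, 12, 2, 3, 5), "vpn"),
]
```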

Data exfiltration detection and prevention

When all else fails, an enterprise needs to be able to rapidly identify when valuable data is being exfiltrated from its endpoints, servers, and networks, even in the most unusual ways.

Most enterprises have extensive network traffic logs to pull from, but the challenge is that command-and-control traffic is usually obfuscated, and the exfiltrated data itself is often encrypted before it leaves an organization, rendering its contents almost invisible. This is especially true when application traffic is involved.

Indeed, according to reports, adversaries used the Trojan embedded in SolarWinds to initiate the process of exfiltrating some victims’ sensitive documents and communications. It used established domains that seemed legitimate to initiate the exfiltration operations.

Interestingly, numerous security vendors have published reports stating that, upon review, their various intrusion detection technologies did detect the activity, but that the significance of the alerts did not rise to an actionable level.

While the SolarWinds incident clearly represented a unique detection challenge, the lesson is that organizations cannot assume that unusual outbound network traffic is benign, even if it is sourced from a trusted application. Vendors need to tune their detection methods to account for the very real possibility of malicious activity from trusted applications, and enterprises need to update their monitoring practices to watch for anomalies where they typically haven’t focused much before, such as their network management software.

Traditional network security best practices may also reduce the chances of a SolarWinds-style data exfiltration, namely network segmentation and perimeter firewall policies that restrict application traffic to pre-approved domains.
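The per-application egress allowlist the two paragraphs above call for, as an added example that is not part of the article or any vendor’s tooling: each trusted application is approved for a small set of destinations, and any flow from it to an unlisted domain is surfaced for review along with the bytes sent, so a trusted network-management agent gets no exemption. The log format, application names and domains are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed per-application egress allowlist ("pre-approved domains" policy).
# Application and domain names are placeholders, not real vendor endpoints.
EGRESS_ALLOWLIST = {
    "netmgmt-agent": {"updates.netmgmt-vendor.example", "licensing.netmgmt-vendor.example"},
    "backup-agent": {"backup.example-corp.internal"},
}

# Constructed egress log format: timestamp, host, originating app, destination, bytes sent.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) app=(?P<app>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_unapproved_egress(lines, allowlist=EGRESS_ALLOWLIST):
    """Return {(app, dst): total_bytes_out} for flows to destinations the app is
    not approved for. An app with no allowlist entry is flagged for every flow."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] not in allowlist.get(rec["app"], set()):
            totals[(rec["app"], rec["dst"])] += rec["bytes"]
    return dict(totals)

# Constructed sample log: routine update and licensing checks, then the trusted
# network-management agent pushing data to a legitimate-looking but unapproved domain.
SAMPLE_LOG = """\
2020-12-01T09:00:01Z host=nms01 app=netmgmt-agent dst=updates.netmgmt-vendor.example bytes_out=812
2020-12-01T09:00:05Z host=nms01 app=netmgmt-agent dst=licensing.netmgmt-vendor.example bytes_out=410
2020-12-01T09:12:44Z host=nms01 app=netmgmt-agent dst=cdn-assets.example.net bytes_out=524288
2020-12-01T09:13:02Z host=nms01 app=netmgmt-agent dst=cdn-assets.example.net bytes_out=1048576
2020-12-01T09:20:00Z host=bk01 app=backup-agent dst=backup.example-corp.internal bytes_out=99000
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for (app, dst), nbytes in find_unapproved_egress(SAMPLE_LOG).items():
        print(f"REVIEW app={app} dst={dst} bytes_out={nbytes}")
```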

It remains to be seen whether SolarWinds represents the beginning of a wave of high-profile software supply chain attacks. Regardless, enterprises would be wise to learn from this incident, and prepare as if the next supply chain attack is just a matter of time.

Eric Parizo supports Omdia’s Cybersecurity Accelerator, its research practice supporting vendor, service provider, and enterprise clients in the area of enterprise cybersecurity. Eric covers global cybersecurity trends and top-tier vendors in the United States. He has been…