Matt Lock at Varonis describes why the SolarWinds attack was so damaging and how organisations need to defend against similar attacks
In December last year, the SolarWinds breach sent shockwaves across the business world. As more details continue to emerge, including reports of new vulnerabilities in SolarWinds products, we’re only at the start of understanding the full extent of the breach. Thought to have been perpetrated by the Russian state, adversaries targeted the supply chain to infiltrate US government networks.
Estimated to have affected 18,000 businesses along the way, the attack was sophisticated and one of the most wide-reaching in recent years. Concerningly, adversaries remained hidden for months after injecting malicious code into a SolarWinds update, which was delivered automatically to tens of thousands of customers. After infecting customer systems, the malicious code opened a backdoor, allowing the attackers to enter undetected and steal sensitive data, including highly valuable business IP.
It’s perhaps unsurprising that cybercriminals soon looked to profit from the devastating supply chain hack, setting up a new site dubbed “SolarLeaks”. The site claimed to host data dumps – including source code – from major companies. Investigators have now revealed that even organisations that had no direct connection to SolarWinds have been hit by the attacks, and it can only be a matter of time before we learn of UK organisations that have been impacted.
The nature and scale of the attack marks a watershed moment in cybersecurity and one from which lessons must be drawn. Described as a ‘moment of reckoning’, the aftermath presents an opportunity for organisations to re-group and re-examine security protocols that could protect them in the event of a similar attack.
Supply chain attacks
Supply chain hacks, where an adversary goes after a trusted vendor or product instead of attacking a target directly, are a growing risk. But it’s not always easy to tell when you have become a victim of this type of breach. All too often, attackers stay hidden – sometimes for months as they did with SolarWinds – and evade detection while they ravage systems. This makes timely response a challenge.
However, there are important lessons to be learned from the SolarWinds breach that can help limit the damage if a similar attack were to impact your business.
Cybersecurity is always a question of managing risk, and this means instigating a response that is swift but also appropriate and proportionate. In the case of SolarWinds, any organisation that had downloaded at least two recent updates of the Orion software had downloaded the backdoor. It would therefore be tempting to decide against running updates at all, on the grounds that an update can itself be turned into a backdoor, scoring something of an own goal.
However, the cure should not be worse than the disease. Given that the vast majority of attacks are not zero-day, nation-state attacks of the type we have seen with SUNBURST, blocking security updates to prevent further malicious backdoors – or even opting to close down and rebuild systems entirely – simply opens up further risks.
Instead, supply chain risks should be considered within the context of the entire attack surface. Consider how this risk can be managed by working with trusted and reputable suppliers who follow the highest security standards and best practices.
Detecting anomalous behaviour
One of the hard lessons learnt from the SolarWinds attack was that it flew under the radar for so long; the attackers kept their footprint low to evade detection and perform lateral movement.
However, even the most advanced of adversaries don’t know how to precisely mimic the normal behaviour of every user and device they’re operating as they move through a network, accessing new accounts and touching data. This opens a new window of opportunity for detection.
One giveaway for those impacted by SolarWinds was unusual activity by accounts and systems associated with the attack. Specifically, our own customers detected strange behaviour by the service accounts associated with SolarWinds, including unusual file activity and connections to end-user computers.
Strange activity — such as someone from the HR department accessing a threat intelligence database — can give an adversary’s game away. This is especially true when looking at the SolarWinds breach, where threat actors particularly targeted service accounts rather than user accounts to gain elevated rights and move laterally within the network. Examining alerts and activity for unusual authentication and access behaviour can indicate a compromise has taken place.
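One way to operationalise the service-account detection described above, as an added example that is not Varonis code or part of the original article: learn a per-account baseline (where the account runs, which hosts it reaches, which shares it touches, how it logs on) from a window of known-good activity, then flag later events that deviate from it. The key=value log format, the `svc-` and `ws-` naming conventions, and every account, host and path below are constructed assumptions.

```python
"""Baseline-and-deviation detection for service-account behaviour.
Added example, not Varonis code. The key=value log format, the svc-/ws-
naming conventions and every account, host and path are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" learning window. An ordinary user (jsmith) is
# included to show that only service accounts are modelled.
BASELINE_LOG = """\
2020-11-02T01:05:11Z account=svc-monitor host=mon-srv-01 event=logon type=service dst=db-srv-02
2020-11-02T01:05:12Z account=svc-monitor host=mon-srv-01 event=file_read dst=db-srv-02 path=//db-srv-02/perf/counters.dat
2020-11-03T01:05:10Z account=svc-monitor host=mon-srv-01 event=logon type=service dst=web-srv-01
2020-11-03T01:05:13Z account=svc-monitor host=mon-srv-01 event=file_read dst=web-srv-01 path=//web-srv-01/perf/counters.dat
2020-11-02T09:12:44Z account=jsmith host=ws-hr-03 event=logon type=interactive dst=file-srv-01
"""

# Constructed period under review: the service account keeps its nightly
# routine but also reaches a finance workstation and a legal share.
REVIEW_LOG = """\
2020-12-08T01:05:10Z account=svc-monitor host=mon-srv-01 event=logon type=service dst=db-srv-02
2020-12-08T02:41:03Z account=svc-monitor host=mon-srv-01 event=logon type=network dst=ws-finance-07
2020-12-08T02:41:30Z account=svc-monitor host=mon-srv-01 event=file_read dst=file-srv-01 path=//file-srv-01/legal/contracts/merger.docx
2020-12-08T03:02:17Z account=svc-monitor host=ws-finance-07 event=logon type=interactive dst=ws-finance-07
2020-12-09T01:05:12Z account=svc-monitor host=mon-srv-01 event=file_read dst=db-srv-02 path=//db-srv-02/perf/counters.dat
"""


def is_service_account(name):
    return name.startswith("svc-")  # assumed naming convention


def is_workstation(host):
    return host.startswith("ws-")  # assumed naming convention


def share_root(path):
    """'//file-srv-01/legal/contracts/x.docx' -> '//file-srv-01/legal'."""
    parts = path.strip("/").split("/")
    return "//" + "/".join(parts[:2])


def parse_log(text):
    """Parse '<timestamp> k=v k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(f.partition("=")[::2] for f in fields)
        events.append(ev)
    return events


def build_baseline(events):
    """Per service account: source hosts, destination hosts, share roots, logon types."""
    base = defaultdict(lambda: {"src_hosts": set(), "dst_hosts": set(),
                                "share_roots": set(), "logon_types": set()})
    for ev in events:
        if not is_service_account(ev["account"]):
            continue
        b = base[ev["account"]]
        b["src_hosts"].add(ev["host"])
        b["dst_hosts"].add(ev["dst"])
        if ev["event"] == "logon":
            b["logon_types"].add(ev["type"])
        elif ev["event"].startswith("file_"):
            b["share_roots"].add(share_root(ev["path"]))
    return base


def detect(events, baseline):
    """One alert per service-account event that deviates from its baseline.
    A service account absent from the learning window gets an empty profile,
    so everything it does is reported."""
    alerts = []
    for ev in events:
        acct = ev["account"]
        if not is_service_account(acct):
            continue
        b = baseline[acct]
        reasons = []
        if ev["event"] == "logon" and ev["type"] not in b["logon_types"]:
            reasons.append(f"logon type '{ev['type']}' not in baseline")
        if ev["dst"] not in b["dst_hosts"]:
            kind = "end-user workstation" if is_workstation(ev["dst"]) else "host"
            reasons.append(f"first connection to {kind} {ev['dst']}")
        if ev["event"].startswith("file_") and share_root(ev["path"]) not in b["share_roots"]:
            reasons.append(f"file activity outside baseline shares: {ev['path']}")
        if ev["host"] not in b["src_hosts"]:
            reasons.append(f"activity originating from unfamiliar host {ev['host']}")
        if reasons:
            alerts.append({"ts": ev["ts"], "account": acct, "reasons": reasons})
    return alerts


def run_example():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"].isoformat(), a["account"], "|", "; ".join(a["reasons"]))
```

The nightly counter reads pass silently because they match the profile; the network logon to a `ws-` host, the read from a never-before-touched legal share, and the interactive logon from that workstation each produce an alert listing every way the event departs from the baseline. In practice the learning window would be weeks of real telemetry and the profile would also carry time-of-day and volume, but the shape of the check is the same.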
It is with this in mind that behavioural modelling is recommended by organisations including the US’ Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC).
As part of its guidance around how system owners can prevent and detect lateral movement within their enterprise networks, the NCSC says implementing security controls, including monitoring to detect the early stages of lateral movement, helps reduce the potential for serious damage.
Make it more challenging for the attacker
In most cases attackers have their sights set on your data; whether it’s to hold it to ransom, for espionage, for financial gain or even as currency to further a political cause. Yet all too often the security protocols around valuable data are not as strong as they could be. This is why it’s integral to lay secure foundations including tools and best practices to protect yourself.
A particularly effective way of adding security is to ensure adequate controls over who has access to what. As well as ensuring strong authentication practices including multi-factor authentication (MFA), it’s of course important to protect high privilege accounts and maintain visibility into these.
As a matter of routine, firms need to monitor who has access, why they have access, and how they are accessing the data, making sure it looks normal for their business process.
Supply chain attacks such as SolarWinds make a strong case for adopting a zero-trust model – founded on the principle that organisations should not automatically trust anything inside or outside their perimeters – and the principle of ‘least privilege’, in which only those that absolutely need to have access permissions to data.
SolarWinds is a warning to us all that a determined and motivated hacker can put paid to even the best defences. Be prepared for this eventuality so that, when they strike, you can not only detect their activity quickly but also prevent those data assets which are most important for your organisation from falling into the hands of the adversary.
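An added example of the routine access review the preceding paragraphs call for (who has access, why, and how it is actually being used); this is not Varonis code or part of the original article. Given a constructed entitlement list and the access events observed during a review window, it flags entitlements that are unused, that grant more than is exercised, that carry no recorded justification, or that give a service account write access to a sensitive share. All accounts, shares, permission levels and the `svc-` naming convention are constructed assumptions.

```python
"""Least-privilege entitlement review: who has access, why, and how it is used.
Added example, not Varonis code. Accounts, shares, permissions and the
review-window access events are constructed for illustration.
"""

# Constructed entitlements: what each account may do on each share.
ENTITLEMENTS = [
    {"account": "jsmith", "share": "//file-srv-01/hr", "permission": "modify", "justification": "HR payroll team"},
    {"account": "jsmith", "share": "//file-srv-01/legal", "permission": "read", "justification": ""},
    {"account": "svc-monitor", "share": "//file-srv-01/legal", "permission": "full", "justification": "legacy install default"},
    {"account": "svc-monitor", "share": "//db-srv-02/perf", "permission": "read", "justification": "performance counters"},
    {"account": "abrown", "share": "//file-srv-01/finance", "permission": "modify", "justification": "finance controller"},
]

# Constructed access events (date, account, share, operation) seen during the review window.
ACCESS_EVENTS = [
    ("2020-11-05", "jsmith", "//file-srv-01/hr", "write"),
    ("2020-11-20", "jsmith", "//file-srv-01/hr", "read"),
    ("2020-11-12", "svc-monitor", "//db-srv-02/perf", "read"),
    ("2020-12-01", "abrown", "//file-srv-01/finance", "read"),
    ("2020-12-02", "abrown", "//file-srv-01/finance", "read"),
]

SENSITIVE_SHARES = {"//file-srv-01/hr", "//file-srv-01/legal", "//file-srv-01/finance"}
WRITE_PERMISSIONS = {"modify", "full"}   # permission levels that allow changing data
WRITE_OPERATIONS = {"write", "delete"}   # observed operations that exercise such a right


def is_service_account(name):
    return name.startswith("svc-")  # assumed naming convention


def observed_operations(events):
    """Map (account, share) -> set of operations actually performed."""
    seen = {}
    for _date, account, share, op in events:
        seen.setdefault((account, share), set()).add(op)
    return seen


def review(entitlements, events):
    """Return one finding per entitlement that fails a least-privilege check,
    with the reasons and the recommended action."""
    seen = observed_operations(events)
    findings = []
    for ent in entitlements:
        ops = seen.get((ent["account"], ent["share"]), set())
        grants_write = ent["permission"] in WRITE_PERMISSIONS
        reasons, action = [], None
        if not ent["justification"].strip():
            reasons.append("no recorded business justification")
            action = "assign an owner and justification or remove"
        if not ops:
            reasons.append("not used during the review window")
            action = "remove entitlement"
        elif grants_write and not (ops & WRITE_OPERATIONS):
            reasons.append("write permission granted but only reads observed")
            action = "downgrade to read"
        if is_service_account(ent["account"]) and grants_write and ent["share"] in SENSITIVE_SHARES:
            reasons.append("service account holds write access to a sensitive share")
            action = action or "scope the service account to the data it needs"
        if reasons:
            findings.append({**ent, "reasons": reasons, "action": action})
    return findings


def run_example():
    return review(ENTITLEMENTS, ACCESS_EVENTS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['account']:<12} {f['permission']:<7} {f['share']}")
        for r in f["reasons"]:
            print("   -", r)
        print("   => action:", f["action"])
```

The two entitlements that match the article's concern stand out: a service account with full control over a legal share it never touches, and a user whose modify right is only ever exercised as reads. Running a review like this on a schedule, with the entitlement list pulled from the file servers and the events from audit logs, is what turns "least privilege" from a principle into a routine.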