SolarWinds breach underscores the need for monitoring third parties’ security
If we are learning anything from the still-developing story of the cybersecurity incident known as the SolarWinds breach, it’s that third-party and supply-chain risks are becoming increasingly dangerous – and are capable of quickly spreading up and down the supply chain.
While new information continues to emerge almost daily, and we won’t know the full impacts or implications for months or years to come, it’s worth taking a look now at what is known so far and what actions companies should be taking to protect themselves against attacks on their providers. Whether your company is a SolarWinds customer or not, these incidents amplify the need to fully understand your third-party landscape – and the security controls your company itself has deployed enterprise-wide.
In December, cybersecurity firm FireEye discovered a breach that it traced back to malicious code inserted into software provider SolarWinds’s commercial Orion network-monitoring product. This vulnerability, known as Sunburst, is at the heart of this issue. It was determined that nation-state actors, now believed to be affiliated with Russia, had infiltrated the Orion development environment. Once they gained access, they injected stealthy malware in a pre-production version of the product, incorporating it into a software update that was downloaded by roughly 18,000 SolarWinds customers. Once implanted, the malware was dormant for some time, allowing the threat actors to blend into the environment, evade detection, and laterally move between systems.
While it is not yet fully clear what networks were compromised or what information may have been stolen, the breach is an unprecedented national concern because SolarWinds is used across industry – including numerous government agencies, not-for-profits, and Fortune 500 companies. The Justice and Treasury departments have confirmed that they were affected; so has Microsoft, which along with a coalition of tech companies shut down the domain that served as a command-and-control server for the malware delivery. Big tech companies rarely take this kind of direct action, showing just how impactful this breach is.
As more details are uncovered, it is becoming clear that Orion was not the only avenue for these attackers. Cybersecurity and Infrastructure Security Agency (CISA) acting director Brandon Wales recently told the Wall Street Journal that some victims were compromised before the malware-infected version of Orion was deployed. Additionally, Wales stated that about 30% of victims had no direct connection to SolarWinds (though many used other software created on systems that themselves used SolarWinds, according to New York Times sources). CISA is investigating cases where initial access may have come through other means, and Malwarebytes reported that they were attacked via “another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”
The attack on SolarWinds went undetected for over a year, and the full impact is not yet known. It was recently announced that the federal response is being overseen by Anne Neuberger, an NSA veteran and the recently appointed deputy national security adviser for cyber and emerging technology; the Office of the Director of National Intelligence is also assessing the incident.
But all accounts are pointing toward the attack and the malware it deployed being the smartest, most sophisticated intrusion we’ve seen in a very long time.
Meanwhile, another incident tied to SolarWinds is also coming to light. There had previously been reports of a second group of hackers abusing SolarWinds’ software at the same time as the alleged Russian hack, but details were unconfirmed. In early February, Reuters reported, citing its sources, that a different set of hackers connected to a separate nation-state actor had “exploited a separate bug in Orion’s code to help spread across networks they had already compromised.”
Hackers reportedly used the now-patched flaw to “help break into U.S. government computers.” Again, full details are not yet known; Reuters sources said a federal agency responsible for multiple agencies’ payroll had been affected, but a spokesperson later said it had not been hacked. SolarWinds said that it was aware of a single compromised customer but that the attackers “only abused its software once inside the client’s network,” and that they had got in “in a way that was unrelated to SolarWinds,” according to Reuters.
Know your third parties
Software supply chain attacks have increased significantly over the past few years. The overarching lesson to be learned from these incidents is that it’s critical to fully understand the security of all of the third parties in your business ecosystem. Each partner represents an individual point of risk, and a breach of one can spread to other partners, vendors, and customers. Nonetheless, you own the risk and responsibility for protecting your assets, and it only takes one vendor breach to impact your business on a wide scale. While much remains to be seen about the steps that companies take in response to these particular breaches, there are a few general actions that should be taken.
The first thing you should do is make sure you know who your third parties are. It’s a good idea to create and maintain an inventory of third-party relationships. Next, assess the security of your third-party vendors and supply-chain partners. Verify that vendors have cybersecurity safeguards that meet or beat your security and compliance requirements. Where procurement is mature, companies (private or public) generally have defined security requirements that they demand of service or product providers. These include requiring product vendors to follow a secure software development life cycle (SDLC), to conduct secure code reviews before any code is released, and at a minimum to perform a security impact analysis (SIA) of products before release, if not on an ongoing basis.
It’s equally critical that you assess security access controls to make sure that third parties have access to only the applications and data they need. Also, carefully analyze your vendors to determine if any are duplicated or unused. Determine which vendors can be eliminated, and revoke their access permissions.
For the long term, now’s a good time to start implementing a third-party risk-management solution to control risks associated with outsourcing to vendors or service providers. This program should also evaluate fourth parties, the downstream vendors and suppliers used by your third parties. To strengthen management of these external relationships, risk management should be considered a critical business requirement and have the buy-in and support of executive leadership.
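As an added illustration that is not part of the original article, the access-review steps above (excess access, unused vendors, duplicates) and the fourth-party evaluation in this section, written as a Python review over a constructed vendor inventory. The vendor names, systems, dates, the 90-day "unused" threshold and the `Vendor` data model are all assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

STALE_AFTER = timedelta(days=90)  # assumed: no authenticated activity in this window counts as unused

@dataclass
class Vendor:
    name: str
    category: str                 # service the vendor supplies (one entry per contracted service)
    needed: Set[str]              # systems the contract documents the vendor must reach
    granted: Set[str]             # systems the vendor's accounts can actually reach today
    last_access: Optional[date]   # most recent authenticated activity; None means never
    fourth_parties: Set[str] = field(default_factory=set)  # downstream suppliers the vendor relies on

def review_vendors(vendors: List[Vendor], today: date) -> List[Tuple[str, str, List[str]]]:
    """Return (subject, finding, detail) tuples: access beyond documented need, vendors with
    no recent activity, duplicate vendors per service, and fourth parties shared by several vendors."""
    findings: List[Tuple[str, str, List[str]]] = []
    by_category: Dict[str, List[str]] = {}
    by_fourth_party: Dict[str, List[str]] = {}
    for v in vendors:
        excess = v.granted - v.needed
        if excess:  # access beyond documented need: candidate for revocation
            findings.append((v.name, "over_privileged", sorted(excess)))
        if v.last_access is None or today - v.last_access > STALE_AFTER:
            findings.append((v.name, "unused", sorted(v.granted)))  # everything granted should go
        by_category.setdefault(v.category, []).append(v.name)
        for fp in v.fourth_parties:
            by_fourth_party.setdefault(fp, []).append(v.name)
    for cat, names in sorted(by_category.items()):
        if len(names) > 1:  # two vendors for one service: consolidation candidates
            findings.append((cat, "duplicate_category", sorted(names)))
    for fp, names in sorted(by_fourth_party.items()):
        if len(names) > 1:  # one downstream supplier behind several vendors: shared exposure
            findings.append((fp, "fourth_party_concentration", sorted(names)))
    return findings

# Constructed sample inventory (fictional vendors, systems and dates).
TODAY = date(2021, 2, 15)
SAMPLE_VENDORS = [
    Vendor("NetMonCo", "network-monitoring", {"core-switches"}, {"core-switches", "hr-db"},
           date(2021, 2, 10), {"CloudHostX"}),
    Vendor("BackupCo", "backup", {"file-servers"}, {"file-servers"}, date(2021, 2, 1), {"CloudHostX"}),
    Vendor("LegacyBackupLLC", "backup", {"file-servers"}, {"file-servers"}, None),
]

if __name__ == "__main__":
    for subject, finding, detail in review_vendors(SAMPLE_VENDORS, TODAY):
        print(f"{finding:28} {subject:18} {', '.join(detail)}")
```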
It’s not uncommon to hear that these programs require new effort or capital to support. Though that may be true, there is another consideration – what happens if you don’t implement them? Breaches have a direct impact on a business; they can disrupt a company’s ability to continue operating, damage the brand’s reputation, and create additional expenditures to respond to and investigate the incident. It takes time, effort, and materials to rebuild after an attack.
Understand your environment
Beyond third parties, fending off sophisticated threats will require that you understand the security controls deployed across your entire environment. We recommend a cybersecurity risk assessment to help you understand where critical data is located, how that data is classified, and who can access it. It’s also important to know which applications are running and whether they are patched and up to date. When developing capabilities, whether in-house or procured, it is critical that secure coding best practices are followed and that a security impact analysis is done before pushing to production.
Certain technologies and processes are critical to protecting your applications, systems, and data. One of the most essential is a security information and event management (SIEM) solution that automates threat detection. Other essential technologies and processes include:
- Network-monitoring tools
- Anti-malware software on all devices and the network
- Ongoing vulnerability scanning
- Frequent penetration testing
- Automated patch management tools for applications and operating systems
- Situational awareness of the latest threats
- Ongoing employee training and awareness programs
The SolarWinds story and the complex and distributed nature of the Sunburst vulnerability have underscored the criticality of preparing for and monitoring potential attacks that can cascade from third parties and vendors. It also highlights the need for government agencies and the private sector to band together to share threat intelligence and response procedures.
Ultimately, these reports prove the point that cybersecurity can no longer be just a line item in your budget. It’s a business-critical imperative that deserves a seat at your boardroom table.