SolarWinds hack is a wakeup call for taking cybersecurity action

Advanced Persistent Threats (APTs) have long been a concern of the cybersecurity community. Well-organized teams with significant resources and targets they are not willing to give up attacking until their mission is accomplished are certainly not a threat to be underestimated. The tactics deployed by such groups involve a combination of attack types, from exploiting zero-day vulnerabilities to social engineering, gaining access, establishing a foothold and deepening access, and then remaining in a target’s systems undetected until realizing their goal.

The recently detected, high-profile SolarWinds hack is a typical APT attack. It has targeted several US federal departments, private companies and critical infrastructure organizations, going undetected since at least March of last year. The initial infection vector identified so far relates to a zero-day vulnerability of an update of SolarWinds Orion — a platform that provides full IT stack monitoring services — that permitted the attackers to gain access to network traffic management systems. FireEye, which detected the attack, discovered SUNBURST, a malware that was trojanizing the SolarWinds Orion updates.

As is common in APTs, the list of vulnerabilities exploited will probably grow, both in the supply chain and in the internal systems of the targeted entities, as the APT was deepening and escalating. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), other initial infection vectors are being investigated on top of the SolarWinds-related one. While the initial infection vectors may relate to more entities of the supply chain and/or vulnerabilities of the targeted entities themselves, when the actors of the attack were deepening their access, internal system vulnerabilities should have been exploited for increasing the attack surface. Cybersecurity reporter Brian Krebs has linked a recently identified VMware vulnerability to the SolarWinds attack as a possible attack escalation method, taking into account that access to internal systems has already been achieved through the SolarWinds vulnerability exploitation.

Many questions are yet to be answered as the investigation and response continues. Asking the right questions is key in order to learn from this breach and improve cybersecurity both in the governmental and private sectors. Cybersecurity can only be seen from a holistic point of view and not in isolation, meaning that we have to analyze and understand flaws in identification, protection, detection, response and recovery. Especially in the case of APTs, due to their sophistication and complexity, we need to understand that detection, response and recovery are increasingly important, as protection may at some point fail.

The identification and protection aspects of cybersecurity in this particular case focus on the supply chain, not excluding internal system vulnerabilities. In a previous post, I wrote about the importance of a resilient supply chain, taking into account that nowadays we are dealing with complex ecosystems. In mid-December 2020, the US Government Accountability Office issued a report urging federal agencies to take action for managing supply chain risks. Doing so requires a level of sophistication similar to that of the attackers. Supply chain cybersecurity should be addressed not only through contractual agreements and liability clauses but through continuous testing and monitoring.

While APTs may succeed in gaining access due to their high level of sophistication, cybersecurity relies on timely detection that minimizes damage through appropriate response and recovery. Centralizing the correlating events for tracing patterns is of paramount importance. Yet in this particular case, the New York Times reported that Einstein, the Department of Homeland Security/US-CERT Program that collects data from federal agencies (including contractor services), correlates and analyzes them to provide threat intelligence back to federal agencies, failed to identify the attack. It is notable that the malware was masquerading as the Orion Improvement Program (OIP) protocol and blended itself to the legitimate Orion traffic, going unnoticed.

In terms of response, CISA has issued an emergency directive for mitigating the attack, while Microsoft, FireEye and GoDaddy created a kill switch by seizing the domain that the malicious software was using for controlling the compromised machines. Public-private groups also have been formed to respond, gain a better understanding of the impact and form recovery strategies based on the damage done. President-elect Biden has issued a statement promising that cybersecurity will be a top priority at every level of government, with substantial costs for the attackers and coordination with allies and partners.

As security leaders know well, cybersecurity hits the spotlight when attacks are surfaced and underestimated when cybersecurity is working effectively. But APTs are certainly not the typical kind of cyberattack: They are hard to protect against, trace, respond and recover from. Reducing complexity in ecosystems should also be a priority in supporting cybersecurity effectiveness. To further deal with threats posed by APTs, corporations need to take immediate action in improving cybersecurity capabilities, putting special attention on their supply chain, especially as digital technology adoption is dramatically accelerated in a pandemic-impacted business environment. The rapid proliferation of information technology and related ecosystems need proportionate investments in research for improving protection and detection and in training and education for creating a cybersecurity workforce that can cover the demand, among other areas.