We all need to learn the hard way sometimes. Whether it’s forgetting to stretch after a workout, or creating the conditions that led to one of the largest and most sophisticated cyber security breaches ever seen, there’s always a valuable lesson to be learned. Having had some time to reflect on the particular set of conditions that led to the December 2020 SolarWinds cyber attack – which saw around 100 companies and 9 US federal agencies compromised – it’s clear that the hack isn’t one to be treated as an isolated incident, but rather a stark warning of what’s to come if decisive action isn’t taken.
How it happened
To recap, in December last year, investigators discovered an extensive supply chain cyber attack compromising US government agencies including the Pentagon, the Department of Homeland Security and the Department of State, as well as around 100 US companies.
Those behind the hack – who are believed to have been acting on behalf of Russia’s External Intelligence Service (SVR) – leveraged the element of surprise in their approach. First, they compromised the update mechanism for SolarWinds software, which is widely used for IT monitoring by a vast number of public and private organisations, including nearly all Fortune 500 companies. They then exploited that vulnerability to deliver a backdoor Trojan, gaining high-level access to their targeted client systems.
At this stage, it’s hard to determine the scale and complexity of the cyber attack, but it is widely thought to be global in scope, and one of the most sophisticated the world has ever seen.
Creating and rolling out an effective cyber security strategy
What does this mean for business?
The hack clearly demonstrates why organisations need to elevate their cyber security strategy to the top of the priority list and conduct a thorough examination of their cyber defences. Just as Stuxnet represented a turning point by providing the first true example of a cyber-kinetic attack, SolarWinds marks the first cyber attack which bypassed all security controls implemented by the targeted companies. As a security professional, it pains me to say it, but the attackers were smart, figuring out that by targeting the supply chain, they could evade even the most sophisticated of defenses.
The hijacking of SolarWinds’ infrastructure, where attackers exploited its victims’ own software and patching process, introduces a new challenge – not only for companies in the software industry, but for any company that uses digital services. And it doesn’t end there: just as we saw with SolarWinds, attackers might choose to target any company’s software supply chain and use that channel to distribute their malware to infiltrate third-party partners and customers.
The UK Government must keep an eye on its vulnerable supply chain
What should you do?
The enemy of security are the stones left unturned. If you do 90% of what could be done, that remaining 10% will be what is likely to burn you. Whilst the full extent of the SolarWinds catastrophe unfolds, don’t be fooled into thinking it couldn’t happen to you. Create your cyber security strategy on the assumption that everyone – you included – is a potential target.
Never underinvest in security
Any security shortcomings, no matter how minor they seem, leave companies vulnerable to attack. As was the case with SolarWinds, these shortcomings meant that the company was unable to detect the injection of bad code sent to customers. The clear lesson here shouldn’t surprise anyone: if you cut corners and fail to maintain a robust cyber defence, rest assured that bad actors will eventually find out. To mitigate risk, companies should establish a clear budget for cyber security defenses, and this should be reviewed as often as possible and with looming threats in mind. By making cyber security a priority and not merely an afterthought, companies are already better equipped to deal with potential threats when they do arise.
Finally, comprehensive cyber security training should not only be made available to staff, but mandatory for those on all levels, operating across the industry. The targeting of SolarWinds’ supply chain clearly demonstrates the unconventional routes hackers are willing to take and, for this reason, all staff, including product engineers, should be made aware of the crucial role they play in security.
CISOs must do what they can to get others on board
If addressing the board and scaring the hell out of them is what it takes, then do just that! More than ever, CISOs need to drive home the message that SolarWinds constitutes a wake-up call for everyone. And whilst cyber security was likely already on the radar of software companies, I would be surprised if senior management teams had been aware of the security risks their company’s software supply chain posed prior to the SolarWinds hack. As a CISO, it’s now your responsibility to ensure these risks stay on the radar of companies and remain high on the boardroom agenda going forward.
What working from home means for CISOs
Other examples of best practice
When scanning code or applications, be sure to scan (Static and Dynamic scans) thoroughly, and never use features that are whitelisted or could be used to hide bad code. Likewise, it’s important to pay attention to who is working on your code or software development environment. If you or others in the company are unaware of who is working on your IP, or who has authorised access, getting a vetting process in place of who is working or has access to your code should be a priority. This can go on to create a framework for colleagues across the network to use in hiring processes, for temporary staff or otherwise.
Whilst many of these actions would normally fall under the general best practice for security professionals, far too many companies are leaving cyber security up to fate, particularly if they’ve never experienced a breach themselves before. However, if we’re to learn anything from SolarWinds, it’s that breaches of this kind are becoming increasingly sophisticated, are impacting more people, and ultimately, that you can never be too careful.