How to Prepare for the Post-SolarWinds Future

December 24, 2020 | By IANS Faculty

What does the SolarWinds Orion breach mean for the future? At the time of this writing, it is difficult to know for certain, but in this piece, we outline short-term - and aim to identify potential long-term - ramifications of the SolarWinds breach for enterprises, the technology industry and the U.S. in general.

Targets of SolarWinds Orion Breach

In late 2020, it was discovered SolarWinds Orion had been compromised since March, with attackers possibly having had presence on the network since October 2019. Numerous organizations installed the compromised versions of Orion, providing extensive access to a presumed highly skilled nation-state adversary.

In fact, SolarWinds reports up to 18,000 downloads of the compromised software. However, it possible the number of true compromises is lower, for two reasons. First, the attackers may lack the resources to explore and fully compromise each environment accessed. Second, not all SolarWinds updates are installed, and some are installed on test networks or blocked by egress controls.

Based on what is currently known at the time of this writing, it appears the attackers were focused on high-profile technology firms and U.S.-based federal government agencies. The target selection combined with the obvious technical skill of the attacking group supports the belief the group was state affiliated out of Russia. This knowledge forms the basis for both our short- and long-term analysis.

Post SolarWinds Breach Issues

At a purely technical level, it is necessary to improve several practices in both the short and long term. While organizations that are part of the supply chain will have even more to do, all organizations must improve their detection and forensics capabilities.

Near-Term Recommendations

Security and governance groups are putting forth several recommendations. As happens in the wake of most well-publicized cyber attacks, we expect these to move into "best practice" status and to eventually be codified into regulations and standards. Some early recommendations include a focus on:

Impossible behaviors: At a detection level, organizations should analyze user behavior and look for "impossible" situations, such as the same token or login being used in two different geographies or separated against significant time intervals.

Unusual behaviors: It is also important to recognize the attackers engaged in anti-forensic techniques, such as leveraging existing credentials, elevating privilege through existing mechanisms, and only working during "normal" working hours. Detection capabilities must improve to include behavioral analytics, such as users accessing systems and services not usually accessed or used.

Log storage/credentials: Additional effort should be placed into verifying logging systems are provisioned to retain up to a year's worth of raw logs and to ensure credentials to access logging systems with delete privileges are not the same credentials used elsewhere in the organization.

Incident response: Effort must be spent to ensure the ability to create forensically-sound images on all necessary systems, as well as being able to quickly rotate through credentials, including less commonly rotated elements, such as private keys for HTTPS, SSH and virtual private networks (VPNs), as well as resetting Kerberos Golden Tickets.

Secure systems development lifecycle (SSDLC): Review internal processes and identify areas where security checks could be made. Merging security into business-as-usual practices instead of performing security checks at the completion of a process helps close vulnerability windows significantly. Additionally, such an approach gives the security team the critical knowledge needed to implement strong controls without interfering with operations, and supports all the recommendations above.

Longer-Term Recommendations

The longer-term response to this issue will likely involve more fundamental changes. Many of these recommended changes are traditionally viewed as “nice to have,” but due to cost and complexity, are often pushed out into the future. These long-term recommendations include:

Eliminating/isolating legacy systems: Consider the removal of legacy systems, if possible. If they cannot be removed, consider re-scoping to internal VPNs that are user-restricted to only those with a need to access.

Simplifying identity providers: Through acquisition and growth, it is common for larger organizations to accumulate multiple sources of truth. Having a complex identity environment makes it far easier for attackers to inject or takeover credentials. Be aware, auditors might push harder on this issue in the future.

Shoring up egress controls, micro-segmentation and zero trust: Modern attacks work through beaconing, in which legitimate-looking traffic is sent to non-legitimate servers on the internet. The only way to address this issue is to go through the effort of inspecting outbound traffic from each critical system and tightly restricting both inbound and outbound traffic using network-level controls. Where possible, this effort should be aligned with more comprehensive micro-segmentation and zero trust efforts. Such an effort will likely require a dedicated analysis team, possibly one that is outsourced.

Addressing token verification: Modern systems typically handle authentication through tokens, but to maximize performance, the validity of such tokens is often not verified at each step of a transaction. Worse, in many systems, the validity is only verified at the initial login, and serves as a skeleton key to all services available after login. Token verification with periodic multifactor authentication (MFA) challenges on higher risk operations will be required for systems containing critical data or that provide access to critical systems.

Investing in forensics: Finally, many organizations have taken a stance that if forensics is needed, a forensics firm will be hired. However, a global supply chain attack functions much like a global pandemic, and resource availability becomes an important issue. It may be necessary to invest in internal forensics capabilities or engage in a more formal retainer model with an outside forensics firm.

Impact of SolarWinds Breach on U.S. & Tech Industry

In the near term, attacker motivation and the supply chain should be considered. Many organizations are accustomed to working with attackers focused on immediate gain. While such attackers can focus on the supply chain, they usually target managed service providers, with the goal to engage in extortion demands against many organizations at once. The economics of such attacks balance against the number of organizations serviced by the provider vs. the defense level of the provider. This point tips at the level of effort and skill needed to compromise a core supply chain provider like SolarWinds.

Market/Culture Motivations

Core supply chain attacks involve a different level of attacker, one that is often interested less in short-term gain and more on changing markets and culture. If, as is currently believed, the attack group behind the SolarWinds attack was SVR (a branch of Russian intelligence), then we can extrapolate motivation based on previous behavior. The group likely aims to:

Enrich disinformation: Expect the data gathered during this effort to be used to help make Russian-led disinformation campaigns seem more realistic, to better undermine public trust. Data collected can also be used to feed deep-fake artificial intelligence (AI) systems to generate more convincing videos and postings of existing, trusted individuals.

Impact tech competition: Expect the technical data gathered to accelerate less Western-friendly and more surveillance-focused technological competitors.

Beware Security Theater

Looking away from attacker motivations, the impact of this attack on the immediate technology market is significant. In addition to stock prices and likely job changes within information security, expect a renewed effort around supply chain vetting, slowing down sales cycles to allow time for due diligence. However also recognize that many such efforts will be "security theater," because there is little any firm can do about supply chain issues. They can only attest to their own level of security, and even then, only to the level at which they are capable of analysis.

A State of Perpetual Compromise

Looking further out, consider the likelihood organizations could be in a state of perpetual compromise. It is notoriously difficult to extract state-level actors from business-class networks and, while federal agencies have more capability in terms of network defense, the need for their systems to operate 24/7 makes for similar difficulty. Having long-term access to such data as well as the possibility of compromising other supply chain entities places Russia in a position to make serious changes to the U.S. and how we do business. For example, we will see a range of effects across:

Politics: On the political level, it is possible for a third party to slow down or derail sensitive talks through carefully timed data leaks or fraudulent messaging. Larger political issues could be impacted through more comprehensive misinformation campaigns, as are seen during elections. More directly, information collected could be used to blackmail individuals in power and to strengthen negotiation positions that would otherwise rest solely on economic and military power.

Emerging technologies: Living in a world of permanent compromise fundamentally changes the nature of emerging technologies. If a country gains, by whatever means, insight into new technologies, it can more profitably compete, because companies in the original country must sink funds into research and development, while countries acquiring technologies by other means, do not.

It is now quite possible for a country to profit from selling this intelligence directly to other firms and countries, gaining immediate profit as well as potentially favorable trade terms once the new product has been developed. The U.S. is already losing ground to Asia in this area, and the trend is now likely to accelerate.

Critical infrastructure: A state of permanent compromise means the possibility of a high-availability system could be interfered with at will. While, thus far, there have been few incidents of outright cyber warfare, foreign adversaries could disable power and communications at will, inject or alter messages in legitimate emergency communications, or leverage operational technology (OT) inputs to over-drive equipment and cause damage in critical infrastructure.

Mitigating Factors

Other aspects on the technology front are, fortunately, more favorable. Consider:

The cloud: Cloud technology from the major vendors is very well-architected, so if workers within cloud companies are compromised, they would have difficulty accessing customer data. Any attackers that successfully breach a cloud provider would face the same barriers as a malicious insider. While it is certainly possible for such an attacker to access a customer account and change resource permissions or clone data stores, companies like Amazon, Microsoft and Google all have strong programs in place to prevent and detect such action. Moreover, those companies are well positioned to provide better security than their average customer would be able to provide for themselves in traditional data center hosting.

Autonomous vehicles: In practice, network-connected components are tightly isolated from the driving/safety system. Even if it were possible to apply a compromised update to an autonomous vehicle, it would be difficult for that update to weaponize the vehicle. The most realistic threat would be alteration of the navigation function to mis-deliver people and packages. Attempts to cause direct harm to passengers would require a simultaneous modification of the vehicle's firmware along with navigation change, so the car would not detect the dangerous condition itself and simply stop before the final dramatic scene.

It is essential to map the capabilities provided by an attack to the attacker's motivation. A country like Russia would have little to gain through large-scale dramatic action. An attack against all cloud infrastructure or on all self-driving cars would have the net effect of slowing the U.S. economy. As all economies are interconnected, such an act would negatively impact the attacking country as well.

Leveraging a supply chain compromise to gain access to specific targets within that supply chain, minimizing overall damage, allows for a longer attack cycle, which aids the attackers in getting more of the information they care most about. In the end, the success of the attack will be at the micro-scale, even if the attack pattern used is itself at the macro level.

SolarWinds Breach: Preparing for the Future

In many respects, this attack pushes ahead some security elements the industry was already considering, but there are a couple additional elements enterprises should now consider:

  • Being wary of the “patch and move on” mentality where minimal effort is spent on identifying the scope of any compromise unless there is clear evidence to do so. However, for an attack group with this skill level, it is imperative to remember that once in, they attempt to establish one or more points of presence that persist after the patch is deployed. The standard pattern of pushing a patch and closing a ticket could produce a false sense of security in this case.
  • Extending due diligence will be difficult. There will be a natural movement within the industry to extend vendor due diligence programs to consider this risk factor. The critical thing to remember is that SolarWinds did not know it was compromised until it was notified by FireEye. Thus, any voluntary due diligence program would have marked SolarWinds Orion as "safe" up until Dec. 13, 2020, when we know, in retrospect, this was not true.
  • A non-voluntary due diligence program, such as one involving software composition and network analysis, to help try and catch issues like this. However, such programs are expensive to run and can be prone to potential false positives as well as false negatives. In the end, this risk must be accepted as a cost of outsourcing business.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Find additional resources from our security practitioners.

Learn how IANS can help you and your security team.