The Implications of the SolarWinds Cyberattack
Building a Zero-trust Framework for Security
The cyberattack on SolarWinds that was announced last week inserted a backdoor (SUNBURST) into its Orion® Platform software. This attack has thrown a great many U.S. government agencies and technology companies into crisis mode. Microsoft announced on Friday, Dec. 18, that it has uncovered at least 40 of its customers as victims, 80 percent of them in the U.S. The attack, carried out through the SUNBURST backdoor, brings to light critical issues related to security best practices for customers and software vendors alike. It is a reminder that we all have a role to play in protecting ourselves and our workplaces from these vulnerabilities, especially now, when the temptation to sacrifice security for easier connectivity is higher.
Allowing important systems to auto-update and connect to the internet at all is a large problem. The customer has to think long and hard about the trust that they put into any software vendor. Implicit trust is a mistake in today’s hyperconnected world, and this incident shows a need to employ an expanded shared responsibility mindset to verify trust.
Behavioral analysis of software, once it is in place, is clearly needed. The cyber security industry runs malware in a highly instrumented sandbox environment to understand its behavior: how it connects to its command-and-control servers (C2s) and what its lateral connection behavior is. Clearly, a customer would benefit by doing the same for trusted software. In the SolarWinds case, the infected host beaconed to outside systems that it had never connected to historically. These were systems with different host names under a common domain, in this case avsvmcloud.com, in locations and networks that this host had not previously connected to. It is critical to watch this behavior both on the host and on the wire to ensure that the security team has a well-rounded understanding (host and network) of the behavior that is occurring. This is especially important because these attacks, including SUNBURST, purposely disable monitoring tools to evade detection. Multiple monitoring tools and methods are desirable.
While this sort of connection behavior is periodic and low volume by its nature, understanding IF this sort of thing happens and how to combat it is important. Lateral connection attempts, seeking far more interesting data, happened in this scenario as well. Should these systems ever connect laterally to internal systems for this? Probably not.
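The detection the two paragraphs above describe is a baseline-and-deviation check: learn which external registered domains and which internal peers a trusted host normally talks to, then alert when it contacts something outside that set, even once. The example below is added here and is not code from the original post or from SolarWinds; the CSV log format (`ts,src_host,dst_name,dst_ip,dst_port`), the host name `orion-srv01`, the internal address ranges, and all log lines are constructed for illustration. The only page-supplied value is the `avsvmcloud.com` domain; the subdomain labels in front of it are made up.

```python
"""Baseline-and-deviation detection for a trusted host's network behaviour.

Added example (not from the original post). Log format, host names,
addresses and internal ranges are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# Assumed internal address space of the monitored network (example values).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Conn:
    ts: str
    src_host: str
    dst_name: str   # resolved name or TLS SNI, "-" when none was observed
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Conn:
    """Parse one CSV record in the assumed format ts,src_host,dst_name,dst_ip,dst_port."""
    ts, src, name, ip, port = (field.strip() for field in line.split(","))
    return Conn(ts, src, name, ip, int(port))


def registered_domain(name: str) -> str:
    """Collapse a host name to its registered domain (last two labels).

    This is a simplification for the example: SUNBURST used many host names
    under one domain, so the baseline must be keyed on the domain, not the
    host name. Production code should use the Public Suffix List instead.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def destination_key(conn: Conn) -> str:
    """External destinations are keyed by registered domain, falling back to IP."""
    return registered_domain(conn.dst_name) if conn.dst_name != "-" else conn.dst_ip


def build_baseline(records: Iterable[Conn]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Per source host, the external domains and internal peers seen in the learning window."""
    external: Dict[str, Set[str]] = defaultdict(set)
    internal: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if is_internal(r.dst_ip):
            internal[r.src_host].add(r.dst_ip)
        else:
            external[r.src_host].add(destination_key(r))
    return external, internal


def detect_deviations(baseline, records: Iterable[Conn]) -> List[Tuple[str, str, str]]:
    """Flag first-seen external domains (possible beaconing) and first-seen internal peers
    (possible lateral movement). A single connection is enough to alert, because
    beaconing is low volume by design and the baseline set is what matters."""
    external, internal = baseline
    alerts = set()
    for r in records:
        if is_internal(r.dst_ip):
            if r.dst_ip not in internal.get(r.src_host, set()):
                alerts.add(("new-lateral", r.src_host, r.dst_ip))
        else:
            key = destination_key(r)
            if key not in external.get(r.src_host, set()):
                alerts.add(("new-external", r.src_host, key))
    return sorted(alerts)


# Constructed learning-window records: the server talks to its vendor's update
# host and to two internal systems it monitors.
BASELINE_LOG = [
    "2020-11-01T02:00:00Z,orion-srv01,updates.vendor.example,203.0.113.10,443",
    "2020-11-01T02:05:00Z,orion-srv01,-,10.0.1.5,1433",
    "2020-11-02T02:00:00Z,orion-srv01,updates.vendor.example,203.0.113.11,443",
    "2020-11-03T09:10:00Z,orion-srv01,-,10.0.1.6,161",
]

# Constructed evaluation-window records: two never-before-seen host names under
# one new domain, plus one connection to an internal host never contacted before.
NEW_LOG = [
    "2020-12-14T03:12:00Z,orion-srv01,updates.vendor.example,203.0.113.10,443",
    "2020-12-14T03:40:00Z,orion-srv01,abc123.avsvmcloud.com,198.51.100.7,443",
    "2020-12-15T03:41:00Z,orion-srv01,xyz789.avsvmcloud.com,198.51.100.8,443",
    "2020-12-15T04:00:00Z,orion-srv01,-,10.0.1.5,1433",
    "2020-12-15T04:02:00Z,orion-srv01,-,10.0.5.20,445",
]


def run_example() -> List[Tuple[str, str, str]]:
    baseline = build_baseline(parse_line(line) for line in BASELINE_LOG)
    return detect_deviations(baseline, (parse_line(line) for line in NEW_LOG))


if __name__ == "__main__":
    for kind, src, dst in run_example():
        print(f"{kind}: {src} -> {dst}")
```

Two design points carry the weight here. Keying the external baseline on the registered domain rather than the full host name is what turns a stream of distinct, low-volume host names into a single "new domain" alert, and the internal check is deliberately separate so that a monitoring server reaching a new internal system (east-west) is flagged even when its outbound behaviour looks normal. The records should come from network sensors as well as from the host itself, since a host-side agent is exactly what an implant of this kind tries to disable.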
The software vendor in this case has to keep a very close watch on systems in the supply chain network. The behavior of systems used to distribute software to customers, systems used to house source code, and systems allowed to work with the source code should be monitored at all times for anomalies. It is clear that “dogfooding” your own software as a vendor is key. Who is better at finding this sort of anomalous behavior than the maker of the software itself? Will this increase the time it takes to complete a release? Of course, but if we want to learn from SUNBURST and extend the monitoring time beyond its dormant period, typically two weeks, it is time well spent to ensure that something this negative and widespread is less likely to happen.
There is no panacea for all attacks, but employing best practices, such as a Zero Trust approach combined with a shared responsibility mindset, can aid InfoSec professionals in the fight against cyber threats. Specifically, this threat leveraged a trusted vendor with a sophisticated attack that manifested as unusual activity originating from inside the network, from trusted infrastructure. Thus, a Zero Trust framework incorporating outbound connection monitoring and access control for systems behind the firewall infrastructure, as well as lateral (east-west) monitoring for critical trusted infrastructure, is key. Additionally, as attacks frequently obfuscate themselves in SSL/TLS to avoid detection, outbound decryption for all security devices should be a top priority as well, on both the data and management networks.
Will this be the last attack of this type? No. The motivations and potential rewards for perpetrators are too valuable to them, and they are patient. In addition, attacks are getting more sophisticated, and as a global InfoSec community we all need to play our part to shore up our defenses, know how our networks are behaving and interacting, and ensure we are following best practices, vendor and customer alike.