SolarWinds hack is a wakeup call for taking cybersecurity action

Many questions are yet to be answered as the investigation and response continues, but one thing is clear: managing supply chain risks requires a level of sophistication similar to that of the attackers.

Advanced Persistent Threats (APTs) have long been a concern of the cybersecurity community. Well-organized teams with significant resources and targets they are not willing to give up attacking until their mission is accomplished are certainly not a threat to be underestimated. The tactics deployed by such groups involve a combination of attack types, from exploiting zero-day vulnerabilities to social engineering, gaining access, establishing a foothold and deepening access, and then remaining in a target’s systems undetected until realizing their goal.

The recently detected, high-profile SolarWinds hack is a typical APT attack. It has targeted several US federal departments, private companies and critical infrastructure organizations, going undetected since at least March of last year. The initial infection vector identified so far relates to a zero-day vulnerability of an update of SolarWinds Orion — a platform that provides full IT stack monitoring services — that permitted the attackers to gain access to network traffic management systems. FireEye, which detected the attack, discovered SUNBURST, a malware that was trojanizing the SolarWinds Orion updates.

As is common in APTs, the list of vulnerabilities exploited will probably grow, both in the supply chain and in the internal systems of the targeted entities, as the APT was deepening and escalating. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), other initial infection vectors are being investigated on top of the SolarWinds-related one. While the initial infection vectors may relate to more entities of the supply chain and/or vulnerabilities of the targeted entities themselves, when the actors of the attack were deepening their access, internal system vulnerabilities should have been exploited for increasing the attack surface. Cybersecurity reporter Brian Krebs has linked a recently identified VMware vulnerability to the SolarWinds attack as a possible attack escalation method, taking into account that access to internal systems has already been achieved through the SolarWinds vulnerability exploitation.

Many questions are yet to be answered as the investigation and response continues. Asking the right questions is key in order to learn from this breach and improve cybersecurity both in the governmental and private sectors. Cybersecurity can only be seen from a holistic point of view and not in isolation, meaning that we have to analyze and understand flaws in identification, protection, detection, response and recovery. Especially in the case of APTs, due to their sophistication and complexity, we need to understand that detection, response and recovery are increasingly important, as protection may at some point fail.

The identification and protection aspects of cybersecurity in this particular case focus on the supply chain, not excluding internal system vulnerabilities. In a previous post, I wrote about the importance of a resilient supply chain, taking into account that nowadays we are dealing with complex ecosystems. In mid-December 2020, the US Government Accountability Office issued a report urging federal agencies to take action for managing supply chain risks. Doing so requires a level of sophistication similar to that of the attackers. Supply chain cybersecurity should be addressed not only through contractual agreements and liability clauses but through continuous testing and monitoring.