7 tips to prevent breaches like the SolarWinds hack

Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at University of Public Service

Created: 2021-05-12

Let's learn from the SolarWinds hack!

A year ago, when the whole world switched to home office and social distancing because of the pandemic, cybersecurity experts were primarily focused on managing the foreseeable effects of the sudden digitalization that had hit us. Threats such as large-scale cybercrimes that utilized the latest technologies, online frauds affecting small businesses and older internet users, ransomware campaigns hitting healthcare and education organizations, and the protection of companies that had become more exposed to security risks due to remote working. Although it was immediately visible that state-backed intelligence groups were also active in the cyberspace, no one could have guessed that a secret operation, which later became known as the SolarWinds hack, had been going on for several months. It was an event that US politicians compared to Pearl Harbor and 9/11 because it was so unexpected.

In December 2020, when the United States was burning in the fever of the presidential election, the top priority for US cyber defense was to protect the electoral system from attacks by foreign countries, learning from the lesson of 2016 intervention attributed to Russia. In the meantime, however, a breaking news hit the media: FireEye, one of the most reputable cybersecurity providers, reveal that they had been the victim of a targeted attack of unprecedented sophistication aimed at stealing their intellectual property. After a brief investigation, it was revealed that the attack also affected many US federal institutions and numerous technology companies. The primary attack vector was a malicious code built into the SolarWinds Orion software used for network monitoring, which had been implemented across 18,000 companies worldwide. Soon, it became clear that while America was busy focusing on the election, a successful and highly extensive cyber-espionage operation was taking place under the radar.

michael-geiger-JJPqavJBy_k-unsplash.jpg

Both government and industry experts almost immediately attributed the attack to Russia, except for President Trump, who, as usual, pointed to China. Of course, the above-mentioned states immediately dismissed the charges – as they always do. This behavior is not uncommon, as cyber espionage largely takes place in a grey area of international law and its successes are not commonly declared in public. However, the attack required precise operational planning and high resources that could only be carried out by a state with a serious intelligence background. Microsoft estimates that 1,000 people took part in the operation, using a method that is still unknown today. The attackers got into SolarWinds’s software development processes to implement a backdoor in the March 2020 update that was only accidentally noticed by FireEye nine months down the line. The operation itself had been going on since the fall of 2019, and the range of organizations involved had been carefully selected. These organizations were not attacked directly, but instead through their supply chain, highlighting the high number of suppliers used by a large company can expose that company to cyber threats. The malicious code used in the attack was carefully designed to remain hidden for years. Once the discovery had finally been made, as if by magic the attackers erased all evidence, another feat that indicates the serious operational security behind the action. As a result, clear attribution won’t be easy due to the careful covering up of potential technical evidence.

After the SolarWinds breach, cybersecurity professionals felt they could do nothing but put their hands up, indicating that they didn’t really know how to deal with such attacks. The opponent simply had too many resources, and without significant state and secret service support, there was no chance of defending organizations from such attacks. That is why the steps that the Biden Administration has put forward are significant. They immediately announced retaliation for the attack and started deterring opponents from later attempts. They have also significantly strengthened the US Cybersecurity and Infrastructure Security Agency, which protects internal cyberspace. Finally, cybersecurity, which the Trump government treated with disdain, is now to be given a worthy place.

But it is true that we really can’t do anything against sophisticated cyber attacks? Should we admit our helplessness? Of course, the answer is no. It is the individual responsibility of each organization to be prepared for all relevant threats. Considering the SolarWinds hack, we propose the following seven steps:

1. Rethink your risk assessment.

Do you measure the risk of a nation state attack in an adequate manner? Are the profiles of your potential attackers still valid?

2. Be aware of the risks of your supply chain.

Do you have security controls over all your external partners and the software they use? (Do not forget the APIs, as these are usually left out of most assessments.)

3. Make sure that your IT security team is no longer considered as a cost center.

Your IT security team is vital to the survival of your organization. Invest in your team, or at the very least, do not cut its budget.

4. Invest into software and application security!

If your company has an internal development team, create a designated role within the team for cybersecurity and provide them with the required resources.

5. Be part of cybersecurity information sharing.

Cooperate with your national Computer Security Incident Response Team (CSIRT), join an Information Sharing and Analysis Center or (ISAC) – there are many ways of teaming up.

6. Cyber threat intelligence should be an integral part of your security operation.

In general, technical CTI is sufficient, but if you are an integral player in the supply chain, old-school human intelligence can also support your cyber defense.

7. Prevention is just one part of the cyber defense. Detection is equally important.

Detection gives you a chance to discover what is happening in your IT environment. You may not explore a complete APT attack, but you’ll have some evidence that will help any investigation. Logs are essential, but traces of remote access via SSH or RDP can also support the investigation.

See here how Balasys can help.