Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at National University of Public Service
Let's learn from the SolarWinds hack!
A year ago, when the whole world switched to home office and social distancing because of the pandemic, cybersecurity experts were primarily focused on managing the foreseeable effects of the sudden digitalization that had hit us: large-scale cybercrime using the latest technologies, online fraud targeting small businesses and older internet users, ransomware campaigns hitting healthcare and education organizations, and the protection of companies that had become more exposed to security risks because of remote working. Although it was immediately visible that state-backed intelligence groups were also active in cyberspace, no one could have guessed that a secret operation, which later became known as the SolarWinds hack, had already been going on for several months. It was an event that US politicians compared to Pearl Harbor and 9/11 because it was so unexpected.
In December 2020, when the United States was still in the fever of the presidential election, the top priority for US cyber defense was to protect the electoral system from attacks by foreign countries, learning from the lesson of the 2016 intervention attributed to Russia. In the meantime, however, breaking news hit the media: FireEye, one of the most reputable cybersecurity providers, revealed that it had been the victim of a targeted attack of unprecedented sophistication aimed at stealing its intellectual property. After a brief investigation, it turned out that the attack also affected many US federal institutions and numerous technology companies. The primary attack vector was malicious code built into an update of SolarWinds Orion, a network monitoring product; the trojanized update had been installed by up to 18,000 customers worldwide. Soon it became clear that while America was busy focusing on the election, a successful and highly extensive cyber-espionage operation had been taking place under the radar.
Both government and industry experts almost immediately attributed the attack to Russia, except for President Trump, who, as usual, pointed to China. Of course, the states named immediately dismissed the charges, as they always do. This behavior is not uncommon, as cyber espionage largely takes place in a grey area of international law and its successes are rarely declared in public. However, the attack required precise operational planning and resources that only a state with a serious intelligence background could muster. Microsoft estimates that more than 1,000 people took part in the operation. How the attackers first got into SolarWinds's software development process is still unknown today; once inside, they implanted a backdoor into the Orion update released in March 2020, which was noticed only by chance, nine months later, when FireEye investigated its own breach. The operation itself had been going on since the fall of 2019, and the range of organizations involved had been carefully selected. These organizations were not attacked directly, but through their supply chain, highlighting how the large number of suppliers a big company relies on can expose it to cyber threats. The malicious code used in the attack was carefully designed to remain hidden for years. Once the discovery had finally been made, the attackers erased the evidence as if by magic, another feat that indicates the serious operational security behind the action. As a result, clear attribution will not be easy, because the potential technical evidence has been so carefully covered up.
After the SolarWinds breach, cybersecurity professionals felt they could do nothing but throw up their hands, admitting that they did not really know how to deal with such attacks. The opponent simply had too many resources, and without significant state and secret service support, there was no chance of defending organizations against such attacks. That is why the steps the Biden Administration has put forward are significant. It immediately announced retaliation for the attack and began deterring opponents from later attempts. It has also significantly strengthened the US Cybersecurity and Infrastructure Security Agency (CISA), which protects domestic cyberspace. Finally, cybersecurity, which the Trump administration treated with disdain, is to be given its due place.
But is it true that we really cannot do anything against sophisticated cyber attacks? Should we admit our helplessness? Of course, the answer is no. It is the individual responsibility of each organization to be prepared for all relevant threats. Considering the SolarWinds hack, we propose the following seven steps:
Do you measure the risk of a nation-state attack adequately? Are the profiles of your potential attackers still valid?
Do you have security controls over all your external partners and the software they use? (Do not forget APIs; they are usually left out of assessments.)
Your IT security team is vital to the survival of your organization. Invest in your team, or at the very least, do not cut its budget.
If your company has an internal development team, create a designated cybersecurity role within the team and provide it with the required resources.
Cooperate with your national Computer Security Incident Response Team (CSIRT), join an Information Sharing and Analysis Center (ISAC) – there are many ways of teaming up.
In general, technical cyber threat intelligence (CTI) is sufficient, but if you are an integral player in a supply chain, old-school human intelligence can also support your cyber defense.
Detection gives you a chance to discover what is happening in your IT environment. You may not uncover a complete APT attack, but you will have some evidence that helps any investigation. Logs are essential; in particular, traces of remote access via SSH or RDP can support the investigation.
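As an added illustration of that last step (example code written for this page, not anything from the original post or from SolarWinds or FireEye), here is a small Python script that normalizes sshd log lines and Windows RDP logon events into a single timeline and flags two patterns an investigator looks for first: a source address that fails and then succeeds, and a source address that shows up over both SSH and RDP. The sample log lines, the assumed year for the syslog timestamps (sshd lines carry none) and the pipe-separated export format for the Windows 4624/4625 events are all constructed for the example.

```python
"""Added example: a remote-access timeline built from constructed SSH and RDP log lines.

Not code from the original post. Assumptions: sshd syslog lines lack a year (taken as
SYSLOG_YEAR), and Windows 4624/4625 logon events are available as a pipe-separated
export "timestamp|EventID|LogonType|User|SourceIP" (a hypothetical export format).
"""
import re
from datetime import datetime

SYSLOG_YEAR = 2020            # assumption: syslog timestamps carry no year
RDP_LOGON_TYPE = "10"         # Windows LogonType 10 = RemoteInteractive (RDP)

# Constructed sample data (not real logs).
SSH_LOG = """\
Mar 10 02:13:44 build01 sshd[2211]: Accepted publickey for deploy from 10.20.0.5 port 51022 ssh2: RSA SHA256:abc
Mar 10 02:15:01 build01 sshd[2230]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar 10 02:15:03 build01 sshd[2230]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar 10 02:15:09 build01 sshd[2231]: Accepted password for svc_backup from 203.0.113.7 port 40100 ssh2
"""
RDP_LOG = """\
2020-03-10T02:20:11|4624|10|CORP\\svc_backup|203.0.113.7
2020-03-10T02:21:40|4624|2|CORP\\alice|-
2020-03-10T02:25:03|4625|10|CORP\\administrator|203.0.113.7
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_ssh(text):
    """Turn sshd 'Accepted'/'Failed' lines into normalized events; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "proto": "ssh", "user": m["user"],
                       "src": m["ip"], "ok": m["result"] == "Accepted"})
    return events


def parse_rdp(text, host="dc01"):
    """Keep only RemoteInteractive (type 10) logon successes/failures from the export."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, user, src = parts
        if logon_type != RDP_LOGON_TYPE or event_id not in ("4624", "4625"):
            continue
        events.append({"time": datetime.fromisoformat(ts), "host": host, "proto": "rdp",
                       "user": user, "src": src, "ok": event_id == "4624"})
    return events


def timeline(events):
    """All remote-access events, oldest first, regardless of protocol."""
    return sorted(events, key=lambda e: e["time"])


def failure_then_success(events):
    """Source IPs that failed at least once and later authenticated successfully."""
    seen_failure, flagged = set(), set()
    for e in timeline(events):
        if not e["ok"]:
            seen_failure.add(e["src"])
        elif e["src"] in seen_failure:
            flagged.add(e["src"])
    return flagged


def cross_protocol_sources(events):
    """Source IPs seen over both SSH and RDP, a simple lateral-movement indicator."""
    protos = {}
    for e in events:
        protos.setdefault(e["src"], set()).add(e["proto"])
    return {src for src, p in protos.items() if {"ssh", "rdp"} <= p}


def report(events):
    """Human-readable timeline lines, e.g. for attaching to an incident ticket."""
    return [f"{e['time']:%Y-%m-%d %H:%M:%S} {e['proto']:<3} {e['host']:<8} "
            f"{'OK  ' if e['ok'] else 'FAIL'} {e['user']} from {e['src']}"
            for e in timeline(events)]


if __name__ == "__main__":
    evts = parse_ssh(SSH_LOG) + parse_rdp(RDP_LOG)
    print("\n".join(report(evts)))
    print("failure-then-success sources:", sorted(failure_then_success(evts)))
    print("sources on both SSH and RDP:", sorted(cross_protocol_sources(evts)))
```

The point of the script is the normalization step: once SSH and RDP records share one shape (time, host, protocol, user, source, outcome), correlating across them is a few lines, and the same shape can absorb VPN or jump-host logs later. Interactive console logons (type 2) are deliberately dropped so that only remote sessions land on the timeline.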
This blog post is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA 4.0) License.
Szilárd Pfeiffer: API security: there is nothing new under the sun
With the incredible amount of data flowing through them, the security of APIs is becoming a growing concern in the IT industry. What are the best practices and proven solutions that organizations can follow in order to ensure the security of their APIs? There is really nothing new under the sun: APIs are secured by exactly the same precautions as anything else you publish on the internet.
Gábor Pék: Trusted Types: A world without XSS
XSS, or cross-site scripting, is one of the most widespread security problems today, as confirmed by statistics from bug bounty platforms such as HackerOne. Although our defenses have been significantly strengthened in recent years, this attack vector is still with us. As we move away from server-rendered pages towards SPAs (Single Page Applications), we are being forced to deal with a further type of XSS attack: DOM XSS. Gábor shares the story of the creation of Trusted Types, a browser-based protection mechanism, and his experience with implementing it in Avatao's Angular code base. According to a study conducted by Google, the company "has zero DOM XSS among applications migrated to Trusted Types." A great result, to be sure! But is it worth the effort?
Csaba Krasznay: Wars and Cyber Warfare in the Age of APIs
A new chapter in the security of our world opened on 24 February 2022. The term 'our world' must also include cyberspace, as the Ukrainian-Russian war has openly demonstrated our dependence on information systems and the vulnerability of this ecosystem. Although the news of the war is still concerned with conventional armed clashes, more and more information is available about the activities and tools of the various state and non-state hacker groups. Companies should prepare for cyber operations to regain emphasis as the battles in physical space subside, with the difference that less weight may be placed on financial gain and far more on destruction. Much of enterprise IT has already migrated to the cloud and to solutions that exchange data through APIs, which have become widespread. However, the rapid transition has focused on efficiency rather than cybersecurity. It is no coincidence that, according to Gartner, APIs are expected to be the most attacked interfaces in 2022.