If you compare cyber firefighting with battling wildfires, then the recent SolarWinds security breach is like an incredibly serious blaze that demands all hands to the pumps. Former federal officials say the attack could turn out to be the worst ever cyber breach of U.S. government systems.
More details of the hack will likely emerge as investigators continue their work, but the broad outline of what happened is already reasonably clear. The attackers, who are widely believed to be linked to Russian intelligence, found a way to hide malicious code in a software update for a product called SolarWinds Orion, which enables IT teams to monitor and manage the operation of computer networks through a single digital dashboard. Having gained access through this route, they were able to then compromise other areas.
The intrusion let the attackers monitor internal email traffic at a number of different agencies and it’s possible they were also able to get their hands on other sensitive information too. The incident has already triggered a far-reaching review of systems across U.S. government departments, including the Pentagon, the Treasury and the National Security Agency (NSA). According to a report in Politico, the hackers were even able to breach the government agency in charge of the U.S. nuclear weapons stockpile. President-elect Joseph Biden has said he will “not stand idly by” while the U.S.’s national security is jeopardized.
A grave risk
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that federal agencies “disconnect or power down” SolarWinds Orion products. On December 17 it issued an update saying that it had determined that the federal government, state, local, tribal and territorial organizations, as well as critical infrastructure entities and private sector organizations all face a “grave risk” from the threat.
Although government agencies are in the eye of the storm, CISA’s warning makes clear that businesses also have plenty to worry about. SolarWinds, which has said in an S.E.C. filing that it believes 18,000 customers downloaded Orion-related code containing the malware, also counts plenty of large companies among its clients. The malware was present between March and June this year, but the hackers will have had access to Orion for far longer.
The hack could not have come at a worse time, with companies stepping up tech-driven innovation in response to the pandemic and government agencies leaning more heavily on digital solutions. Security experts and CIO-watchers say that tech leaders will need to focus on multiple priorities as part of response efforts. Some of the most important are:
Rolling back changes made to networks
Clearly any organization that thinks it may have been affected should follow the CISA recommendation and stop using the Orion software. But the challenge goes further than that. The attackers will almost certainly have used the malware to establish a persistent presence inside companies’ networks.
The challenging task facing CIOs and CISOs, says one former U.S. homeland cybersecurity executive who requested anonymity because of the sensitivity of the topic, is to work out the last “known good” state, the point at which they can be sure the hackers were still on the outside. “These [hackers] appear to be pretty good at erasing their tracks, so it’s going to be a tough risk calculus figuring out that point.” Once decisions about how far back to go have been made, CIOs may have to rip and replace significant amounts of software and hardware in an effort to create “clean” environments.
Taking steps to contain hackers that have accessed networks
CIOs and CISOs should be looking at ways to minimize the interconnectivity of vendors’ software into their computing environments, say security experts. They should also be reviewing egress controls and the set of assets, from network servers to internal databases, that should not be able to communicate externally in order to reduce the risk that hackers can export sensitive information from them.
Finally, they should be limiting access to digital credentials such as administrator passwords that can be stolen to gain admission to other areas inside a network. “You want to keep the attacker stuck on the asset they initially ‘pop’,” says the CISO of one large U.S. company who also requested anonymity given the sensitive nature of the subject. “They literally can do nothing of harm if they can’t move laterally.”
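One concrete way to act on the egress-control advice above is to audit network flow records against a list of assets that should never talk to the outside world. The script below is an added example written for this article, not code from SolarWinds, CISA or any of the people quoted; the flow-record format, the internal address ranges, the no-egress host list and the sample traffic are all constructed for illustration.

```python
"""Audit constructed flow-log lines against a simple egress policy.

Added example, not from the article. Assumes a space-separated flow record:
    timestamp src_ip dst_ip dst_port bytes
Assets listed in NO_EGRESS must never communicate with addresses outside
INTERNAL_RANGES; every such flow is reported, together with the volume
sent, so it can be investigated as possible data exfiltration.
"""
import ipaddress
from collections import defaultdict

# Constructed policy: hypothetical ranges and hosts, not from the article.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
NO_EGRESS = {
    "10.0.5.20": "internal database",
    "10.0.5.21": "network monitoring server",
}

# Constructed sample flow records (hypothetical traffic, one malformed line).
SAMPLE_FLOWS = """\
2020-12-14T02:10:01Z 10.0.5.20 10.0.7.15 5432 8120
2020-12-14T02:11:45Z 10.0.5.21 203.0.113.44 443 1048576
2020-12-14T02:12:03Z 10.0.9.8 198.51.100.7 443 2048
2020-12-14T02:13:30Z 10.0.5.20 203.0.113.44 443 524288
this line is malformed
"""


def is_internal(addr):
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def parse_flow(line):
    """Return (ts, src, dst, port, nbytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(port), int(nbytes)
    except ValueError:
        return None


def audit_egress(flow_text, no_egress=NO_EGRESS):
    """Flag flows from no-egress assets to external addresses.

    Returns (violations, bytes_out, skipped): a list of offending flows,
    total bytes each offending asset sent externally, and the number of
    unparseable records (counted rather than silently dropped, since a
    gap in the evidence is itself worth knowing about).
    """
    violations = []
    bytes_out = defaultdict(int)
    skipped = 0
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            skipped += 1
            continue
        ts, src, dst, port, nbytes = rec
        if src in no_egress and not is_internal(dst):
            violations.append({
                "time": ts, "asset": src, "role": no_egress[src],
                "dst": dst, "port": port, "bytes": nbytes,
            })
            bytes_out[src] += nbytes
    return violations, dict(bytes_out), skipped


if __name__ == "__main__":
    found, volume, bad = audit_egress(SAMPLE_FLOWS)
    for v in found:
        print(f"{v['time']} {v['role']} ({v['asset']}) -> {v['dst']}:{v['port']} {v['bytes']} bytes")
    print("bytes sent externally per asset:", volume)
    print("unparseable records:", bad)
```

The policy check is deliberately allow-by-default for hosts not on the list (the 10.0.9.8 workstation in the sample is not flagged), so the list of no-egress assets has to be maintained from an inventory; the per-asset byte totals are what turn a single blocked-policy hit into a prioritised exfiltration lead.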
Working out what else hackers may have accessed
CIOs and CISOs will be leaning heavily on backup plans and scrutinizing other areas of their tech infrastructure—as well as the applications running on it—for evidence of intrusion. Spotting this will partly depend on the quality of the digital records that companies keep. “Organizations should not only know their environments now,” says Alex Holland, senior malware analyst at HP, “but [also be] retaining enough data to retrospectively look for attacks.”
Striking a balance between short-term innovation and security
With the pandemic getting worse before it hopefully gets better, business leaders will want to keep digital innovation engines running in top gear. But CIOs who have been using the Orion software in question will likely want to throttle back digital projects while they are still conducting emergency reviews. Managing this tension will test tech leaders’ diplomatic skills in the weeks ahead.
Assessing whether other supplier code has been compromised
CISA’s statement today revealed it has discovered additional “access points” that the hackers had exploited. It didn’t say what these were but did make clear that it expects to uncover more. Some of these could well be in the form of other software supply-chain vulnerabilities.
Microsoft has revealed that it has notified more than 40 customers whose systems it believes were targeted and compromised by the hackers using what it calls “additional and sophisticated measures.” It said its investigations, which are ongoing, have found no evidence that its own systems were used to attack others. Other big tech suppliers are also conducting internal reviews. On December 18 Cisco said that while it doesn’t use SolarWinds for its enterprise network management or monitoring, it had “identified and mitigated affected software in a small number of lab environments and a limited number of employee endpoints.” It added that there had been “no known impact to…offers or products” so far and that it would contact customers if it uncovered any need for them to take remedial action.
“When you buy software, you’re buying a matryoshka doll of various vendors’ products nested inside and connected to the product [that] you think you’re buying,” says Joel Fulton, who was the CISO of data company Splunk before leaving to build a startup called Lucidum. “Your relationship is between you and your supplier’s unseen tertiary pyramid.” Combing through all of those pyramids is practically impossible, so CIOs will likely have to rely on random checks.
Racing against time
Unfortunately, it may already be too late for some organizations to frustrate the intruders, who will have used the access gained through SolarWinds Orion to blow away or bypass other digital defenses. Given the headstart the hackers had, CISA’s comment in its statement that it will be “highly complex and challenging” for organizations to remove the intruders from compromised environments is likely to be one that plenty of CIOs and CISOs find themselves repeating in the weeks ahead.
Source: https://www.forbes.com/sites/martingiles/2020/12/17/solarwinds-hackers-five-cybersecurity-challenges-for-cios/?sh=3e865da421b6