The scope of the SolarWinds hack continues to expand as SolarWinds has updated their security advisory to show that more versions of the company’s Orion server software were impacted by the vulnerability than was previously thought.
Furthermore, the Department of Homeland Security issued an emergency directive about the endpoint security breach telling federal agencies to shut down their servers until further notice. SolarWinds provides network administration, monitoring, and security software that is used by a large number of state and federal agencies in the United States.
What is Orion and how did the SolarWinds Hack exploit work?
The Orion platform is a network management tool designed to help IT managers review key configuration and performance metrics for their networks. Its components sit in the IT supply chain of many large organizations across the globe.
FireEye, one of the largest cybersecurity companies in the US and itself affected by the breach, published a report on SUNBURST, a trojan embedded in a SolarWinds Orion plugin that is responsible for the exploit.
SolarWinds recommends that users of Orion platform version 2019.4 HF 5, 2020.2 with no hotfix, or 2020.2 HF 1 update to the latest patch immediately. Customers who have already applied the security patch from the SolarWinds customer portal should no longer be impacted.
How can a supply chain attack like the SolarWinds Hack be prevented?
SolarWinds published a hotfix patch for Orion v2020 back in October of this year that addressed the vulnerability, so why were so many devices impacted? Many in the cybersecurity field acknowledge the unprecedented scale and nature of this exploit made it virtually impossible to detect and prevent ahead of time.
That said, security researchers have known for some time that supply chain attacks are among the hardest to prevent. These attacks abuse the trust organizations place in their software suppliers, exploiting what appear to be routine, critical functions such as software updates, and that trust will take a lot of work to repair.
A possible solution is for software engineers to prioritize code infrastructure that minimizes the impact of internal security threats. Some researchers are also pushing for wider adoption of zero-trust frameworks that require both internal and external services to be properly verified before being granted access.
Moving forward, there will be more stringent requirements for supplier services in terms of their cybersecurity posture. Top of mind for CISOs in 2021 will be how third-party services are integrated into their organization’s IT infrastructure and how recently (if ever) they provided a security audit.
Another takeaway should be that threat actors of all sizes, from sponsored nation-states to smaller groups with less funding, increasingly rely on automation and machine learning to do their dirty work. As a result, it only makes sense to defend your organization against supply chain attacks (which can lead to a costly ransomware attack) with similar technology, like automating patch management with the use of artificial intelligence, to maintain a robust cybersecurity posture.
It should also be acknowledged that increased transparency about breaches from affected parties, whether in the government or private sector, can only help threat detection and response down the road. There are many ways IT and cybersecurity leaders can use breach disclosures to their benefit, from hardening different aspects of their company’s IT infrastructure to making plans to reduce their overall attack surface.
Join us in taking the #globalcyberpledge to increase cyber awareness and make ourselves, as well as our communities, safer against future cyber attacks.