In December 2020, SolarWinds, a manufacturer of security monitoring and analysis products, was compromised by a supply chain hack that inserted a backdoor into its security tools. This attack was difficult to detect, eventually enabling access to customers' secure business and government networks.
The attack used SolarWinds' Orion Improvement Program to mask nefarious traffic, covertly contact external command-and-control nodes and enable backdoor access for attackers.
The sophisticated supply chain attack made detection by network teams difficult because the attack traffic was hidden among SolarWinds' legitimate traffic. Detecting it would have required network teams to analyze all of the SolarWinds traffic, something few IT organizations have the budget or bandwidth to accomplish. The compromised code also shipped inside software that was digitally signed by SolarWinds, making detection even more difficult.
Because the compromise rode on SolarWinds' Orion Improvement Program, which regularly sends data, including files, back to SolarWinds to help it improve the customer experience, enterprise network teams expected that traffic. Network teams are in a bind here: they spend hundreds of thousands of dollars on these tools and want them to get better, so sending that telemetry is in their own interest.
In this case, compromised management and monitoring tools essentially became the fox guarding the henhouse. Detecting the malicious outbound traffic is the harder problem, but concentrating on it still doesn't adequately address the inbound traffic. While the outbound traffic might appear more legitimate, the inbound traffic arriving under the SolarWinds signature should have raised more concern than it did.
Tips to prevent future vulnerabilities
The SolarWinds vulnerability left many network teams wondering what they can do in the future to prevent these types of situations. Below are some factors that could help.
Basic security blocking and tackling
Stricter security practices won't eliminate threats, but they can help mitigate the damage of attacks. Some of the exposure organizations faced with the SolarWinds vulnerability may have been exacerbated by their own security shortcuts.
Higher levels of segmentation make networks considerably harder to manage but, by the same token, can help blunt some of the effects of attacks. Less segmentation is often the result of underfunded security organizations.
Better security funding
CIOs understand the value of security, but budgets stretched too thin can sometimes shortchange this area. It's essential for network security teams to make sure they have not only the tools, but also the staff to monitor traffic. No tool is a complete replacement for humans, especially when those humans ask "dumb" questions that lead to smarter discoveries.
The SolarWinds attack clearly exploited the fact that SolarWinds was a trusted flow of data. Zero trust takes a default posture that everything is a threat and requires verification for all traffic, which can help better detect exploits.
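As an added example (not code from the article or from SolarWinds), the following Python script applies the point made above and in the discussion of Orion traffic: a monitoring server's traffic needs verification in both directions. It reviews constructed flow records for a hypothetical monitoring host and flags outbound connections to anything other than an assumed vendor telemetry domain, as well as inbound connections from outside an assumed admin segment or on unexpected ports. All addresses, domains and ports are assumptions.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    dst_name: str  # resolved destination hostname, "-" if unresolved

# Hypothetical policy for one monitoring server (all values are assumptions):
MONITOR_HOST = "10.0.5.20"
VENDOR_DOMAINS = ("solarwinds.com",)  # the only expected telemetry destination
ADMIN_SUBNET = "10.0.5."              # only the admin segment may reach the host
ALLOWED_INBOUND_PORTS = {443, 17777}  # assumed management ports

def under_domain(name: str, domains) -> bool:
    """True if name equals one of domains or is a subdomain of it (suffix-safe)."""
    return any(name == d or name.endswith("." + d) for d in domains)

def parse_flow_log(text: str) -> list:
    """Parse constructed 'src dst dport dst_name' lines; '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            src, dst, dport, name = line.split()
            flows.append(Flow(src, dst, int(dport), name))
    return flows

def review_flows(flows) -> list:
    """Return (reason, flow) for every flow that breaks the monitoring host's policy."""
    findings = []
    for f in flows:
        if f.src == MONITOR_HOST:
            # Outbound: vendor telemetry is expected; anything else needs review.
            if not under_domain(f.dst_name, VENDOR_DOMAINS):
                findings.append(("egress-to-unexpected-destination", f))
        elif f.dst == MONITOR_HOST:
            # Inbound: a trusted product is not a trusted flow; verify origin and port.
            if not f.src.startswith(ADMIN_SUBNET) or f.dport not in ALLOWED_INBOUND_PORTS:
                findings.append(("unverified-inbound-to-monitor", f))
    return findings

SAMPLE_LOG = """# constructed flow records: src dst dport dst_name
10.0.5.20 198.51.100.10 443 telemetry.solarwinds.com
10.0.5.20 203.0.113.7 443 update.example.net
10.0.5.20 203.0.113.9 443 -
10.0.5.30 10.0.5.20 17777 -
10.0.9.40 10.0.5.20 17777 -
10.0.5.30 10.0.5.20 3389 -
"""
if __name__ == "__main__":
    for reason, flow in review_flows(parse_flow_log(SAMPLE_LOG)):
        print(reason, flow)
```

On the sample records it reports two unexpected egress flows (one to an unrelated host, one with no resolvable name) and two inbound flows that fail the origin or port check; the flow to the vendor domain and the admin-segment flow on an allowed port pass.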
More penetration testing
Penetration testing not only protects the perimeter by exposing vulnerabilities, but it also leads to more critical thinking about avenues attackers can use beyond just the commonly scanned exploits.
Despite how the SolarWinds exploit occurred, collaboration and sharing are essential in helping to better secure enterprise networks. But collaboration isn't important just with manufacturers; community collaboration can be just as important.