Conventional wars fought with physical weapons in defined periods of time and geographic boundaries are perhaps behind us. Today's battles between nation states are being fought beyond the definitions of the Geneva Convention, in cyberspace, using digital weapons. Hackers conducted a supply-chain attack via SolarWinds and breached the networks of several U.S. government departments, including the agency in charge of the country's nuclear weapons stockpile, as part of a months-long global cyberespionage campaign revealed in December 2020.
The intrusion, allegedly bearing the hallmarks of Russian tradecraft, let the attackers monitor internal email traffic at a number of different U.S. government agencies, accessing sensitive information. The incident has already triggered a far-reaching review of systems across U.S. government departments, including the Pentagon, the Treasury and the National Security Agency.
Hackers managed to hide malicious code in a software update for a tool called SolarWinds Orion, typically used to make IT simpler with a single panel for monitoring various parts of a network. They managed to inject malicious code into Orion updates released between March and June 2020, gaining access to the networks of customers that installed them, including government and private organizations. What is novel about this supply chain attack is that instead of directly attacking the federal government or a private organization's network, hackers targeted a third-party vendor. SolarWinds has admitted that 18,000 of its clients have been impacted.
CISO nightmares continue
The use of a compromised software supply chain as an initial access technique is particularly dangerous, as the attack uses assumed trusted paths and can go undetected for a long period. This attack leveraged several techniques, such as trusted software, signed code and stealthy hiding-in-plain-sight communication, allowing the attacker to evade even strong defenses and spend a long time undetected. If CISOs were already having sleepless nights due to the sudden proliferation of remote work that compromised endpoint security, the shockwaves from the SolarWinds event risk giving them permanent insomnia.
What is especially worrying for CISOs is the evolution in methodology sophistication among hackers, who are now leveraging machine learning and artificial intelligence capabilities to evade detection. In the SolarWinds case, the installed backdoor -- Sunburst -- stayed dormant for up to two weeks before retrieving and executing commands. Other obfuscation techniques used include low and slow probes for network reconnaissance, and the ability to move laterally across the network with customized payloads. It also masqueraded its network traffic as Orion protocol traffic and stored reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity.
The attack also involved numerous post-exploitation actions such as typosquatting, impersonating normal update traffic, additional payload transfers, system discovery, credential harvesting and potentially moving to other systems, even cloud-hosted infrastructure systems. What is especially confounding to IT security teams is that the attack used cybersecurity best practices against the victims, by piggybacking on otherwise trusted regular software updates. Sowing such seeds of confusion, which means conventional best practices will now be doubted and questioned, is perhaps even more damaging.
New countermeasures for new cyber threats
Cyber criminals have demonstrated that they can spend a lot of time in creating custom malware and infrastructure. What then can organizations and CISOs do to protect and defend themselves? Can they continue to rely on best practices, or do they need to go back to the drawing board?
CISOs will need to redraw contracts with third-party providers for software, hardware and services to explicitly demand that the providers commit to securing their own environments. This includes ensuring they use third-party static code analysis, regular security scanning of local and cloud-based environments, DevSecOps and code integrity checks. They must adopt the latest encryption and authentication technologies.
Organizations will also be forced to rethink their software management principles. All companies and organizations use software. Software developers, in turn, increasingly rely on open source components that are hosted by an Nth party -- often a cloud-service provider. Thus, just in the scope of using software, most companies are dealing with third, fourth and fifth parties as part of a single ecosystem. This will further reinforce the need to demand tighter controls and higher levels of scrutiny in this new environment.
Some of the recommended practices to ensure peak defense effectiveness include:
- limiting the use of unapproved software;
- restricting local administrator privileges;
- granting least required privileges and time-bound access on a need-to-have basis;
- carrying out administrative activities through privileged access management and privileged access workstations;
- heightening security monitoring to track any suspicious inbound and outbound communication (pattern-based solutions can give visibility into domain registration and traffic toward recently created domains);
- monitoring traffic toward cybersquatting and domain squatting domains;
- applying a due diligence process to software installation and the use of open source;
- proactively monitoring the organization's exposed credentials; and
- enforcing effective and strong password policies.
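The two monitoring items above (traffic toward recently registered domains and toward squatted look-alike domains) can be turned into a simple detection pass over proxy or DNS logs. The following is an added example, not code from the article or from SolarWinds; the proxy log, the registration-date table standing in for a WHOIS/RDAP feed, the allowlist of vendor domains and the observation date are all constructed, and the 30-day age and edit-distance-of-2 thresholds are assumptions to tune per environment.

```python
from datetime import date, timedelta
TODAY = date(2020, 6, 2)  # constructed observation date for the sample log
# Constructed sample proxy log entries: (timestamp, source host, destination).
PROXY_LOG = [
    ("2020-06-02T09:14:03", "ws-0412", "updates.example-vendor.com"),
    ("2020-06-02T09:14:07", "ws-0412", "updates.examp1e-vendor.com"),
    ("2020-06-02T09:15:10", "srv-mon-01", "cdn.fresh-c2-domain.net"),
    ("2020-06-02T09:16:42", "ws-0099", "mail.example.org"),
]
# Constructed stand-in for a WHOIS/RDAP registration-date feed.
REGISTRATION_DATE = {
    "example-vendor.com": date(2005, 3, 14), "examp1e-vendor.com": date(2020, 5, 20),
    "fresh-c2-domain.net": date(2020, 5, 29), "example.org": date(1995, 8, 31),
}
# Domains the organization expects its hosts to contact (vendor update servers etc.).
ALLOWLIST = {"example-vendor.com", "example.org"}

def registrable_domain(fqdn):
    """Last two labels of a hostname; a real deployment should use the public suffix list."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot squatted look-alikes of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(fqdn, today, max_age_days=30, max_distance=2):
    """Return the reasons a destination is suspicious (empty list if it looks benign)."""
    domain = registrable_domain(fqdn)
    if domain in ALLOWLIST:
        return []
    reasons = []
    registered = REGISTRATION_DATE.get(domain)  # domains missing from the feed are not aged
    if registered and today - registered <= timedelta(days=max_age_days):
        reasons.append("recently-registered")
    for trusted in sorted(ALLOWLIST):
        if edit_distance(domain, trusted) <= max_distance:
            reasons.append("look-alike of " + trusted)
    return reasons

def scan(log, today=TODAY):
    """Return (timestamp, host, destination, reasons) for every suspicious log entry."""
    return [(ts, host, dst, r) for ts, host, dst in log if (r := classify(dst, today))]

if __name__ == "__main__":
    for hit in scan(PROXY_LOG):
        print(*hit)
```

On the constructed log, the look-alike `examp1e-vendor.com` is flagged for both reasons and the fresh `fresh-c2-domain.net` for its registration age, while the allowlisted vendor and mail domains pass.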
This doesn't mean that basic protocols can be left behind. Basic security hygiene, including basic access-management controls, will never stop being important. From a structural perspective, restricting access rights to the build environment and build pipeline, regular auditing and surveillance, refreshing all employee and contractor credentials, tightening credential security and elevating access restrictions, and re-signing all release code with new certificates are some of the immediate steps that can be taken.
IT security departments shouldn't just update the endpoint with the latest antivirus definitions and signatures and consider themselves secure. They need to look for other ways to disrupt or detect an attack throughout the whole attack chain, leveraging both prevention and detection capability and keeping the end goal in mind to reduce impact to the business. Some technologies that can give more visibility on suspicious or anomalous activities include:
- Deception technology, which is capable of detecting threats during the reconnaissance phase if it is strategically deployed.
- User and entity behavior analytics, which provides behavior-based monitoring of all identity usage from unknown locations and can also identify dormant accounts and reused passwords.
- Cloud access security broker, used to understand any shadow IT access, with a focus on the unapproved category.
The SolarWinds attack has unleashed seismic forces in the cybersecurity world that will certainly strengthen existing practices, as well as prompt a rethink of cyberdefense practices. From political leaders to CEOs and CISOs, the hanging sword of the ever-impending cyber attack is bound to give all of them insomnia.
About the author:
Vishal Salvi is CISO at Infosys. He is responsible for the overall information and cybersecurity strategy and its implementation across Infosys. Vishal has over 25 years of industry experience in cybersecurity and information technology across different industries. Prior to joining Infosys, he performed various leadership roles in cybersecurity and information technology at PwC, HDFC Bank, Standard Chartered Bank and more.