In all forms of Cyberattacks that occur, no matter how large or how small, there are always key lessons to be learned and applied. The SolarWinds hack is no exception, and in this article, we examine some of the top lessons that have been garnered from it.
What Has Been Learned?
Given the large scope of this breach, there are many key takeaways an IT Security team can apply, but the following are some of the biggest lessons learned.
- Always know where your source code is coming from. As was reviewed in a previous article, the malicious payload was inserted into the various Dynamic Link Libraries (DLLs), and then masqueraded as a legitimate software update/upgrade to the Orion Platform. In this instance, it is unlikely that any kind of tests were conducted on the source code of the software to make sure that there was no malware in it before it was deployed onto the customer’s IT/Network Infrastructure. Had this been done, it is quite probable that this kind of attack could have been stopped in its tracks, or at the very least, the damage that it created could have been contained. Therefore, it is crucial that CISOs take a proactive approach in testing all forms of source code (for example, whether it is used in creating a Web app or a software patch) to remediate any gaps and vulnerabilities before it is released to the production environment.
- Vetting of third parties. The SolarWinds security breach has been technically referred to as a “Supply Chain Attack.” This simply means that the Cyberattackers took advantage of the vulnerabilities of third parties that SolarWinds made use of, in order to inflict the maximum damage possible. This underscores the importance of one of the most basic rules: Always vet your suppliers before you hire and onboard them. This means that as CISO, you need to make sure that your IT Security team is carefully scrutinizing the security procedures and policies of the particular third party that you are thinking of outsourcing some of your business functions to. It must be on par with, or even better than, what you have in place in your organization. But simply making sure of what your potential supplier has put into place in terms of controls is not a one-time deal. Even after you have hired a supplier and have a business relationship with them, you need to make sure that they are strictly enforcing these controls on a regular basis. This can take place by conducting a security audit. In the end, if your supplier becomes a victim of a Cyberattack, and the Personally Identifiable Information (PII) datasets you have entrusted to them are breached, you, not the supplier, will be held legally and financially responsible.
- Keep things simple and easy to track. It is simply human nature to think that investing in a large number of security tools and technologies means that you will be immune from a security breach. In reality, this is far from the truth. In fact, taking this proverbial “Safety In Numbers” approach simply expands the attack surface for the hacker, which is what was experienced in the SolarWinds breach. It is far wiser to invest in perhaps five firewalls versus 10, but make sure that they are strategically deployed where they are needed the most. By using this kind of methodology, not only will your IT Security team be able to filter out the threats that are real, but you will also be able to pinpoint the entry point of the Cyberattacker in a much quicker fashion, versus the time it took SolarWinds, simply because of the overload of tools and technologies they had in place. Because of this, and as was also pointed out in the last article, it took literally months before anybody realized that something was wrong. In this regard, you may even want to make use of both Artificial Intelligence (AI) and Machine Learning (ML) tools. With this kind of automation in place, false positives will be a thing of the past, and those alerts and warnings that are legitimate will be triaged and escalated in a much faster time frame.
- Make use of segmentation. In today’s environment, many businesses are now seriously considering adopting what is known as the Zero Trust Framework. This is the kind of methodology where absolutely nobody is trusted in either the internal or the external environment. Further, any individual wishing to gain access to a particular shared resource must be authenticated through three or more layers of authentication. But apart from this, another critical component of this is the creation of what are known as “Subnets.” With this, you break up your entire network infrastructure into smaller ones. What is key here is that each of these Subnets has its own layer of defense, so it becomes almost statistically impossible for a Cyberattacker to break through each and every layer. SolarWinds did not take this approach with their network infrastructure, and as a result, the Cyberattackers were able to get in the first time around.
- Update your security technologies. With the advent of the Remote Workforce, traditional security tools such as the Virtual Private Network (VPN) have started to reach their breaking points along with their defensive capabilities. Because of this, it is important that you consider upgrading these systems to what is known as the Next Generation Firewall. These kinds of technologies are now becoming much more robust in identifying malicious data packets that are both entering and leaving your network infrastructure. SolarWinds did not invest properly in these kinds of upgrades, so the Cyberattackers were able to penetrate the weaknesses of the VPNs that they were using.
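The first lesson above, knowing where your code comes from, comes down to one check before anything reaches production: does every shipped file match, byte for byte, what the trusted build actually produced? The following is an added example written for this article, not SolarWinds' or any vendor's code. The manifest layout, the HMAC used to sign it, the file names and the artifact contents are all constructed for the illustration; a real pipeline would sign the manifest with an asymmetric key held only by the build system and publish it out of band, so that whoever ships the files cannot also re-sign the manifest.

```python
"""Verify a software release against a signed manifest of build-time hashes.

Added example; the artifacts, manifest format and signing key are constructed.
"""
import hashlib
import hmac
import json

# Constructed: the artifacts exactly as the trusted build produced them.
BUILD_OUTPUT = {
    "core.dll": b"compiled core library, build 1",
    "helper.dll": b"compiled helper library, build 1",
}
# Constructed signing key; in practice this lives only on the build system.
SIGNING_KEY = b"constructed-manifest-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(hashes: dict) -> bytes:
    """Stable byte encoding of the hash table, so the signature is reproducible."""
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Run at build time: hash every artifact and sign the table of hashes."""
    hashes = {name: sha256_hex(data) for name, data in files.items()}
    sig = hmac.new(key, canonical(hashes), hashlib.sha256).hexdigest()
    return {"files": hashes, "sig": sig}


def verify_release(files: dict, manifest: dict, key: bytes) -> list:
    """Run before deployment: return findings. An empty list means the release
    matches what the build produced, with nothing altered and nothing added."""
    expected = hmac.new(key, canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        # A forged manifest would make tampered files look correct, so stop here.
        return ["manifest signature invalid: do not trust any hash in it"]
    findings = []
    for name, digest in manifest["files"].items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            findings.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            findings.append(f"unexpected: {name}")
    return sorted(findings)


MANIFEST = build_manifest(BUILD_OUTPUT, SIGNING_KEY)


def tampered_release() -> dict:
    """Constructed: one library altered after the build, one extra file slipped in."""
    files = dict(BUILD_OUTPUT)
    files["core.dll"] = BUILD_OUTPUT["core.dll"] + b" + code nobody reviewed"
    files["updater.dll"] = b"not produced by the build"
    return files


def forged_manifest() -> dict:
    """Constructed: the hash for the altered file is rewritten, but the manifest
    cannot be re-signed without the build system's key."""
    manifest = {"files": dict(MANIFEST["files"]), "sig": MANIFEST["sig"]}
    manifest["files"]["core.dll"] = sha256_hex(tampered_release()["core.dll"])
    return manifest


if __name__ == "__main__":
    print(verify_release(BUILD_OUTPUT, MANIFEST, SIGNING_KEY))  # []
    print(verify_release(tampered_release(), MANIFEST, SIGNING_KEY))
    print(verify_release(tampered_release(), forged_manifest(), SIGNING_KEY))
```

The deployment side never trusts a file because of its name or because it arrived through the usual update channel; it trusts only a hash that sits in a manifest whose signature it has verified first. An altered library, a file the build never produced, and a manifest someone edited to cover the alteration are each reported separately.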
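The segmentation lesson above is easier to reason about with a concrete policy in hand. The following is an added example, not the article's or SolarWinds' configuration: the subnets, hosts, ports and allowed flows are constructed for the illustration and stand in for the rules you would load into the firewall guarding each segment. It evaluates connection attempts against a default-deny allowlist between subnets and then compares how far one compromised workstation could reach under that policy versus a flat, unsegmented network.

```python
"""Default-deny segmentation policy between subnets, and the blast radius of one host.

Added example; every subnet, host, port and allowed flow here is constructed.
"""
import ipaddress
from typing import Optional

# Constructed segments: each subnet sits behind its own filtering boundary.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "build-servers": ipaddress.ip_network("10.20.0.0/24"),
    "monitoring": ipaddress.ip_network("10.30.0.0/24"),
    "database": ipaddress.ip_network("10.40.0.0/24"),
}

# Explicit allowlist of (source segment, destination segment, destination port).
# Anything not listed is denied: nobody is trusted by default. A port of None
# means any port; only the flat-network baseline below uses that.
ALLOWED_FLOWS = {
    ("workstations", "monitoring", 443),   # staff use the monitoring console
    ("build-servers", "monitoring", 443),  # build agents report status
    ("monitoring", "database", 5432),      # only monitoring may reach the database
}


def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None  # unknown address space: denied everywhere


def is_allowed(src_ip: str, dst_ip: str, dst_port: int, allowed=ALLOWED_FLOWS) -> bool:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # traffic inside one segment; tighten further if needed
    return (src, dst, dst_port) in allowed or (src, dst, None) in allowed


def denied_attempts(attempts, allowed=ALLOWED_FLOWS) -> list:
    """Connection attempts the segment firewalls would block under the policy."""
    return [a for a in attempts if not is_allowed(*a, allowed)]


def blast_radius(src_ip: str, allowed=ALLOWED_FLOWS) -> set:
    """Segments a compromised host could open connections into directly."""
    src = segment_of(src_ip)
    if src is None:
        return set()
    return {src} | {dst for (s, dst, _port) in allowed if s == src}


def flat_network() -> set:
    """Baseline with no segmentation: every segment reaches every other on any port."""
    return {(s, d, None) for s in SEGMENTS for d in SEGMENTS}


# Constructed connection attempts: (source IP, destination IP, destination port).
CONNECTION_ATTEMPTS = [
    ("10.10.0.15", "10.30.0.5", 443),    # workstation -> monitoring console: allowed
    ("10.10.0.15", "10.40.0.9", 5432),   # workstation straight to the database: denied
    ("10.30.0.5", "10.40.0.9", 5432),    # monitoring -> database: allowed
    ("10.20.0.7", "10.40.0.9", 22),      # build server SSH into the database: denied
    ("192.168.1.1", "10.40.0.9", 5432),  # address outside every segment: denied
]

if __name__ == "__main__":
    for attempt in denied_attempts(CONNECTION_ATTEMPTS):
        print("DENY", attempt)
    print("segmented blast radius:", sorted(blast_radius("10.10.0.15")))
    print("flat-network blast radius:", sorted(blast_radius("10.10.0.15", flat_network())))
```

Under the segmented policy a compromised workstation can reach only its own subnet and the monitoring console, and the database is reachable from nowhere except the monitoring segment on its one service port; on the flat baseline the same host reaches every segment on every port. The denied attempts are also exactly the events each segment firewall should be logging, which is what makes an intrusion visible early rather than months later.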
In future articles, we will examine in detail the timeframe of the SolarWinds hack, as well as a listing of all of the victims that were impacted.