What we Can Learn from the SolarWinds Supply Chain Breach
Solorigate’s Far Reaching Aftermath
So far, we’re just seeing the tip of the iceberg that is the Solorigate software supply chain breach. But let’s take a step back. For those still wondering what this means: SolarWinds Orion is part of a network and computer management suite that’s widely used in IT shops. It not only monitors critical systems’ uptime but can also automatically restart services. To do this, the software is often installed with “superuser” privileges on the most critical systems in the enterprise.
Researchers from SolarWinds, FireEye, and Microsoft believe that in March 2020 a Russian cyberattack modified the SolarWinds Orion software during the build process to insert a remote access trojan (RAT) program. The “rats” have since spread via SolarWinds software updates to potentially 18,000 customers, including the U.S. Treasury, the U.S. Departments of Commerce and Homeland Security, and other government and commercial organizations.
If it isn’t bad enough that Russian spies are running amok in these sensitive networks, there’s worse news still. Here’s why Solorigate is called a “supply chain breach”: think of what the attackers could do with some of the critical systems SolarWinds has access to.
For example, many organizations use SolarWinds to manage Active Directory uptime. With a privileged Active Directory service account in hand, cyberattackers could potentially compromise other domain accounts or forge credentials such as Security Assertion Markup Language (SAML) tokens to impersonate other users or services. Because IT systems use SAML and similar protocols not only for sensitive internal access, but also for access to business partners’ systems, we have quite literally lost some of the keys to the kingdom.
Purging your Networks
Remediate Immediately: What should IT and security at breach-impacted organizations do? Cancel Christmas, burn down and rebuild the network, or just patch, fix, and move on to the next service ticket? That depends. U.S. government agencies are likely targets for further exploitation. They have received prescriptive directives from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to discover and disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks, quarantine any potentially infected systems, and remove compromised accounts or other artifacts. That’s a reasonable and prudent break-fix for any impacted organization.
Burn it down? Patch-and-fix is just the first step. If an organization’s SAML or Active Directory servers have been affected, attackers may have seeded backdoor accounts and other artifacts throughout the IT environment. The only way to restore assurance may be to completely reinstall systems and then re-create all privileged user and service accounts from scratch.
Assess the risk: Organizations not covered by CISA guidance, with no reason to suspect they or their customers and partners are Russian targets, and no apparent indicators of compromise (other than having installed the affected SolarWinds Orion products) should still remediate immediately, conduct a thorough risk assessment, and continue threat hunting for further indicators of compromise. My book, Rational Cybersecurity for Business, details strategies you can use for Enterprise Risk Assessment, Contingency Planning, and Threat Hunting in Chapters 5 and 9 (available for download).
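The first step in the CISA directive above is finding which Orion installs fall in the 2019.4 through 2020.2.1 HF1 range. As an added example (not code from the original post or from SolarWinds), here is a small Python helper that parses version strings in that format and triages an inventory against the range; the version grammar, the ordering of hotfix suffixes, and the sample hostnames are assumptions made for the demo.

```python
import re
from typing import NamedTuple, Optional

# Assumed format for this example: "<year>.<major>[.<minor>][ HF<n>]",
# matching strings such as "2019.4" and "2020.2.1 HF1" quoted on this page.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.I)

class OrionVersion(NamedTuple):
    year: int
    major: int
    minor: int   # 0 when absent, so "2019.4" == "2019.4.0"
    hotfix: int  # 0 when no HF suffix; HF1 therefore sorts after the base release

def parse_orion_version(text: str) -> Optional[OrionVersion]:
    """Parse 'YYYY.M[.m][ HFn]'; None for anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, major, minor, hotfix = m.groups()
    return OrionVersion(int(year), int(major), int(minor or 0), int(hotfix or 0))

# Inclusive range as this page reports it from the CISA directive.
AFFECTED_LOW = parse_orion_version("2019.4")
AFFECTED_HIGH = parse_orion_version("2020.2.1 HF1")

def is_affected(text: str) -> Optional[bool]:
    """True/False for a parseable version; None means 'check manually', never 'clean'."""
    v = parse_orion_version(text)
    if v is None:
        return None
    return AFFECTED_LOW <= v <= AFFECTED_HIGH

def triage_inventory(inventory: dict) -> dict:
    """Bucket hostnames by verdict so the unknowns are not silently dropped."""
    buckets = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "not_affected")
        buckets[key].append(host)
    return buckets

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF1",   # upper bound of the range -> affected
    "orion-prod-02": "2020.2.1 HF2",   # one hotfix later -> not affected
    "orion-dr-01": "2019.4 HF5",       # inside the range -> affected
    "orion-lab-01": "2018.4",          # earlier release -> not affected
    "orion-lab-02": "build unknown",   # unparseable -> unknown, investigate
}
```

Anything that lands in the "unknown" bucket should be inspected by hand rather than assumed clean.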
Clean up Your Supply Chain
There are more Trojan horses out there: you can purge your network (or deem it clean), but what about your suppliers? Third-party risk is ever-present, as many of us will remember from the 2013 Target breach via an HVAC vendor. However, we haven’t had to reckon with big risks in our software (or hardware) supply chain nearly as often.
Solorigate is an industry wake-up call to the urgency of reducing third-party risk and software supply chain risk. For more information, check out the sections on third-party risk management in the book and in blog posts such as this one for Security Boulevard. I also penned a two-part post on how to keep bad actors from getting control of privileged Active Directory accounts.
By the way, high technology companies that supply critical software (or hardware) infrastructure should be sweating bullets, especially if they were among the 18,000 affected by this breach. There’s much more to say about risk aggregation and software supply chain risk in a future post. But for now, let’s move on to our third and final topic.
Rationalize Your Security Architecture
The SolarWinds breach is an object lesson to us that:
Any privileged IT management or security tool can pose high risk unless it can be segmented out of the parts of an organization’s IT environment that contain crown jewels, critical infrastructure, or other high value targets.
It’s not enough to specify security controls using a compliance checklist and call it a “security architecture.” Checklist compliance and even buying the best tools from Gartner’s Magic Quadrants won’t help unless organizations also do risk management and thorough architectural analysis and planning. We have to go a few steps deeper to align solutions with people, process, and technology assurance practices appropriate to each domain/location. And we only know what’s “appropriate” if we measure the risk in those areas through business impact analysis (BIA) and quantified risk assessments.
Doing a full BIA and inter-dependency analysis, disaggregating risks, and segmenting IT assets requires a level of architectural diligence most organizations have been avoiding.
In my post on network segmentation for the zero trust era, I wrote about a consulting project for a client that takes a rigorous approach to defining network security zones, or segments, and enforcing system placement rules within those zones. This client follows network security architecture patterns my former team at Gartner for Technical Professionals (from Burton Group) developed and validated with hundreds of other customers.
In our experience, however, we found most clients stuck with “flat networks” with few internal zones, or perimeters. Perhaps it seemed easier to let IT sprawl (like Los Angeles, if we may compare IT to cities) than to plan it out in an orderly way (like Seoul or Brasilia). The resulting lack of boundaries between IT environments, or between levels of asset criticality, has left many organizations less able to contain Solorigate’s systemic failure.
Like city planning, a network zoning model that meets both business and security needs requires skilled architecture. It must be modern, based on software-defined or identity-based perimeters rather than old-school network firewalls. Just like networks, privileged account management tiers must be segmented using patterns such as Microsoft’s Red Forest design. This, and much, much more, is what it takes to contain the risk of a widespread compromise like the one we’ve seen with Solorigate.
On December 1, 2020 I posted Working Together to Create the Future of Security Architecture, not quite anticipating that in just two weeks Solorigate would provide the perfect object lesson it has. “The world really needs to take security architecture more seriously!” I wrote. “If physical buildings were anything like security systems (experiencing a major breach practically every month), the news would be full of collapsing buildings and crumbling bridges.” This week, it’s as if we’ve seen an entire city fail.
“Working together” also showcased two resources – the “Practical Cybersecurity Architecture” and “Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment” books – that can help improve security practices. Diana Kelley and I also shared the December 1st post on the Linked Security Architecture group where we had a robust discussion of security architecture certification. I hope you’ll check these resources out and together, we can help create a more secure IT ecosystem.