As SolarWinds continues to be, and rightly so, a major discussion topic in cyber risk circles, I have noticed more conversation about how the attack was executed and less about what appears to be a lack of cyber hygiene at the infected organizations. This may be a bold statement, but as with many past breaches, it appears that a lack of proper cyber hygiene helped the attack propagate.
Poor IT operational practices such as rushing new software to market without proper code testing, ineffective (or non-existent) monitoring of code delivery mechanisms, meager defect and vulnerability management, poorly designed backout procedures, lack of outbound traffic inspection, insufficient patching practices, and even loose security around privileged accounts appear to have played an additional role in the spread of the threat.
I believe this to be the case given recent comments from the US Cybersecurity and Infrastructure Security Agency (CISA) that, beyond the Orion code infection itself, “the majority of victims of the SolarWinds supply chain attack were breached through the compromised Orion update, some had their perimeters breached via brute force password techniques.” In short, the group that breached SolarWinds also used other access vectors to advance the Sunburst campaign.
CISA further noted that its incident response engagements identified that in some cases initial access was obtained through password guessing, password spraying, and “inappropriately secured administrative credentials accessible via external remote access services”. CISA added that once inside a victim’s network, the threat actors escalated to administrative rights and then forged authentication (SAML) tokens, which let them move through the environment without having to satisfy two-factor authentication or supply additional credentials. At SolarWinds itself, the threat actors implanted malicious code into an upcoming Orion software update, which was downloaded by as many as 18,000 customers, and then deliberately selected targets from among those victims for follow-on activity.
While the initial point of compromise is still under debate, organizations must continuously revisit their IT operational practices to ensure proper cyber hygiene. They need to ensure their internal controls address even the common control gaps: poor or non-existent monitoring of all networks and systems (including test and QA environments), change management standards, patch management, version control, privileged and administrative access control, and so on.
Additionally, log management and review need to be prioritized. I have personally witnessed, through my many years in internal and external audit and in performing risk assessments of both in-house systems and vendors, that though many organizations do record activity, they fail to actually review the logs. Worse yet, some organizations that activate logging are either slow to act upon alerts or fail to respond at all when alerts are triggered. Cyber breach history has shown us that this can be catastrophic for even the most established organizations.
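To make the point about log review concrete, here is an added example (not code from the original post, CISA, or Shared Assessments) that runs over a few constructed authentication log lines and flags the two initial-access techniques CISA named, password spraying and password guessing, plus the case that actually matters for triage: a spraying source that then logs in successfully. The log line format, the sample addresses and account names, and the thresholds are all assumptions chosen for illustration; map your real source (identity provider sign-in logs, VPN concentrator, Windows 4624/4625 events) onto the same four fields before reusing the logic.

```python
"""Review authentication logs for password spraying and password guessing.

Added example, not code from the original post, CISA or Shared Assessments.
It assumes a constructed, simplified log line format:
    <ISO-8601 timestamp> <OK|FAIL> user=<account> src=<source ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumed format and values). 203.0.113.7 tries one
# password against many accounts (spraying) and finally succeeds as "erin";
# 198.51.100.5 hammers one service account (guessing); 192.0.2.10 mistyped once.
SAMPLE_LOG = """\
2021-01-12T03:00:01Z FAIL user=alice src=203.0.113.7
2021-01-12T03:00:09Z FAIL user=bob src=203.0.113.7
2021-01-12T03:00:17Z FAIL user=carol src=203.0.113.7
2021-01-12T03:00:25Z FAIL user=dave src=203.0.113.7
2021-01-12T03:00:41Z OK user=erin src=203.0.113.7
2021-01-12T03:02:00Z FAIL user=svc_backup src=198.51.100.5
2021-01-12T03:02:05Z FAIL user=svc_backup src=198.51.100.5
2021-01-12T03:02:10Z FAIL user=svc_backup src=198.51.100.5
2021-01-12T03:02:15Z FAIL user=svc_backup src=198.51.100.5
2021-01-12T03:10:00Z FAIL user=grace src=192.0.2.10
2021-01-12T03:10:20Z OK user=grace src=192.0.2.10
"""
WINDOW = timedelta(minutes=10)  # assumed detection window


def parse_log(text):
    """Parse the constructed format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ok": result == "OK",
                       "user": user_kv.split("=", 1)[1],
                       "src": src_kv.split("=", 1)[1]})
    return sorted(events, key=lambda e: e["ts"])


def _windows(events, window):
    """Yield every slice of time-sorted events that fits within `window`."""
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        yield events[start:end + 1]


def find_password_sprays(events, window=WINDOW, min_accounts=4):
    """Sources whose failures hit >= min_accounts distinct accounts in a window.
    Spraying is one or two guesses per account, so per-account failure counts
    miss it; the signal is breadth across accounts from one source."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    sprays = {}
    for src, fails in fails_by_src.items():
        best = max(({e["user"] for e in w} for w in _windows(fails, window)), key=len)
        if len(best) >= min_accounts:
            sprays[src] = sorted(best)
    return sprays


def find_password_guessing(events, window=WINDOW, min_failures=4):
    """Accounts with >= min_failures failed logins in a window, from any source."""
    fails_by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_user[e["user"]].append(e)
    guessed = {}
    for user, fails in fails_by_user.items():
        best = max(len(w) for w in _windows(fails, window))
        if best >= min_failures:
            guessed[user] = best
    return guessed


def successes_after_spray(events, sprays):
    """The alert worth paging on: a spraying source later authenticates successfully."""
    started, hits = set(), []
    for e in events:  # time-sorted, so "later" means after that source's first failure
        if e["src"] not in sprays:
            continue
        if not e["ok"]:
            started.add(e["src"])
        elif e["src"] in started:
            hits.append((e["src"], e["user"]))
    return hits


def review(text):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    sprays = find_password_sprays(events)
    return {"sprays": sprays,
            "guessing": find_password_guessing(events),
            "compromised": successes_after_spray(events, sprays)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(review(SAMPLE_LOG))
```

On the sample data, `review(SAMPLE_LOG)` reports 203.0.113.7 as a spraying source against four accounts, svc_backup as a guessed account, and the successful login as erin from the spraying source as the compromise to investigate first. The thresholds are deliberately low so the constructed sample triggers; in production, tune them to your sign-in volume, and note that the "success after spray" check is the one that turns a noisy failure count into an alert someone should actually act on, which is precisely the step the paragraph above says organizations skip.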
So, what does this say about third parties?
In a nutshell, third parties are an extension of your organization and should, at a minimum, adhere to the same cyber security hygiene your own organization promotes. Assessors and auditors (at the direction of the outsourcers) are rightfully increasing the level of detail required in due diligence to validate that such IT operational controls are in place and operating effectively. In certain regulated industries such as banking, regulators have made it clear that they are probing deeper into the analysis performed by the outsourcer and are requiring more rigorous evidence of the effectiveness of due diligence on vendors and their downstream vendors. In a world where new threats appear daily, detailed due diligence is the right thing to do to mitigate or lessen the impact of a future issue.
A great way to improve your cyber hygiene is to work with organizations that maintain community-developed tools and techniques. Some, such as Shared Assessments, are industry agnostic, while others provide guidance specific to your industry sector. Either way, being involved not only keeps you on top of the latest tools and techniques but also provides valuable insight into what other organizations are doing; it is a true sense of community, all for the common good.
Finally, it is only fair to note that Shared Assessments’ Standardized Information Gathering (SIG) questionnaire and Standardized Control Assessment (SCA) are great tools for both your internal and third-party analysis. These community-driven tools offer peace of mind that you are asking the right questions and requesting the relevant documentation for your due diligence review from your in-house and vendor teams, covering numerous “best-practice” and regulatory IT operational controls.
My first post in response to the SolarWinds attack can be found here.
The article on the brute force password techniques used by the attackers can be found here.