The SolarWinds breach rocked the cybersecurity world, with nine U.S. government agencies and roughly 100 private sector organizations compromised through a poisoned update to the company’s Orion network monitoring software.
The colossal campaign was carried out by the Russian foreign intelligence service (SVR), and proved that even elite security and technology firms could be compromised.
Nearly 18,000 organizations downloaded versions of Orion released between March and June 2020 into which Russian hackers had injected malicious code, though the SVR only took advantage of the access it had gained in select cases. It wasn’t until FireEye disclosed its own compromise on Dec. 8, 2020, and traced the hackers’ initial intrusion back to a server running SolarWinds Orion that the entire campaign came to light.
CRN spoke with 12 prominent C-suite executives at RSA Conference 2021 about the biggest lessons learned from one of the most infamous cyberattacks of all time. From applying far greater scrutiny to technology suppliers and to the code used during the application development process to eliminating the use of on-premise Microsoft Active Directory, here are 12 major takeaways from the SolarWinds breach.
Dump on-premise Microsoft Active Directory
Companies that run both an on-premise version of Active Directory and Azure Active Directory are living in the worst of all possible worlds, since they have to defend against cloud threats, on-premise threats, and the mechanisms Active Directory uses to stay in sync between cloud and on premises, which were exploited by the SolarWinds hackers, according to Proofpoint’s Ryan Kalember.
Kalember, who is Proofpoint’s executive vice president of cybersecurity strategy, urged organizations to fully migrate to Azure Active Directory or Okta Universal Directory to eliminate both on-premise threats as well as hybrid threats like delegated admin abuse, which Kalember said is a vulnerable configuration that Microsoft had been aware of for years and didn’t actually fix.
Companies that get their directory fully into the cloud go from dealing with three categories of risk that are very complicated to model to just one, Kalember said. Companies often have many applications that have always talked to the on-premise domain controller, and following Microsoft’s or Okta’s protocols to move that user identity and authentication to the cloud can be time-consuming, but he said it’s worth it.
Know where code is coming from
The SolarWinds attack has prompted businesses to question the security of the build cycle and scrutinize where they’re getting code from as well as the applications they’re using, according to Mary O’Brien, general manager of IBM Security. Specifically, O’Brien said customers have become more sensitive to where their code is coming from as well as regulating what code is used within the development cycle.
In a post-SolarWinds world, businesses should also put guardrails around their code vaults and protect them as they would a significant database, since it’s clear the code repository should be considered a crown jewel, O’Brien said. The SolarWinds attack made clear the chaos hackers can cause by getting deep into the development cycle, and drove awareness of just how sophisticated and patient they can be.
O’Brien said she’s seen huge levels of investment in recent months around vulnerability assessments, with companies bringing in security experts to analyze the maturity of their operations and look for holes and openings. She also urged businesses to invest in network segmentation to minimize the amount of lateral movement that can occur in the event a company is successfully breached.
Scrutinize suppliers on a continuous basis
Most businesses do a thorough inspection of a supplier’s security practices before agreeing to work with them, but very few organizations maintain that level of scrutiny on an ongoing basis, according to OneTrust Chief Revenue Officer Kevin Kiley. Companies must continuously assess the security practices of their suppliers and use that to recalibrate the level of risk each supplier might represent, Kiley said.
Organizations need to move beyond simply asking for security certifications when putting out a request for proposal and make supply chain security an ongoing practice. Specifically, he said companies should examine how third parties are being used, what data is being shared with them, whether it’s necessary to share all that data with them, and if/how data is being destroyed after it’s no longer being used.
From there, Kiley said businesses should examine the risk represented by fourth- and fifth-party companies that work with their suppliers or their suppliers’ suppliers. Since the SolarWinds attack, Kiley said organizations have invested heavily to gain more insight into who they’re working with and what kind of risk they represent.
Track and test components used in products
Organizations must have a clear and clean understanding of the different components that are part of their IT and cyber infrastructure, according to Splunk President and CEO Doug Merritt. Most products businesses use are complex and contain an array of different elements, coming from both open source software and commercial vendors, Merritt said.
Vendors should be tracking and tracing everything that’s part of a product being delivered to customers along with consistently evaluating and performance testing each element in the offering, Merritt said. Procedure and protocol are very important when verifying that none of the components in a product have been tampered with, and the process requires a lot of human discipline, according to Merritt.
Development teams need to set a high bar when it comes to security hygiene, and should be swapping out credentials on a regular basis so that anyone with access to code is having to consistently revalidate or recertify themselves, Merritt said. Customers have also set aside a lot more money following the SolarWinds attack to ensure they’re gathering, interrogating, and analyzing the right data, Merritt said.
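The guardrails O’Brien and Merritt describe, a code vault treated as a crown jewel and every delivered component verified against a bill of materials, come down to one mechanical check: pin a digest for each component, authenticate the list of pins itself, and fail the build on any component that is altered, missing, or not on the list. The script below is an added example written for this article; it is not code from SolarWinds, IBM or Splunk. The manifest format, the component names and contents, and the HMAC key are all constructed for illustration, and a real pipeline would verify a detached signature (GPG, Sigstore) over the manifest rather than an HMAC with a shared key.

```python
"""Verify a set of build components against a pinned, authenticated manifest.

Added example (not SolarWinds, IBM or Splunk code). The manifest layout, the
HMAC key and the sample artifacts below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key standing in for a signing key that lives outside the repo.
MANIFEST_KEY = b"constructed-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(components: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Attach a MAC to the pins so that editing the manifest is itself detectable."""
    body = json.dumps(components, sort_keys=True).encode()
    return {"components": components,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_authentic(manifest: dict, key: bytes = MANIFEST_KEY) -> bool:
    body = json.dumps(manifest["components"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_components(manifest: dict, artifacts: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Return {component: status}, status in ok / tampered / missing / unexpected.

    `artifacts` maps component name -> bytes as found in the delivered tree.
    Raises ValueError if the manifest itself does not authenticate.
    """
    if not manifest_authentic(manifest, key):
        raise ValueError("manifest MAC mismatch: the pins may have been altered")
    pinned = manifest["components"]
    result = {}
    for name, digest in pinned.items():
        if name not in artifacts:
            result[name] = "missing"
        elif hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            result[name] = "ok"
        else:
            result[name] = "tampered"
    for name in artifacts:
        if name not in pinned:
            result[name] = "unexpected"   # something entered the build that nobody pinned
    return result


def build_sample():
    """Constructed build: sign a manifest over a clean tree, then return a delivered
    tree in which one component was altered, one is missing and an extra file appeared."""
    clean = {"agent-core.bin": b"clean agent core v1.0",
             "vendor-lib.so": b"vendor library v2.3",
             "installer.msi": b"installer v1.0"}
    manifest = sign_manifest({n: sha256_hex(d) for n, d in clean.items()})
    delivered = dict(clean)
    delivered["agent-core.bin"] = clean["agent-core.bin"] + b"\x90" * 4  # modified after pinning
    delivered["injected.dll"] = b"not in the bill of materials"
    del delivered["installer.msi"]
    return manifest, delivered


if __name__ == "__main__":
    manifest, tree = build_sample()
    for name, status in sorted(verify_components(manifest, tree).items()):
        print(f"{status:10s} {name}")
```

The point of authenticating the manifest is that an attacker who can write to the build tree can usually also write to a plain-text checksum file next to it; the pins only mean something if they are signed by a key the build pipeline cannot reach, and the check must treat a component it was never told about as a failure rather than ignoring it.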
Rigorously examine traffic leaving network
Organizations need to have the same rigorous protection rules and policies in place for traffic leaving the network as they do for traffic that’s coming into the network, according to RSA Security CEO Rohit Ghai. If organizations had configured their software servers to only allow access to known good entities, Ghai said the SolarWinds hackers wouldn’t have been able to be nearly as disruptive.
Companies face a polymorphic threat environment, with adversaries constantly compounding and changing their configuration protocols, which Ghai said makes identifying known bad configurations a very human-intensive process. Even allowing access only to known good actors can be challenging, since new devices and systems are constantly being added to the network, making automation necessary.
Disrupting the spread of malware actors and viruses by tightly monitoring outbound network traffic will help make the world a safer place even if the organization in question doesn’t directly benefit, Ghai said. Organizations should leverage sophisticated artificial intelligence and machine learning to monitor configurations since human diligence alone isn’t enough to ensure things are configured right, he said.
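Ghai’s point that a software server should only be allowed to talk to known good entities is an egress allow-list: enumerate the destinations, ports and protocols the server has a legitimate reason to reach, enforce that at the firewall, and alert on anything else. The script below is an added example written for this article, not RSA Security’s tooling. The policy, the server address, the log formats and the log lines are constructed; 203.0.113.10 is from a documentation address range and stands in for an attacker-controlled host.

```python
"""Flag outbound connections and DNS lookups that fall outside a server's
known-good egress policy. Added example (not RSA Security code); the policy,
addresses and log lines are constructed for illustration."""
import ipaddress

# Constructed egress policy for a network-monitoring server at 10.0.2.15:
# (destination network, destination port, protocol). Everything else is a finding.
EGRESS_ALLOW = [
    ("10.0.0.0/16", 161, "udp"),   # SNMP polling of managed devices
    ("10.0.0.0/16", 22, "tcp"),    # SSH to managed devices
    ("10.0.1.53/32", 53, "udp"),   # the internal resolver only
    ("10.0.5.20/32", 443, "tcp"),  # the internal update mirror only
]
# Constructed list of DNS suffixes the server has a reason to resolve.
DNS_ALLOW_SUFFIXES = (".corp.example", ".updates.example")


def is_allowed(dst_ip: str, dst_port: int, proto: str) -> bool:
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) and dst_port == port and proto == p
               for net, port, p in EGRESS_ALLOW)


def parse_flow(line: str):
    """Constructed flow format: '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def find_egress_violations(lines):
    """Return every flow whose destination/port/protocol is not in EGRESS_ALLOW."""
    violations = []
    for line in lines:
        ts, src, dst, port, proto = parse_flow(line)
        if not is_allowed(dst, port, proto):
            violations.append((ts, src, dst, port, proto))
    return violations


def find_dns_violations(lines):
    """Constructed DNS log format: '<timestamp> <client_ip> <qname>'.
    Return lookups for names outside the allowed suffixes (DNS is also egress)."""
    out = []
    for line in lines:
        ts, client, qname = line.split()
        if not qname.rstrip(".").endswith(DNS_ALLOW_SUFFIXES):
            out.append((ts, client, qname))
    return out


# Constructed sample logs for the monitoring server.
FLOW_LOG = [
    "2020-06-12T10:00:01Z 10.0.2.15 10.0.3.44 161 udp",     # SNMP poll: allowed
    "2020-06-12T10:00:02Z 10.0.2.15 10.0.1.53 53 udp",      # internal DNS: allowed
    "2020-06-12T10:00:03Z 10.0.2.15 10.0.5.20 443 tcp",     # update mirror: allowed
    "2020-06-12T10:00:09Z 10.0.2.15 203.0.113.10 443 tcp",  # HTTPS to an unknown external host
    "2020-06-12T10:00:15Z 10.0.2.15 10.0.3.44 445 tcp",     # SMB to a managed device: not in policy
    "2020-06-12T10:00:20Z 10.0.2.15 10.0.5.20 80 tcp",      # plain HTTP to the mirror: not in policy
]
DNS_LOG = [
    "2020-06-12T10:00:02Z 10.0.2.15 switch01.corp.example",
    "2020-06-12T10:00:03Z 10.0.2.15 mirror.updates.example",
    "2020-06-12T10:00:08Z 10.0.2.15 api.telemetry-check.example",  # name no policy explains
]

if __name__ == "__main__":
    for v in find_egress_violations(FLOW_LOG):
        print("egress violation:", v)
    for d in find_dns_violations(DNS_LOG):
        print("dns violation:", d)
```

In practice the flows come from NetFlow, Zeek or firewall logs and the policy is enforced in the firewall rather than only audited afterwards; the detector’s job is to catch drift between what the server is actually doing and what it was approved to do. Note that two of the three flagged flows go to hosts that are on the allow-list for other ports, which is exactly the lateral movement a destination-only allow-list would miss.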
Break infection chain to stem bleeding
The more places defenders break the kill chain or infection chain, the better chance they have of halting attacks like SolarWinds, said John Maddison, Fortinet’s CMO and EVP, Products. It can be hard to reconstruct the entire outbreak cycle even if some details are known, so Maddison urges companies to break down every stage of the kill chain and determine where the attackers can be stopped.
If an organization decides to give a piece of third-party software like SolarWinds Orion privileged access to everything, Maddison said they need to build a lot of security around it and pay close attention to what systems have access to what data. Companies should raise the level of their network monitoring software so that it’s more integrated with the Network Operations Center (NOC), Maddison said.
Ultimately, Maddison said the best defense would be identifying campaigns in the wild using artificial intelligence before they strike by examining reconnaissance on the dark web and relating zero-day exploits to specific threat actors. Hackers typically conduct reconnaissance on a targeted organization’s systems for months before developing a zero-day exploit, according to Maddison.
Understand where sensitive data resides
Organizations have a massive blind spot if they’re unable to see what data has been touched by who and when, according to Varonis CMO David Gibson. Companies should start their security journey by determining what within their organization would be most valuable to hackers, which Gibson said is almost always the data.
From there, Gibson said businesses should figure out where their sensitive data resides, who has access to it, how (if at all) the organization would know if someone accessed that data in an unusual manner, and which specific accounts within the company have the most expansive access to that data. Companies should ensure they have a zero trust strategy in place around their most privileged accounts.
If businesses have a compromise anywhere on their network, Gibson said they should be able to see where the adversaries are going to go next. Organizations should also monitor authentication to ensure hackers aren’t taking advantage of common weaknesses in Active Directory, and watch for the reconnaissance hackers can conduct using command and control servers and DNS once an account has been compromised.
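Gibson’s questions, where the sensitive data is, which accounts have the most expansive access to it, and whether anyone would notice unusual access, can be answered from two inputs: the ACLs on the sensitive stores and a per-account history of reads against them. The script below is an added example written for this article, not Varonis code. The data inventory, the ACL, the event format and the sample events are all constructed; the baseline is a simple mean-plus-three-standard-deviations rule, which is enough to show the idea but not what a production tool would ship.

```python
"""Rank accounts by reach into sensitive data and flag accounts whose sensitive
reads today depart from their own baseline. Added example (not Varonis code);
the inventory, ACL, event format and events are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory: path prefixes that hold sensitive data.
SENSITIVE_PREFIXES = ("/fs/finance/", "/fs/hr/", "/fs/source/")

# Constructed ACL: account -> set of path prefixes it can read.
ACL = {
    "alice": {"/fs/finance/"},
    "bob": {"/fs/hr/"},
    "svc-backup": {"/fs/finance/", "/fs/hr/", "/fs/source/", "/fs/public/"},
    "svc-monitor": {"/fs/public/"},
}


def broadest_access(acl, sensitive=SENSITIVE_PREFIXES):
    """Accounts ordered by how many sensitive stores they can reach (most first)."""
    return sorted(((sum(p in sensitive for p in paths), acct)
                   for acct, paths in acl.items()), reverse=True)


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def daily_counts(events):
    """Constructed event format: '<YYYY-MM-DD> <account> <path>'.
    Returns {account: {day: number of sensitive reads}}; non-sensitive reads are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in events:
        day, acct, path = line.split()
        if is_sensitive(path):
            counts[acct][day] += 1
    return counts


def find_anomalies(events, today, min_baseline_days=3, sigma=3.0, floor=5):
    """Flag (account, reads_today, threshold) where reads_today exceeds the account's
    baseline of mean + sigma*stdev over prior days, and an absolute floor.
    Accounts with too little history are judged on the floor alone (threshold None)."""
    counts = daily_counts(events)
    flagged = []
    for acct, per_day in counts.items():
        history = [n for d, n in per_day.items() if d < today]
        todays = per_day.get(today, 0)
        if len(history) < min_baseline_days:
            if todays >= floor:
                flagged.append((acct, todays, None))
            continue
        threshold = mean(history) + sigma * pstdev(history)
        if todays >= max(threshold, floor):
            flagged.append((acct, todays, round(threshold, 1)))
    return flagged


def _reads(day, acct, prefix, n):
    return [f"{day} {acct} {prefix}doc{i}.xlsx" for i in range(n)]


# Constructed history: four quiet days, then a day with two suspicious patterns.
EVENTS = []
for _day, _a, _b, _s in [("2020-06-08", 4, 3, 20), ("2020-06-09", 5, 3, 22),
                         ("2020-06-10", 4, 2, 21), ("2020-06-11", 5, 3, 20)]:
    EVENTS += _reads(_day, "alice", "/fs/finance/", _a)
    EVENTS += _reads(_day, "bob", "/fs/hr/", _b)
    EVENTS += _reads(_day, "svc-backup", "/fs/finance/", _s)
TODAY = "2020-06-12"
EVENTS += _reads(TODAY, "alice", "/fs/finance/", 5)
EVENTS += _reads(TODAY, "bob", "/fs/hr/", 4)
EVENTS += _reads(TODAY, "svc-backup", "/fs/source/", 60)   # bulk pull of source by a service account
EVENTS += _reads(TODAY, "svc-monitor", "/fs/source/", 6)   # account with no prior sensitive access
EVENTS += _reads(TODAY, "svc-monitor", "/fs/public/", 3)   # public reads do not count

if __name__ == "__main__":
    print("broadest access:", broadest_access(ACL))
    print("anomalies:", find_anomalies(EVENTS, TODAY))
```

The two flagged accounts illustrate the two cases worth separating: a privileged service account whose volume jumps far above its own norm, and an account that had no business touching the store at all (svc-monitor is not even granted /fs/source/ in the ACL, so that read is also an access-control finding). The ACL ranking is what tells you which accounts deserve the zero trust controls Gibson describes before any anomaly appears.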
Businesses can’t stop what they’re unable to see
Organizations need to understand every process, network connection and system change inside their environment, and should be able to index and search events with threat intelligence and updated information about indicators of compromise, according to CrowdStrike CTO Michael Sentonas. But visibility comes first, Sentonas said, since businesses can’t stop what they’re unable to see.
Specifically, Sentonas said every device inside an organization’s network should be instrumented to get the necessary telemetry to determine if something is malicious or out of the ordinary. From there, Sentonas said runtime security is vital to stop malicious code execution, while attack surface minimization will play a key role in reducing the opportunity for an adversary to get on the network.
From an intelligence standpoint, Sentonas said businesses should know what techniques adversaries are most likely to use and go hunt for them, while managed threat hunting services are available to companies that don’t have the skills to do it themselves. Doing threat hunting requires hiring and training specialists as well as having the ability to orchestrate staff to search around the clock for potential attackers.
Increase network visibility and segmentation
Customers need more visibility and segmentation within their networks to identify what assets are running where and ensure that critical assets are prioritized, according to Qualys President and CEO Sumedh Thakar. If there’s a system with a software binary running on it, organizations should know how quickly it can access the other systems in its environment, Thakar said.
Since the SolarWinds attack was publicized, Thakar said customers have tightened their security programs to identify their assets, map their criticality, prioritize what systems need to be protected, and double down on patching and spotting misconfigurations.
Given that adversaries have many innovative ways to get inside a victim’s environment, Thakar said the most effective way organizations can blunt attacks is by making sure the right mitigation and threat monitoring systems are in place. This will help prevent the adversary from moving laterally across their systems, according to Thakar.
Ensure the right security architecture is in place
It’s not realistic for most customers to audit all their vendors and for vendors to have all their customers auditing them, according to Nir Zuk, Founder and CTO of Palo Alto Networks. Outside of specific vendors that are core to a customer’s business, Zuk said organizations can get a better return on their time and money by ensuring that a comprehensive security architecture is in place.
Organizations should take a zero trust approach to the third-party software they deploy and assume it’s infected, and from there determine what controls can be put in place to minimize damage and fallout, according to Zuk. It’s very hard for companies to live without applications from third-party vendors, and few companies have the time and resources to build every piece of technology they use themselves.
From a technology standpoint, Zuk said businesses should walk in the footsteps of an adversary and see what their organization’s security looks like from the outside. Companies should also take a closer look at what their internal processes look like from a security standpoint, according to Zuk.
Emphasize security during the AppDev process
Addressing critical issues like SolarWinds comes down to having the right vulnerability management program in place, one that provides visibility, an understanding of risks, and the workflows and processes to resolve problems, according to Lou Fiorello, ServiceNow’s vice president and general manager of security products.
Organizations should maintain efficient operations and an audit trail of how they’ve responded to threats, to track what they’ve done and assess whether they’ve met the policies set both internally and externally, Fiorello said. Manual processes when handling security incidents like SolarWinds are a huge pain, and Fiorello said companies face a lot of pressure to ensure they’re doing things the right way.
Businesses should document that vulnerability scans took place at certain points during the application development process as well as any exceptions that were made and why, Fiorello said. The security organization also needs to coordinate with distributed development teams to ensure that visibility and central policy control is maintained regardless of which tools the developers pick, according to Fiorello.
Ditch firewalls and traditional security appliances
A castle and moat approach to security is the wrong model for today’s threats since it allows anyone that breaches the perimeter broad access within the victim’s environment, according to Zscaler CEO Jay Chaudhry. Yet despite the glaring weaknesses of a firewall-based approach to security, Chaudhry said businesses are still investing more in firewalls than any other security technology.
Firewalls assume that anyone inside the corporate network is trusted without requiring further verification, and they require the buildout of separate branches onto a wide area network (WAN) to support satellite locations, Chaudhry said.
Instead of connecting users to the corporate network, Chaudhry said it’s more secure to connect users directly to the application they need to use. By having all users accessing applications through an exchange that verifies their identity, Chaudhry said organizations can eliminate the need for WANs, firewalls, and traditional security appliances.