Informa / Omdia Commentary

SolarWinds Hack Lessons Learned: Finding the Next Supply Chain Attack

The SolarWinds supply chain compromise won't be the last of its kind. Vendors and enterprises alike must learn and refine their detection efforts to find the next such attack.

Even though investigations and analysis of the recently discovered SolarWinds hack remain ongoing, it is already clear that the scope is extensive, and the full impact will likely prove to be devastating.

To recap, FireEye last month discovered what it described as a "global intrusion campaign" perpetrated via malicious, trojanized updates to SolarWinds' Orion network management software. The latest estimates indicate that the compromised SolarWinds software made its way into approximately 18,000 enterprises, government agencies, and other entities globally.

It is as yet unclear how many of those victims suffered damages as a result.


Vulnerabilities in the software supply chain are not new; according to Imperva, there have been more than 150,000 reported Common Vulnerabilities and Exposures (CVEs) in software applications and libraries since 2000. However, the SolarWinds incident has served to clearly illustrate that supply chain vulnerabilities represent a significantly greater risk of compromise -- and potential for damage -- than most previously thought.

An even scarier proposition is this: if SolarWinds' flagship product could be compromised and go unnoticed for weeks or months by thousands of enterprises, including some of the world's top cybersecurity firms, how many more software supply chain compromises may already be in the wild right now, just waiting to be discovered?

A supply chain 'kill chain'

Enterprises and vendors alike must account for the risk of supply chain attacks, and adjust both strategically and tactically. Organizations should strive to create a "cyber kill chain" for supply chain compromises, thus creating as many opportunities as possible to prevent, disrupt, or at least quickly detect such incidents before weaponized software has the opportunity to cause damage.

Omdia recommends adopting a long-term, programmatic approach to software supply chain security. Such an approach should be based on sound risk management best practices, such as NIST's Cyber Supply Chain Risk Management (C-SCRM) guidance.

However, there are three particularly notable areas where enterprises have opportunities to effect positive change in the near term.

Software supply chain governance

Most organizations have no practical visibility or control over the security practices of their third-party software vendors. Even if enterprises had the wherewithal to pursue it, from the perspective of the software vendors, providing customers (or anyone) with that opportunity often introduces too much risk into their own processes, by way of exposing system access or security tactics, not to mention the added costs of doing so.

That said, organizations should seek to leverage their influence as customers to improve software supply chain governance.

In practice, this is executed by defining a set of software security best practices that serve as baseline requirements any software vendor must meet prior to purchase.

These requirements may be more or less detailed or technical depending on the category of supplier or the size of the enterprise. Again, industry best practices should be the starting point for any software supplier, including but not necessarily limited to specific practices for code sourcing, code review (manual and automated), and consistent software security testing both pre- and post-runtime. Vendors should also detail their practices for detecting unsourced and/or anomalous code insertions like the one that affected SolarWinds, which may go undetected by traditional security measures.

As part of any purchasing agreement, vendors must be required to not only pledge to live up to these guidelines, but also validate that they are doing so on an ongoing basis. Some high-value purchases may also potentially require indemnification for affected or compromised customers in the event of a security incident. 

The governance angle is the linchpin here because this approach requires buy-in across the business, from the C-suite to the IT and cybersecurity groups to all line-of-business managers and other software decision makers. It is not a technical control as much as it is a business risk management control.

While the approach will no doubt add time, complexity, and cost to the software acquisition process, once refined it can become a standardized process that helps ensure that software makers with undocumented or unclear security practices are weeded out of the purchasing process.

Behavioral analytics-based threat detection

It is interesting to note that FireEye's initial detection of the SolarWinds compromise didn't find complex lateral movement, or even data exfiltration.

What triggered FireEye's deeper investigation, according to reports, was an unusual remote user login from a previously unknown device with an IP address in a suspect location. It was only upon further review that FireEye discovered the intrusion and ultimately traced it back to SolarWinds.

This scenario, now all too real for thousands of enterprises around the world, underscores the importance -- if not necessity -- of having behavioral analytics as a key component of contemporary enterprise cybersecurity product architectures. 

Behavioral analytics supercharges threat detection by not only analyzing event input based on activity from users and devices, but also by using machine learning, statistical analysis and behavioral modeling to correlate and enrich events.

World-class behavioral analytics technology can factor in a wide variety of data points -- such as peer groups, IP association, personal email addresses, and kinetic identifiers like badge reader activity -- to identify a malicious intrusion by stitching together a half dozen or more events that, by themselves, would seem benign.

In this case, FireEye received an alert because its analytics systems were able to automatically correlate the login attempt with the user credentials and likely other factors, such as location, time of day, and overall pattern of system access by that user. This anomalous activity likely triggered a high-priority alert, signaling to security analysts that the login in question required further scrutiny. 

Without this technology, this malicious login and all the activity associated with it would likely have blended in with every other login, as is typically the case in most enterprises today. The lack of widely deployed behavioral analytics technology is perhaps one of the largest and most dangerous gaps in enterprise cybersecurity programs today, a gap attackers are clearly exploiting. 
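The correlation described above, as an added illustration that is not from the Omdia article or FireEye's tooling: a login is scored against a per-user baseline of known devices, countries and login hours, and several individually weak signals combine into a high-priority alert. The user `jdoe`, the device names and the log lines are constructed sample data.

```python
"""Constructed example: score a login against a per-user behavioral baseline.
Not from the article; the user, devices, countries and log lines are made up."""
from collections import Counter
from datetime import datetime

# Constructed sample authentication log: timestamp,user,device_id,country,result
SAMPLE_LOG = """\
2020-11-02T09:14:00,jdoe,LAPTOP-A1,US,success
2020-11-03T08:52:00,jdoe,LAPTOP-A1,US,success
2020-11-04T17:40:00,jdoe,PHONE-B2,US,success
2020-11-05T09:05:00,jdoe,LAPTOP-A1,US,success
2020-11-06T10:30:00,jdoe,LAPTOP-A1,US,success
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, user, device, country, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "device": device, "country": country, "result": result})
    return rows

def build_baseline(rows, user):
    """Known devices, countries and login hours from the user's past successes."""
    mine = [r for r in rows if r["user"] == user and r["result"] == "success"]
    return {"devices": {r["device"] for r in mine},
            "countries": {r["country"] for r in mine},
            "hours": Counter(r["ts"].hour for r in mine)}

def score_login(baseline, device, country, ts):
    """Each weak signal adds one point; the combination sets the priority."""
    reasons = []
    if device not in baseline["devices"]:
        reasons.append("unknown device")
    if country not in baseline["countries"]:
        reasons.append("unusual country")
    if baseline["hours"][ts.hour] == 0:          # Counter returns 0 for unseen hours
        reasons.append("off-hours login")
    score = len(reasons)
    priority = "high" if score >= 2 else ("low" if score == 1 else "none")
    return {"score": score, "priority": priority, "reasons": reasons}

def evaluate(log_text, user, device, country, ts_iso):
    """Build the baseline from the log and score one new login against it."""
    baseline = build_baseline(parse_log(log_text), user)
    return score_login(baseline, device, country, datetime.fromisoformat(ts_iso))
```

A single off-hours login from a known device stays low priority; an unknown device from an unseen country at an unseen hour scores three and is escalated, which is the "stitching together" the article describes.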

Data exfiltration detection and prevention

When all else fails, an organization needs to be able to quickly identify when valuable data is being exfiltrated out of its endpoints, servers, and networks, even in the most unusual ways.

Most enterprises have extensive network traffic logs to draw from, but the challenge is that command-and-control traffic is often obfuscated, plus the exfiltrated data itself is often encrypted before it leaves an organization, making its contents almost invisible. This is especially true when application traffic is involved.

Indeed, according to reports, adversaries used the Trojan embedded in the SolarWinds software to begin exfiltrating some victims' sensitive files and communications. They then used established domains that appeared legitimate to carry out the exfiltration operations.

Interestingly, a number of security vendors have published reports stating that, upon review, their various intrusion detection technologies did detect the activity, but that the significance of the alerts did not rise to an actionable level.

While the SolarWinds incident clearly represented a unique detection challenge, the lesson is that organizations cannot assume that unusual outbound network traffic is benign, even when sourced to a trusted application. Vendors need to tune their detection algorithms to account for the very real possibility of malicious actions from trusted applications, and enterprises need to update their monitoring tactics to watch for anomalies where they typically haven't focused much before, such as their network management software.

Traditional network security best practices can also blunt the likelihood of a SolarWinds-style data exfiltration, namely network segmentation and perimeter firewall policies that restrict application traffic to pre-approved domains.
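The egress controls and monitoring described in this section, as an added example that is not part of the Omdia article: outbound connection records from a network-management host are audited against a pre-approved destination list, and per-destination outbound volume is checked against a threshold. The host name `nms01`, the `.invalid` domains, the approved list and the byte counts are constructed sample data; the threshold is a hypothetical tuning value.

```python
"""Constructed example: audit outbound traffic from a network-management host
against an egress allowlist and a volume threshold. Not from the article."""
from collections import defaultdict

# Hypothetical allowlist: destinations this host class is approved to reach
APPROVED_DOMAINS = {"updates.example-vendor.invalid", "ntp.example.invalid"}

# Constructed proxy/firewall log: timestamp,src_host,dst_domain,bytes_out
SAMPLE_EGRESS = """\
2020-12-01T01:00:00,nms01,updates.example-vendor.invalid,2048
2020-12-01T01:05:00,nms01,ntp.example.invalid,128
2020-12-01T02:10:00,nms01,cdn.lookalike.invalid,51200
2020-12-01T02:12:00,nms01,cdn.lookalike.invalid,4194304
2020-12-01T03:00:00,nms01,updates.example-vendor.invalid,1024
"""

def parse_egress(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return rows

def is_approved(domain, approved):
    """Exact match, or a subdomain of an approved domain."""
    return any(domain == a or domain.endswith("." + a) for a in approved)

def audit_egress(rows, approved, volume_threshold):
    """Return findings: each unapproved destination once, plus any
    (source, destination) pair whose total outbound bytes exceed the threshold."""
    findings = []
    seen_unapproved = set()
    volume = defaultdict(int)
    for r in rows:
        volume[(r["src"], r["dst"])] += r["bytes"]
        if not is_approved(r["dst"], approved) and r["dst"] not in seen_unapproved:
            seen_unapproved.add(r["dst"])
            findings.append(("unapproved_destination", r["src"], r["dst"]))
    for (src, dst), total in volume.items():
        if total > volume_threshold:
            findings.append(("high_outbound_volume", src, dst))
    return findings

def run_audit(text=SAMPLE_EGRESS, threshold=1_000_000):
    """Parse the constructed log and audit it with the hypothetical allowlist."""
    return audit_egress(parse_egress(text), APPROVED_DOMAINS, threshold)
```

In a real deployment the allowlist becomes the perimeter firewall policy for the segment and the audit becomes a recurring detection over the firewall or proxy logs.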

It remains to be seen whether SolarWinds represents the beginning of a wave of high-profile software supply chain attacks. Regardless, enterprises would be wise to learn from this incident, and prepare as if the next supply chain attack is only a matter of time.
