1/11/2021
03:00 PM
Eric Parizo
Commentary
SolarWinds Hack Lessons Learned: Finding the Next Supply Chain Attack

The SolarWinds supply chain compromise won't be the last of its kind. Vendors and enterprises alike must learn and refine their detection efforts to find the next such attack.

Even though investigations and analysis of the recently discovered SolarWinds hack remain ongoing, it is already clear that the scope is extensive, and the full impact will likely prove to be devastating.

To recap, FireEye last month discovered what it described as a "global intrusion campaign" perpetrated via malicious, trojanized updates to SolarWinds' Orion network management software. The latest estimates indicate that the compromised SolarWinds software made its way into approximately 18,000 enterprises, government agencies, and other entities globally.

It is as yet unclear how many of those victims suffered damages as a result.

Vulnerabilities in the software supply chain are not new; according to Imperva, there have been more than 150,000 reported Common Vulnerabilities and Exposures (CVEs) in software applications and libraries since 2000. However, the SolarWinds incident has served to clearly illustrate that supply chain vulnerabilities represent a significantly greater risk of compromise -- and potential for damage -- than most previously thought.

An even scarier proposition is this: if SolarWinds' flagship product could be compromised and go unnoticed for weeks or months by thousands of enterprises, including some of the world's top cybersecurity firms, how many more software supply chain compromises may already be in the wild right now, just waiting to be discovered?

A supply chain 'kill chain'

Enterprises and vendors alike must account for the risk of supply chain attacks, and adjust both strategically and tactically. Organizations should strive to create a "cyber kill chain" for supply chain compromises, thus creating as many opportunities as possible to prevent, disrupt, or at least quickly detect such incidents before weaponized software has the opportunity to cause damage.

Omdia recommends adopting a long-term, programmatic approach to software supply chain security. Such an approach should be based on sound risk management best practices, such as NIST's Cyber Supply Chain Risk Management (C-SCRM) guidance.

However, there are three particularly notable areas where enterprises have opportunities to effect positive change in the near term.

Software supply chain governance

Most organizations have no practical visibility or control over the security practices of their third-party software vendors. Even if enterprises had the wherewithal to pursue it, from the perspective of the software vendors, providing customers (or anyone) with that opportunity often introduces too much risk into their own processes, by way of exposing system access or security tactics, not to mention the added costs of doing so.

That said, organizations should seek to leverage their influence as customers to improve software supply chain governance.

In practice, this means defining a baseline set of software security practices that any software vendor must meet before purchase.

These requirements may be more or less detailed or technical depending on the category of supplier and the size of the enterprise. Again, industry best practices should be the starting point for any software supplier, including but not necessarily limited to specific practices for code sourcing, code review (manual and automated), consistent software security testing both pre- and post-runtime, and detail on the supplier's practices for detecting unsourced or anomalous code insertions like the one that affected SolarWinds, which may go undetected by traditional security measures.

As part of any purchasing agreement, vendors must be required to not only pledge to live up to these guidelines, but also validate that they are doing so on an ongoing basis. Some high-value purchases may also potentially require indemnification for affected or compromised customers in the event of a security incident. 

The governance angle is the linchpin here because this approach requires buy-in across the business, from the C-suite to the IT and cybersecurity groups to all line-of-business managers and other software decision makers. It is not a technical control as much as it is a business risk management control.

While the approach will no doubt add time, complexity, and cost to the software acquisition process, once refined it can become a standardized process that helps ensure that software makers with undocumented or unclear security practices are weeded out of the purchasing process.

Behavioral analytics-based threat detection

It is interesting to note that FireEye's initial detection of the SolarWinds compromise didn't find complex lateral movement, or even data exfiltration.

What triggered FireEye's deeper investigation, according to reports, was an unusual remote user login from a previously unknown device with an IP address in a suspect location. It was only upon further review that FireEye discovered the intrusion and ultimately traced it back to SolarWinds.

This scenario, now all too real for thousands of enterprises around the world, underscores the importance -- if not necessity -- of having behavioral analytics as a key component of contemporary enterprise cybersecurity product architectures. 

Behavioral analytics supercharges threat detection by not only analyzing event input based on activity from users and devices, but also by using machine learning, statistical analysis and behavioral modeling to correlate and enrich events.

World-class behavioral analytics technology can factor in a wide variety of data points -- such as peer groups, IP association, personal email addresses, and kinetic identifiers like badge reader activity -- to identify a malicious intrusion by stitching together a half dozen or more events that, by themselves, would seem benign.

In this case, FireEye received an alert because its analytics systems were able to automatically correlate the login attempt with the user credentials and likely other factors, such as location, time of day, and overall pattern of system access by that user. This anomalous activity likely triggered a high-priority alert, signaling to security analysts that the login in question required further scrutiny. 

Without this technology, this malicious login and all the activity associated with it would likely have blended in with every other login, as is typically the case in most enterprises today. The lack of widely deployed behavioral analytics technology is perhaps one of the largest and most dangerous gaps in enterprise cybersecurity programs today, a gap attackers are clearly exploiting. 
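To make the "stitching together" idea concrete, here is an added example (not code from the article, FireEye, or any product it mentions) of a minimal behavioral scorer: each login signal alone stays below the alert bar, but an unknown device, an out-of-baseline location and an off-hours time on one successful login combine into a high-priority alert. The user baseline, the device and country values, and the log lines are all constructed.

```python
"""Added example: score login events against a per-user baseline so that
several individually benign signals escalate into one actionable alert.
All baselines, device names, countries and log lines are constructed."""
from collections import namedtuple
from datetime import datetime

Login = namedtuple("Login", "user device country hour success")

# Constructed per-user baseline, as a UEBA product would learn it over time.
BASELINE = {
    "alice": {"devices": {"alice-laptop"}, "countries": {"US"}, "hours": range(7, 20)},
}

# Constructed login log lines: timestamp,user,device,geo_country,result
# ("ZZ" is a placeholder country outside the user's normal pattern).
LOG = """\
2021-01-04T09:12:00,alice,alice-laptop,US,success
2021-01-04T03:41:00,alice,unknown-device-7f2a,ZZ,success
2021-01-04T10:05:00,alice,alice-laptop,US,failure
"""

def parse(line):
    ts, user, device, country, result = line.split(",")
    hour = datetime.fromisoformat(ts).hour
    return Login(user, device, country, hour, result == "success")

def score(login, baseline):
    """Return (score, reasons); any single reason stays below the alert bar."""
    b = baseline[login.user]
    reasons = []
    if login.device not in b["devices"]:
        reasons.append("unknown device")
    if login.country not in b["countries"]:
        reasons.append("location outside baseline")
    if login.hour not in b["hours"]:
        reasons.append("off-hours login")
    total = 30 * len(reasons)
    if login.success and reasons:
        total += 10  # a successful anomalous login outranks a failed one
    return total, reasons

def triage(log, baseline, threshold=70):
    """Return only the logins whose combined score crosses the threshold."""
    alerts = []
    for line in log.splitlines():
        login = parse(line)
        total, reasons = score(login, baseline)
        if total >= threshold:
            alerts.append((login.user, login.device, total, reasons))
    return alerts
```

Only the second constructed login is returned by `triage`; the first and third score zero even though one of them is a failed login, because failure alone is not an anomaly against this baseline.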

Data exfiltration detection and prevention

When all else fails, an organization needs to be able to quickly identify when valuable data is being exfiltrated out of its endpoints, servers, and networks, even in the most unusual ways.

Most enterprises have extensive network traffic logs to draw from, but the challenge is that command-and-control traffic is often obfuscated, plus the exfiltrated data itself is often encrypted before it leaves an organization, making its contents almost invisible. This is especially true when application traffic is involved.

Indeed, according to reports, adversaries used the Trojan embedded in the SolarWinds software to begin exfiltrating some victims' sensitive files and communications. The malware then used established domains that appeared legitimate to carry out the exfiltration operations.

Interestingly, a number of security vendors have published reports stating that, upon review, their various intrusion detection technologies did detect the activity, but that the significance of the alerts did not rise to an actionable level.

While the SolarWinds incident clearly represented a unique detection challenge, the lesson is that organizations cannot assume that unusual outbound network traffic is benign, even when it originates from a trusted application. Vendors need to tune their detection algorithms to account for the very real possibility of malicious actions from trusted applications, and enterprises need to update their monitoring tactics to watch for anomalies where they typically haven't focused much before, such as their network management software.

Traditional network security best practices can also reduce the likelihood of a SolarWinds-style data exfiltration, namely network segmentation and perimeter firewall policies that restrict application traffic to pre-approved domains.
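The following is an added example (not code from the article or from SolarWinds) of the egress policy just described, applied as a detection check rather than a firewall rule: outbound connections from a network-management segment are audited against the segment's pre-approved domains, and a trusted application's traffic is flagged when its destination is not on that list or the transfer is unusually large. The segment name, host name, domains and proxy log lines are all constructed placeholders.

```python
"""Added example: audit egress from a network-management segment against a
per-segment allowlist, so traffic from a trusted application is still checked.
Segment, host, domains and log lines are constructed placeholders."""
from collections import defaultdict

# Constructed policy: destination domains pre-approved for each segment.
EGRESS_POLICY = {
    "netmgmt": {"updates.vendor.example", "licensing.vendor.example"},
}

# Constructed proxy log lines: time,src_host,segment,dest_domain,bytes_out
PROXY_LOG = """\
2021-01-04T08:00:00,orion-01,netmgmt,updates.vendor.example,5120
2021-01-04T08:30:00,orion-01,netmgmt,cdn.telemetry-service.example,4096
2021-01-04T09:00:00,orion-01,netmgmt,cdn.telemetry-service.example,4096
2021-01-04T09:30:00,orion-01,netmgmt,cdn.telemetry-service.example,3145728
"""

def in_policy(segment, domain, policy):
    """True if the domain, or one of its parent domains, is pre-approved."""
    allowed = policy.get(segment, set())
    labels = domain.split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))

def audit(log, policy, byte_threshold=1_000_000):
    """Group connections per (host, destination) and keep only those with findings."""
    findings = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "reasons": set()})
    for line in log.splitlines():
        _, host, segment, domain, size = line.split(",")
        entry = findings[(host, domain)]
        entry["connections"] += 1
        entry["bytes_out"] += int(size)
        if not in_policy(segment, domain, policy):
            entry["reasons"].add("destination not pre-approved for segment")
        if int(size) >= byte_threshold:
            entry["reasons"].add("large outbound transfer")
    return {key: entry for key, entry in findings.items() if entry["reasons"]}
```

The approved update check passes silently, while the three connections to the unapproved domain are reported together with their combined byte count, which is the view an analyst needs to judge whether a trusted host is quietly sending data out.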

It remains to be seen whether SolarWinds represents the beginning of a wave of high-profile software supply chain attacks. Regardless, enterprises would be wise to learn from this incident, and prepare as if the next supply chain attack is only a matter of time.

Eric Parizo supports Omdia's Cybersecurity Accelerator, its research practice supporting vendor, service provider, and enterprise clients in the area of enterprise cybersecurity. Eric covers global cybersecurity trends and top-tier vendors in North America. He has been ...
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28488
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...