Is trust as we know it dead?
The SolarWinds breach was arguably the most significant computer hack of the decade. At least, of those breaches that we know of. Rather than jump straight into judgement and analysis, we wanted to watch as things unfurled and provide a balanced view with facts and clear thoughts later, rather than fast attention-grabbing reactions.
In this article we’re going to explore the consequences of the SolarWinds breach for all businesses, large and small. We’ll challenge the popular concept of security and we’ll offer some constructive advice. We also look at how attackers breached one of the world’s leading security companies, and why it told everyone about it.
Is hacking normal?
It is totally naïve to believe that hacking between nation-states, businesses and even individuals is rare or even fictional. It happens all the time, and has done ever since humans first started fighting and realised that planning improves the chances of success. But let’s not get into a history of war, espionage and sabotage. Let’s look at the SolarWinds hack in a modern context, with wise eyes and optimism in our hearts.
When we at SE Labs first heard of the breach, it was through FireEye’s notification. That announcement surprised us initially, because most organisations are shy about reporting breaches.
A security specialist would, we thought, be even more private than most other companies. It felt like a reputational issue. A large financial institution would avoid announcing such a thing unless compelled by legislation, so a company whose mission is to prevent and investigate hacker intrusions would be even more embarrassed in a similar situation.
Why would FireEye admit that it had been hacked?
But then we started thinking about it a little more deeply. FireEye is famous for its ability to analyse breaches. The company must have realised a few things:
- That the attackers had breached other significant organisations, so FireEye was in ‘good’ company. It’s less embarrassing to be the victim of a crime if there are lots of other victims.
- If lots of large enterprises, including other security companies, had been breached, someone was going to talk sooner or later so…
- It would be better to be the one who calls it out first. It would be the best security expert that actually noticed this breach! Everyone else didn’t see it. (Or if they did, and kept it quiet, they most likely broke the law. So they’re going to have to claim that they didn’t notice…)
In retrospect, an attack at this level shouldn’t be surprising. Very large organisations have provided technical details in the past, following a breach. Google’s Aurora breach is one foremost in our memory.
What was most significant, though, was the breadth of the attack. It affected Microsoft and others, which brings up some interesting issues to consider. Those include problems with the information technology supply chain – the companies you use, the companies they use and so on.
Their first target isn’t their last
With supply chain attacks, you are vulnerable to things that are very much out of your control. Do you choose Microsoft or Google to handle your business email and cloud services? Amazon? There are not many choices out there, so you have to rely on one of a very few companies. That means attackers have only a few targets to focus on (and keep focussing on) for the next few years.
So now you have an issue of trust. Who do you trust to run your IT systems? Will your in-house team do a better job securing Microsoft products than Microsoft itself? Should you simply assume that you are going to be compromised at some point? Do you assume that your systems are not as secure as you’d like? Could you simply not put confidential data in the cloud? All of these things are easier considered than fixed.
SolarWinds breach – ignorance was bliss
The SolarWinds breach is a wake-up call that no-one is bullet-proof, including the best IT providers in the world and the most skilled hackers. Being aware of risks is important, even if you can’t completely mitigate them. Blindly ignoring them might be bliss, but it’s irresponsible and likely to end in tears.
There are useful steps that you can take if you assume that your organisation will be attacked, attacked effectively and over a prolonged period of time. If you ignore the problem, attackers will breach you. If you address the problem, you might still be breached, but you can reduce the damage.
The SolarWinds incident highlights the usefulness of multi-factor authentication, which is how FireEye first detected the breach. Its system noticed that an employee had a new phone. The administrators checked with the employee, who knew nothing of this. And so the breach was first spotted. The hack also highlights the need for customers to understand that no security vendor is 100% secure.
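The check described above, a new phone appearing against an existing account followed by an administrator asking the employee about it, can be sketched as follows. This is an added example, not FireEye's system or code from the original article; the event fields, action names and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real logs. Field and action names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2020-11-02T09:14Z", "user": "alice", "action": "enrol", "device": "phone-A1"},
    {"ts": "2020-11-20T08:01Z", "user": "bob", "action": "enrol", "device": "phone-B1"},
    {"ts": "2020-12-01T22:40Z", "user": "alice", "action": "enrol", "device": "phone-X9"},
    {"ts": "2020-12-01T22:43Z", "user": "alice", "action": "login", "device": "phone-X9"},
    {"ts": "2020-12-02T10:05Z", "user": "bob", "action": "enrol", "device": "phone-B2"},
    {"ts": "2020-12-02T10:30Z", "user": "bob", "action": "confirm", "device": "phone-B2"},
    {"ts": "2020-12-02T11:00Z", "user": "bob", "action": "login", "device": "phone-B2"},
    {"ts": "2020-12-02T11:15Z", "user": "alice", "action": "deny", "device": "phone-X9"},
]


def review_enrolments(events):
    """Return (ts, user, device, reason) alerts for second-factor device changes."""
    trusted = defaultdict(set)  # user -> devices the user is known to own
    pending = defaultdict(set)  # user -> new devices awaiting the user's answer
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, device, action = e["user"], e["device"], e["action"]
        if action == "enrol":
            if trusted[user]:
                # Account already has a factor: hold the new one and ask the owner.
                pending[user].add(device)
                alerts.append((e["ts"], user, device, "verify_with_user"))
            else:
                trusted[user].add(device)  # first device, treated as onboarding
        elif action == "login" and device in pending[user]:
            # The new factor is being used before its owner has vouched for it.
            alerts.append((e["ts"], user, device, "unconfirmed_device_used"))
        elif action == "confirm" and device in pending[user]:
            pending[user].discard(device)
            trusted[user].add(device)
        elif action == "deny" and device in pending[user]:
            # The employee knows nothing about the device: treat as a breach signal.
            pending[user].discard(device)
            alerts.append((e["ts"], user, device, "revoke_and_investigate"))
    return alerts


if __name__ == "__main__":
    for alert in review_enrolments(SAMPLE_EVENTS):
        print(*alert)
```

The out-of-band question to the employee is the control here; the code only makes sure every new factor on an existing account generates that question and that a denial is escalated.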
What now? What next?
Attacks similar to those launched against SolarWinds and its clients are very likely to happen again. They probably already have and are ongoing.
We can benefit from FireEye’s disclosure and see it as a call for a more realistic view, in which security remains a balance of cost, control and convenience, and 100% security is never possible, however you balance things.
Every organisation is going to have its own way of handling threat mitigations but our general advice is to use multi-factor authentication, if you don’t use it already.
Reconsider classifying information (such as using Classified/Sensitive/Public labels) according to where it’s stored. Information in the cloud is riskier, in terms of disclosure, than on an internal server or even a disconnected hard disk. Not every system has to be connected to the internet, even though the industry has tried its best to make that desirable. And bear in mind:
- Not every security product is equally effective. However, it’s possible to build a secure environment using most of the popular ones, with care and understanding.
- Don’t just trust the products. Trust and train your team.
- Don’t let fear paralyse you into doing nothing – either business or security. Threats have always existed. Learn to co-exist.
SolarWinds breach timeline
8th December 2020 – FireEye reports breach and theft
Security firm FireEye reported that its systems had been breached by state-sponsored hackers and that its offensive security (red teaming) tools had been stolen.
13th December 2020 – FireEye announces breach
FireEye discloses the “global intrusion campaign,” claiming to have discovered that attackers had Trojanised SolarWinds Orion business software in order to distribute malware now known as ‘Sunburst’. The campaign is code-named UNC2452.
13th December 2020 – Cybersecurity and Infrastructure Security Agency issues Directive
The US Department of Homeland Security issued a directive to agencies to forensically examine systems and then disable specific versions of SolarWinds Orion. It noted that agencies should, “Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.”
15th December 2020 – The Wall Street Journal names some attack victims
Victims named include the National Institutes of Health; the Department of Homeland Security; the State Department; and the US Commerce and Treasury Departments.
31st December 2020 – Microsoft announces breach of its own systems
Denying that any customer data was accessed or services were affected, Microsoft acknowledged that SolarWinds-related malware was found in its “environment” and that an attacker had viewed some of its source code.