The Cybersecurity and Infrastructure Security Agency confirmed this week in a letter that better cyber hygiene – specifically, blocking SolarWinds Orion servers from outbound internet traffic – could have helped prevent the supply chain attack. But cybersecurity experts say that alone would not have protected organizations from being infiltrated.
CISA was responding to Sen. Ron Wyden, D-Ore., who in February asked about the supply chain attack and why the federal government’s Einstein intrusion detection system failed to catch it. In the CISA response, details of which were first reported by Reuters, the agency agreed that blocking the Orion servers’ outgoing connections to the internet would have neutralized the SolarWinds malware. However, while CISA said it did observe cases in which blocking Orion servers from the internet was successful, doing so “does not apply to all intrusions and may not even be feasible given operational requirements for some agencies.”
Indeed, security pros point out the sprawl of per-server firewall policies that such an approach requires at the network perimeter. Oliver Tavakoli, CTO at Vectra, said that configuring a custom egress policy for each server on the network would require a substantial investment in human and technical capital to create and maintain.
“While the lack of simple cyber hygiene can often be blamed for a crucial stage of an attack succeeding, hindsight is almost always 20/20,” he said.
“Such an investment needs to be considered in the context of the overall investments in cybersecurity that an organization makes and CISA’s response makes this point clear,” Tavakoli said. “So sure – lock down your internet-facing firewall policies, implement better network segmentation and, most important, move your detection and response capabilities to the interior of the network where most of the actions performed by attackers are actually visible and more difficult to hide.”
Tavakoli added that it is not possible to block all outbound connections from all servers. Servers may need to make outbound connections to operate correctly, and, as noted in the CISA response, the Orion servers need to make some connections back to SolarWinds’ support networks as a normal part of their operation.
“So had the firewall policy for the Orion server been restrictive – only allowed outbound connections to SolarWinds' support network – the download of the second stage of the malware would have failed,” Tavakoli said. That "doesn’t mean the attackers wouldn’t have found another way to establish a footprint inside the target environments – just that this particular vector would have been stopped.”
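As an added illustration, not code from the article, CISA or SolarWinds, the following Python models the restrictive egress policy Tavakoli describes: a default-deny allowlist for a management server, evaluated over constructed connection records of the kind an interior sensor or firewall log would produce, plus a rendering of the same policy as nftables rules. The allowlist labels and address ranges are placeholders (RFC 5737 documentation addresses), not SolarWinds’ real support network; the Orion host address, the resolver address and every log line are constructed for the example.

```python
"""Default-deny egress allowlist for a management server, checked over
constructed connection records. Added example; hostnames, addresses and log
lines are placeholders, not real SolarWinds infrastructure."""
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist: the only destinations the server legitimately needs.
# label -> (CIDR, port). RFC 5737 ranges stand in for the vendor's network.
ALLOWED_DESTINATIONS = {
    "vendor-support.example.invalid": ("192.0.2.0/24", 443),
    "vendor-updates.example.invalid": ("198.51.100.10/32", 443),
    "internal-resolver": ("10.0.0.53/32", 53),
}

# Constructed records: timestamp, src, dst, dport, hostname seen (TLS SNI or
# DNS name; "-" if none). 10.10.5.20 plays the Orion server.
SAMPLE_LOG = """
2021-03-01T10:00:01Z 10.10.5.20 198.51.100.10 443 vendor-updates.example.invalid
2021-03-01T10:00:07Z 10.10.5.20 10.0.0.53 53 -
2021-03-01T10:03:14Z 10.10.5.20 203.0.113.77 443 c2-stage2.example.invalid
2021-03-01T10:04:00Z 10.10.5.20 192.0.2.44 443 vendor-support.example.invalid
2021-03-01T10:05:00Z 10.10.5.20 192.0.2.44 22 -
2021-03-01T10:06:00Z 10.10.5.20 198.51.100.10 443 c2-stage2.example.invalid
"""


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    dport: int
    hostname: str


def build_policy(allow=ALLOWED_DESTINATIONS):
    """Turn the allowlist into (network, port, label) tuples."""
    return [(ipaddress.ip_network(cidr), port, label)
            for label, (cidr, port) in allow.items()]


def evaluate(conn, policy):
    """Default-deny check. Returns (verdict, reason)."""
    addr = ipaddress.ip_address(conn.dst)
    for net, port, label in policy:
        if addr in net and conn.dport == port:
            # Permitted address and port but an unexpected name: treat as a
            # deny so that a hijacked or fronted range still gets flagged.
            if conn.hostname not in ("-", label):
                return "deny", f"hostname {conn.hostname} does not match {label}"
            return "allow", label
    return "deny", "destination not in egress allowlist"


def parse(lines):
    """Parse the space-separated records above into Connection objects."""
    out = []
    for line in lines.strip().splitlines():
        ts, src, dst, dport, host = line.split()
        out.append(Connection(ts, src, dst, int(dport), host))
    return out


def audit(lines, policy=None):
    """Evaluate every record; returns (Connection, verdict, reason) tuples."""
    if policy is None:
        policy = build_policy()
    return [(c, *evaluate(c, policy)) for c in parse(lines)]


def denied(lines):
    """dst:port of every record the policy would have blocked."""
    return [f"{c.dst}:{c.dport}" for c, verdict, _ in audit(lines)
            if verdict == "deny"]


def nft_rules(policy=None, chain="orion_egress"):
    """Render the same allowlist as an nftables output chain (policy drop)."""
    if policy is None:
        policy = build_policy()
    lines = [
        "table inet filter {",
        f"  chain {chain} {{",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for net, port, label in policy:
        proto = "udp" if port == 53 else "tcp"
        lines.append(f"    ip daddr {net} {proto} dport {port} accept  # {label}")
    lines += [f'    log prefix "{chain}-drop " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for conn, verdict, reason in audit(SAMPLE_LOG):
        print(f"{conn.ts} {conn.dst}:{conn.dport} {verdict:5} {reason}")
    print(nft_rules())
```

Two details matter in practice. First, the policy allows DNS only to the internal resolver, yet the resolver still reaches the internet on the server’s behalf, so egress filtering alone does not cover name-based beaconing; that traffic has to be caught by logging and monitoring the resolver, which is exactly the interior visibility the experts above argue for. Second, the check treats a permitted address used with an unfamiliar hostname as a denial rather than an allow, so a sensor feeding these records would surface a hijacked or fronted destination instead of silently passing it.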
Chris Grove, technology evangelist at Nozomi Networks, added that while cyber hygiene plays a role both in resisting attacks and in being resilient after a breach, it is a bit far-fetched to say that it would have prevented a SolarWinds-style assault.
“Like real world hygiene, it’s a good practice and eliminates common, day-to-day threats,” Grove said. “However, we must still plan for the inevitable, and knowing that Einstein is only focused on the perimeter shows a gaping hole in resilience planning. The interior of the network needs to be monitored for anomalies, known attacks, and to track the myriad devices that exist. Putting all of our eggs in the Einstein basket is too great a risk to continue, so I agree with the sentiment that increased monitoring within government networks needs to happen.”
Tavakoli added that the industry needs to take a holistic approach rather than look for a silver bullet. For example, he thinks it is unrealistic to expect that Einstein could pick up a zero day – that is, a vulnerability or attack tooling never seen before, for which no indicators yet exist.
“The issue here is that we’re relying on a data source – network traffic leaving federal networks – which is pretty ill-suited to finding such novel attacks,” he said. “Utilizing more data sources deeper inside the environments is the way to flip the script.”