Haunted by the far-reaching implications of the recent supply chain attacks, software company executives have ordered sweeping new assessments of their products, looking for any signs of suspicious activity, code anomalies, or exploits that could deal them a similar fate.
If or when more attacks are uncovered, end-user organizations will need to apply the lessons learned from recent attacks that used SolarWinds and potentially other avenues to infiltrate networks, taking swift and decisive action, infosec experts agreed in a series of interviews with SC Media.
"Companies large and small alike are going back and looking through their environments and their processes,” said Jerry Davis, founder of risk management firm Gryphon X, LLC and former chief information security officer at NASA and the U.S. Department of Education. “No one wants to be patient zero.”
Indeed, Malcolm Harkins, chief security and trust officer at Cymatic, described a scenario that he said has been playing out among various tech vendors: “Post-SolarWinds, the CEO or the board says, ‘Hey, could we experience something like this where our technologies are used as the attack vector to our customers?’”
And the answer will often be yes, he said, as the coordination between software companies' information security teams and product security teams are typically infrequent or less productive than they should be, with security neglected during development.
But now, with SolarWinds serving as a wake-up call, executive leaders suddenly have a renewed interest in assessing their code, products and systems for risk.
Hard reality check
Companies are “going to presume that they can be weaponized in the same fashion” as SolarWinds, Harkins explained. “So you start scanning, you start looking through key systems with administrative access, you start looking through all these things. And then you go, ‘Oh shit. We found a couple of issues.'”
Eclypsium, for one, does not use SolarWinds; but the device security company immediately notified customers of steps it was taking to ensure its own infrastructure and that of its partners was secure, said Eclypsium CISO Steve Mancini.
Mancini advised companies to “take this as a life lesson, take this as a shot over the bow, and do those internal threat assessments and shore up where you can any gaps that you may uncover.”
Of course, there can also be unexpected repercussions from performing these threat assessments. One expert suspects that a recent cyberattack may have been the result of a SolarWinds-inspired product or code assessment, suggesting that the victim company could have uncovered signs of an intrusion, causing the malicious actors to strike back.
Last week infosec company SonicWall revealed that it suffered a coordinated cyberattack after malicious actors breached its network via a zero-day vulnerability in the company’s own Secure Mobile Access (SMA) solution. Though he has no inside information to confirm this, Harkins said one plausible scenario is that SonicWall may have discovered the intrusion while examining its products for potential SolarWinds-type threats, thereby causing the perpetrators to react.
“I would bet money something like that is what occurred,” said Harkins, rationalizing that an attacker would otherwise stay under the radar and use that same bug to compromise as many of the company’s customers as possible.
SC Media reached out to SonicWall, which continues to decline comment at this time.
While not outright dismissing the notion, Davis and Mancini were less convinced of Harkins’ theory. But even if it does not hold up, companies that are busy scanning their systems and reviewing their source code in response to the SolarWinds attack may want to steel themselves for this exact kind of situation.
“As you start pulling those strings, the bad guys who were in your systems are watching,” said Harkins. “They see you're pulling those strings. And how do they cover it up? They muddy the waters and make it look like an attack against you. It's like I murder somebody and then I torch the place so that it looks like a fire and ruin the crime scene.”
If, indeed, scores of software vendors are carefully poring over their code as we speak, one very well could discover that they are the next SolarWinds. When that happens, these companies and their end-user organizations are going to have to act fast and make some tough calls.
“I believe more than a handful of places have probably been compromised over time,” said Davis. “I think this probably goes back a little ways – how far I don't know, but SolarWinds is probably not the starting point."
Should a significant vulnerability emerge, customers will need to immediately apply recommended mitigations and start looking through logs for suspicious activity or network changes during the time period corresponding with the software’s compromise. As Harkins put it, “you paint a window of time that you're going to look at,” well beyond what the vendor even recommends.
From there, Davis said that users of affected software “have to figure out a way to reconstitute their environment, and rebuild trust… by essentially rebuilding the entire infrastructure, piece by piece.”
Indeed, a lot of of SolarWinds customers shut off Orion from their environments, "tearing systems down to bare metal to rebuild," Harkins said. But such a strategy does little good if attackers already infiltrated the network.
Moreover, ripping out a device isn’t always feasible, said Mancini, because “none of these devices operate in isolation. If you pull something [out] like this, there could be upstream and downstream consequences.” In his mind, applying mitigations and “maybe putting some additional detection focus in that space would have been a more reasonable control and play."
SonicWall customers may be facing some of these decisions right now, even though that incident was categorized as a zero-day exploit, not a supply-chain attack.
“If I was assessing risk at a large company with a serious investment on SonicWall, I would probably want to get my account exec and the CISO" to answer a few questions, said Mancini. ‘When was the component of code that was leveraged in the zero-day introduced into your product? Do you have a solid chain of change management that can tell you with absolute certainty that no one but you put that zero-day into play?’”
In circumstances like this, “you [the vendor] need to regain my trust by telling me that you took extraordinary measures in your investigation to ensure your product integrity,” Mancini added. If the bug was self-inflicted during the development process, that's acceptable, as every company has problems in their code. But, Mancini said, if the vendor says ‘No, we can't actually explain where that code came from,' "then they would have that SolarWinds problem.”