Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading, say cybersecurity experts that used to work in government.
And yet, those same experts acknowledge that such accusations offer an important cybersecurity lesson for businesses: organizations must ensure that their entire attack surface receives attention.
“There are a range of potential adversaries working against admins – nation states, hackers, criminal competitors – all with varying degrees of skill," said Rosa Smothers, senior vice president of cyber operations at security awareness company KnowBe4, and a former CIA technical intelligence officer. "Without addressing all components, the bad guys will find your network’s Achilles heel.”
Criticism unfair and unfounded?
The premise that election security efforts diverted attention and funding away from other federal cyber initiatives – thereby helping the SolarWinds attack go unnoticed as thousands of corporations and government agencie were compromised – was brought up last weekend in a New York Times article that cited comments from unnamed investigators.
“The government’s emphasis on election defense, while critical in 2020, may have diverted resources and attention from long-brewing problems like protecting the ‘supply chain’ of software,” said the report. “In the private sector, too, companies that were focused on election security, like FireEye and Microsoft, are now revealing that they were breached as part of the larger supply chain attack.”
Multiple experts who spoke to SC Media said that the criticism was unfair.
“This is an ‘apples and oranges’ comparison,” added Smothers. “The role of managing an IT network is an entirely different role than monitoring our adversaries’ offensive cyber operations. In other words, those charged with monitoring Russia’s ops aren’t the same people implementing SolarWinds products on government networks.”
John Caruthers, business information security officer at Evotek and a former supervisory special agent at the FBI, similarly objected to the accusation. “Since 2016, the U.S. intelligence community has established election task forces, staffed with dedicated personnel, across the country to specifically address and investigate election fraud,” he said. “All the while, teams of investigators and analysts have continued working their respective threats, to include those emanating from Russia and other nation states. I can’t speak on behalf of our private-sector partners but, based on experience, can confidently assume they were and are working diligently to identify threats from all sources.”
For that matter, it’s currently not even the government’s official responsibility to protect the software supply chain. Portions of the government have a responsibility in securing critical infrastructure, including the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. "But it's not their role to reach down in and make sure that supply chain from soup to nuts is secure,” added Austin Berglas, former FBI special agent in New York and global head of professional services at BlueVoyant.
Still, a lesson to be learned
Even if the extra attention dedicated toward election security didn’t actually distract federal agencies and cybersecurity firms from other threats, the mere suggestion poses an important question for companies: Can neglect of portions of the attack surface essentially create soft targets for threat actors?
After all, just as water flows through the path of least resistance, attackers often go where the defenses are weakest.
“Nation-states have the resources and technical aptitude to allow for patience and will spend weeks and months looking for holes in your network to establish a foothold,” said Caruthers. “Yes, nation-state attackers will find where the defenses aren’t present… Businesses that focus on one particular threat and ignore the rest will be positioned to be a soft target, which equates to a much higher risk posture.”
Indeed, there are plenty of examples where adversaries launch an attack as an intentional misdirection or smokescreen, simply to divert attention from their actual objective. “I've seen instances where bad guys DDoS an organization, send massive amounts of zombie communications… and knock their online banking platform offline,” said Berglas. “The limited IT resources of that financial institution scramble to mitigate that DDoS attack, and then… the bad guys come around and exploit a vulnerability” that was the true target all along.
In other words, “If you have a problem in your front door and you rush all of your staff there… that could potentially leave vulnerabilities that are unaddressed.”
According to multiple experts, a common risk that public and private-sector organizations often overlook is the human element. Companies will devote the majority of their funding and resources toward firewalls or intrusion detection technology to stop attacks without addressing the employees who often unknowingly enable the incursions in the first place.
“I’m a firm believer in the ‘people, process, and technology’ model and I see too many resources directed at the technology piece,” said Caruthers. “Security is a ‘sum of the parts’ approach and that involves educated employees; documented policies, processes and procedures, and the right tooling. [But] it starts with the people.” Without employee security awareness, “policies are meaningless and tools are ineffective.”
But even when it isn’t neglected, training may not be as comprehensive as it should be: “Phishing and ransomware have become all too common, and though many companies have realized they need to implement a security awareness training program for their employees, they don’t include – or fail to utilize – social engineering testing to provide a more effective, hands-on example of phishing or other forms of social engineering,” said Smothers. “It’s great to teach the theory, but without actual practice, the threat doesn’t often register with the user.”
Third-party vendor security is another area where companies often lack investment – and this is a trend that appears to have directly contributed the SolarWinds crisis.
“It's really difficult these days, because if I'm hiring a third-party provider of a specific service, that third-party vendor is not going to allow me to do a deep dive into their network security, go inside their company and make sure that they're completely secure before signing on. It just doesn't happen,” said Berglas. “But there are ways to look externally at threats around that organization and do more due diligence around onboarding third party providers.”
With all that said, Berglas doesn’t think the Russians used election threats as a misdirection to attack supply chain. In all likelihood, they have been attacking the supply chain all along. “They've been doing it for quite some time and they will continue to do it just like they will continue to try to attack our election security.”
So what can companies do to balance how they address risk throughout all aspects of their organization? Just as they don’t want to focus all their attention on one problem such that others are neglected, they also don’t want to spread themselves out too thin and try to fix everything at once.
It’s a matter of prioritization and defense in depth, said the experts.
First, prioritization: “It's the basic tenant of securing what needs to be secured first – understanding what is the most sensitive information inside your organization, what information that if lost, damaged or stolen would cause irreparable harm to your company,” said Berglas.
After this initial assessment of current cyber posture and risks, companies should create a roadmap on remediation that is budgeted into the quarterly financials. Even if certain assets are prioritized over others, layers of protection ensure that even deemphasized areas receive some attention.
“It's like the castle, the moat and a drawbridge, and the alligators in the moat scenario,” said Berglas. “The storming troops… have to cross the moat that have killer alligators in there and have to get [over] the drawbridge and beat the archers.”
“There has to be layers of defenses that the bad guys have to get through," he added.
Caruthers suggested this implementation strategy: Choose a cybersecurity framework (NIST, CIS20, MITRE ATT&CK, etc.) that will help drive your security strategy. Identify your company’s risk appetite, which acn be documented in a risk register. Hire an outside firm to conduct a security assessment of the enterprise.
"This will entail all departments and leaders being interviewed and will require you to check your ego at the door," Caruthers said. "Once you know your vulnerabilities and combine those with your risk register, you’ll then be able to determine what internal resources can manage certain threats and where opportunities to outsource are present.”