
SolarWinds: A devastating lesson in third-party vendor vulnerabilities

The Department of Commerce was one of many agencies and companies attacked worldwide by Russia’s APT 29 via SolarWinds Orion servers. Today’s special columnist, Kelvin Coleman of the NCSA, offers some analysis and practical advice for security pros.

Photo: Tim Evanson, Creative Commons Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0).

Although the true scope of the SolarWinds attack has not been fully uncovered, there’s no doubting the level of sophistication required to carry out these attacks on numerous government agencies, including the US Treasury, the Commerce Department and the Department of Homeland Security.

Considering how long the intrusion went undetected, the amount of coverage we’re seeing in the mainstream media and the level of concern coming out of the intelligence community are no surprise. As details emerge – almost in real time – we’ll gain better clarity on the logistics, tactics and motivations behind the incident. In the meantime, we can only speculate.

Chances are, we’re far from fully seeing the fallout from the SolarWinds incident. But to understand why SolarWinds was attacked, we have to first identify what makes it attractive to bad actors.

First, SolarWinds works with about 85 percent of Fortune 500 companies, 10 of the top US telecoms, the top five US accounting firms, hundreds of universities and colleges worldwide, all five branches of the US military, the Pentagon, the State Department, the NSA, and NASA.

They are just a massive target.

While some may criticize the complacency of these organizations in relying on the same vendor, the sheer scope of industries affected by this hack – education, government, finance, communications – compares to attacks like WannaCry and NotPetya. And although there are already plans to patch and mitigate unauthorized access to these troves of sensitive data, the damage has already been done. The timeline for the attack indicates that attackers have likely been able to use global admin privileges to access data troves from all of these public and private organizations since this past spring, meaning they have had ample time to access, collect and steal critical, sensitive data for months while going undetected.

The second piece of the puzzle lies in the nature of a supply chain attack. While security pros consider the SolarWinds attack more sophisticated than anything we’ve seen in the past, the approach itself lets threat actors damage their targets and reach multiple systems at the same time. It’s low-cost and high-impact, and in this case SolarWinds was the bridge between the foreign actors and the hundreds of thousands of targets the Sunburst backdoor reached. The compromised software – in this case, a malware-laced update introduced through SolarWinds Orion products – thus became a single disruption point for all of the companies that thought they were installing and updating verified software.

How to minimize the risks of supply chain attacks

In reality, there’s virtually no company that doesn’t use outside service providers to help enhance their IT functionality, security measures, and other protocols. Although there’s no silver bullet for preventing these attacks, often the right measures are relatively low-tech and boil down to vigilance and careful monitoring. In fact, even something as simple as ensuring that all internal devices have multi-factor authentication enabled and that critical devices aren’t accessed by third parties can stop a supply chain attack in its tracks.

Because most supply chain attacks happen through third-party providers, it’s critical to have proper oversight and assessment of all outside vendors to determine risk. Organizations need to have a strict vetting process in place and ask a potential third-party partner the right questions. For example, is the provider adhering to strict compliance regimes such as the Health Insurance Portability and Accountability Act (HIPAA), International Traffic in Arms Regulations (ITAR) and the Payment Card Industry Data Security Standard (PCI DSS)? How does it handle incident response?

Businesses should also make sure that there are adequate controls for vendor access, an internal response and mitigation strategies for when a breach does occur, and a comprehensive education policy in place for employees who are tasked with updating IT frameworks internally.

There’s no clear sense of the real motivations behind the SolarWinds attacks. Did the nation-state actors take advantage of America’s preoccupation with election security ahead of a pivotal presidential race? We don’t know for sure, but without a unified government response, the continued pursuit of attribution and remediation, and an overhaul of the way our infrastructure prepares for and responds to these threats, this could very well signal that our doors are open to one and all. Hopefully we can shut that door as quickly as it was forced open.

Kelvin Coleman, executive director, National Cyber Security Alliance
