Lessons from SolarWinds breach reveal why future supply chain attacks are hard to prevent

15 February, 2022
The lessons from the massive cyberattack that befell US IT management solutions provider SolarWinds continue to reverberate more than two years after it happened, continuing to serve as a warning that organisations need to remain vigilant amid an increase in global hacking campaigns.

The reality, however, is that future supply-chain attacks cannot be stopped because there is no way to tell if and when an organisation has been or would be breached until it may be too late, just as in SolarWinds' case, said Peter Firstbrook, a research vice president at Gartner.

"Nobody's going to convince me that there's a checklist or something you could've done before the SolarWinds attack that would've prevented your organisation from buying the SolarWinds product and installing it in your network," Mr Firstbrook said at the research firm's Security and Risk Management Summit on Monday.

"There really isn't a good example of making one think, 'you know what, these guys may be infected in the future, therefore, I think, we shouldn't buy this very powerful and very useful utility and put it in our network'. The security person who said that would get laughed at in the room."

A supply-chain attack uses a supplier to attack its downstream customers: a company can be compromised so that its own customers are affected, or an organisation upstream of you can be infected and used as the path into your organisation.

SolarWinds was among a number of companies breached in the wide-scale cyber attack that came to light in December 2020 after going undetected for a year. The attack still reverberates today, and the threat of similar supply-chain attacks is expected to grow further.

In what is considered one of the worst cyber espionage cases in history, the attackers exploited software credentials from SolarWinds and other US companies, including Microsoft and VMware, and used them to infiltrate several American federal departments, while also affecting global organisations such as the UK government, the European Parliament and Nato.

Tim Brown, the chief information security officer of Texas-based SolarWinds, told The National last October that the company recovered well in the aftermath of the cyber attack and said its experience should serve as a warning to other companies.

Mr Firstbrook said due diligence should still be done, but the chance of spotting a potential breach implant is extremely low.

"You should be prepared to respond. Nation state attacks show where the market and adversaries are going: whatever nation states do this year, you can assume that the ransomware authors will be doing next year."

He discussed a number of key points that organisations need to keep in mind and put in place that can help mitigate — if not totally prevent — cyber breaches.

Always 'assume breach'
Having the mindset of "assume breach" — a concept that assumes an attack will happen or has happened — is the only valid approach to cyber security, Mr Firstbrook said.

In the SolarWinds debacle, hackers were in very sophisticated organisations such as FireEye, Mimecast and Microsoft for up to nine months and these companies had no idea.

"We always have to assume that there’s something going on and we haven’t found it yet, [just like the] concept of zero trust, wherein you trust nobody until they verify who they are," he said.

You can't just buy 'security'
Having the most popular and most expensive security tools is never enough to safeguard your infrastructure; policy, procedure and smart operators are critical to an effective security programme. FireEye was the first to publicly announce the SolarWinds breach after one smart operator used multi-factor authentication to try to verify suspicious activity.

"Despite all of the tools they had, the one thing that caught the infection and started the clean-up operation was a smart operator who was following organisational procedures," Mr Firstbrook said.

Identity and access management systems are clearly a rich target
Attackers today increasingly use stolen credentials to game the credential system and move laterally with impunity; because they look authentic, they escape detection.

Mr Firstbrook said while most organisations do think of their identity infrastructure and spend huge amounts on it, they tend to overlook those who are able to access it.

"Most are focused on letting the good guys in, but very few focus on how to secure this 'Tower of Babel' infrastructure. Once data has piled up over the years, how do you know who's who?"

APIs, often ignored, are now bigger targets
IT infrastructure has a so-called perimeter that must be defended, and today identity is that perimeter, to be treated the way firewalls once were.

However, the perimeter that organisations are missing is that identity isn't just about people; it also covers devices and things, as machine identity becomes more important.

In the SolarWinds breach, attackers gained access to a security provider's environment, which in turn had access to the Microsoft Office 365 environment. They obtained the keys for that vendor's application programming interface and used them to attack its customers' environments.

"Every application is a collection of APIs [Application Programming Interface], and yet in most organisations I ask who’s in charge of API security, there are blank stares around the table," Mr Firstbrook said, pointing out the lack of accountability in machine identity.

Configuration is as important as quality
Many organisations have a broad portfolio of best-in-breed security tools, but if the people who installed those tools have left, the new staff operating the systems may not know what has been done that could potentially compromise the infrastructure.

Mr Firstbrook recommends that systems be configured and tuned at least annually to ensure system credibility.

However, "the best authority for configuration and guidance are the vendor themselves; work with them to make sure systems function as expected", he said.

Privileged servers must be profiled
Privileged servers, those which grant special access to certain users, are perfect targets for attacks because they can be exploited for purposes other than legitimate ones.

Mr Firstbrook said administrators should know what these privileged users are going to do with the information accessed and how they behave while accessing them.

"There are tools that can profile these servers, assign some parameters on how it behaves and find out why they do things they're not supposed to do. If there is any anomaly, an alert can be triggered."
Source: www.thenationalnews.com