We still don’t have a complete picture of what exactly happened during the SolarWinds attack in 2020, nor do we know the full extent yet of the damage or what the long-term impact may be. However, imagine how much less we would know – and how much more vulnerable the world would be – if private security firm FireEye had not come forward to report the attack after discovering its own systems had been infected.
That scenario was at the heart of the U.S. Senate Select Committee on Intelligence hearing held on Feb. 23. SolarWinds CEO Sudhakar Ramakrishna, FireEye CEO Kevin Mandia, Microsoft president Brad Smith and CrowdStrike CEO and President George Kurtz appeared as witnesses to discuss the novel March 2020 attack, which many believe to be the work of nation-state attackers who compromised identities and manipulated privileged access to pull off a massive, targeted digital supply chain attack that potentially compromised thousands of government and private sector entities.
Through hours of testimony and questioning, two things came to the fore:
1. Today, there is no federal legal obligation for private organizations to report intrusions to the government. Even when an unauthorized party has reached an organization's most sensitive data and assets, nothing requires the victim to notify federal agencies. Two changes are needed: mandatory reporting, and streamlined communication between the government agencies that would receive those reports.
2. Federal government agencies and departments are frequent targets for nation-state attackers. Whether the goal is to compromise sensitive government data, steal personally identifiable information (PII) or disrupt operations, the sophistication of such attacks makes it increasingly difficult to safeguard critical cyber infrastructure. The challenge is compounded by the government's limited resources, limited visibility into threats and lack of standardized security processes. There is broad consensus that a new approach to cybersecurity is needed, one grounded in Zero Trust.
Transparency is the Way Forward
Nation-state attackers are well-funded, highly organized, incredibly sophisticated and extremely patient, and in most cases they will find a way inside no matter how strong an organization's defenses. In his first public testimony on the incident, Ramakrishna made clear that the principle of least privilege had not been applied to the Orion platform, which put its customers squarely in the cross hairs. Explaining why Orion was targeted, he said, "When you gain access to the Orion platform you gain administrative privileges to the Windows servers that the Orion platform is running on – and so, if you were to run that with lower privileges, even if an attacker were to gain control, they won't be able to do as much damage because you're a regular user and not an administrator of that network."
Generally speaking, preventative controls that consistently enforce least privilege buy an organization invaluable time: an attacker who lands as a regular user rather than an administrator must escalate privileges or move laterally to reach anything of value, and those noisier techniques are what expose their presence.
Witnesses referred repeatedly to the sophistication of this attack. The SolarWinds attackers were extremely careful not to raise traditional red flags, which made the attack harder to detect and its reach harder to determine. They leveraged U.S.-based infrastructure, which fell outside the foreign-focused visibility of U.S. intelligence agencies and so allowed them to avoid immediate detection. Additionally, they impersonated users who already held the specific access they needed and avoided the use of domain admin accounts to further decrease the chance of detection.
The hearing brought to the surface the need for higher levels of security and cooperation across the public and private sectors, and a call for greater transparency in cyber attack reporting. Witnesses argued that a confidential disclosure program would protect a reporting company's reputation while improving cybersecurity at both the federal and private level.
A step in the right direction: just a few days before the hearing, the White House previewed executive action. Anne Neuberger, deputy national security advisor for cyber and emerging technology, said in a press briefing that the government is "working on close to about a dozen things. Likely, eight will pass to be part of an upcoming executive action to address the gaps we have identified in our review of this incident."
Cyber Hygiene for All
SolarWinds shed light on the far-reaching impacts of supply chain attacks, and the need for a proactive approach to security. By adopting an "assume breach" mindset, government agencies and private organizations can enforce multiple layers of security, so that risk is reduced at every stage of an intrusion rather than at the perimeter alone. This layered approach, known as defense in depth, pairs naturally with Zero Trust principles: no user, device or workload is trusted by default, and each is granted only the access it needs. It comes down to three things:
1. Working to make sure your organization's own internal infrastructure is secured, and that attention is focused on preventing attackers from reaching their end goals. This includes securing access to Tier 0 systems (domain controllers, identity providers and the other assets that control the environment).
2. Protecting development environments, including the CI/CD pipeline, whose compromise was the critical first phase of the SolarWinds attack. Important proactive steps include validating the integrity of all code and builds, securing access to highly privileged pipeline orchestrators and infrastructure managers, and enforcing just-in-time access policies in these highly automated environments.
3. Focusing on bolstering the security of customer-facing products and services, with a critical eye on the security practices and stability of digital supply chain partners.
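The build-integrity step in item 2 is the one a practitioner can mechanize directly, and it has a caveat worth making concrete: the SolarWinds implant was compiled into an otherwise legitimate build that the pipeline then signed, so a signature on the pipeline's own output cannot catch tampering on the build host. What can catch it is a bit-for-bit comparison against an independent rebuild of the same tagged source on separately administered infrastructure. The following Python script is an added example, not code from SolarWinds, from the hearing or from any vendor. The source tree, the toy deterministic "compiler", the backdoor-injecting hook and the HMAC "signing key" are all constructed stand-ins; a real pipeline would sign manifests with an asymmetric key held off the build hosts and would rebuild with a genuinely reproducible toolchain.

```python
"""Reproducible-build cross-check for a release pipeline (added example).

Assumptions, all constructed for this example:
  - the build is deterministic, so identical source yields identical output;
  - a second, independently administered builder rebuilds the same source;
  - the release manifest is authenticated with a key that never lives on a
    build host.  HMAC-SHA256 stands in for that (normally asymmetric) key.
"""
import hashlib
import hmac
import json

# Constructed sample source tree for a hypothetical agent; not real product code.
SOURCE = {
    "src/agent.c": b"int main(void) { return run_agent(); }\n",
    "src/net.c": b"int send_beacon(const char *host) { return 0; }\n",
}

# Stand-in for the release signing key (hypothetical value).
SIGNING_KEY = b"example-release-signing-key"


def build(source, compiler_hook=None):
    """Toy deterministic compiler: each .c file yields a .o whose bytes are a
    digest of the source handed to the compiler.  compiler_hook models a
    compromised build host that rewrites source on its way into the compiler,
    so the tampered binary still comes out of the legitimate pipeline."""
    outputs = {}
    for path, code in sorted(source.items()):
        if compiler_hook is not None:
            code = compiler_hook(path, code)
        obj = path.replace("src/", "build/").replace(".c", ".o")
        outputs[obj] = hashlib.sha256(b"compiled:" + code).digest()
    return outputs


def manifest_for(artifacts):
    """Per-artifact SHA-256 hex digests keyed by output path."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in sorted(artifacts.items())}


def _canonical(manifest):
    # Canonical JSON so that signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=SIGNING_KEY):
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key=SIGNING_KEY):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def divergent_artifacts(release_manifest, rebuild_manifest):
    """Paths whose hash differs between the release build and the independent
    rebuild, plus any path present in only one of the two."""
    paths = set(release_manifest) | set(rebuild_manifest)
    return sorted(p for p in paths
                  if release_manifest.get(p) != rebuild_manifest.get(p))


def release_is_trustworthy(release_manifest, signature, rebuild_manifest):
    """Both gates must pass: the manifest is authentic AND an independent
    builder reproduced every artifact bit-for-bit."""
    return (verify_manifest(release_manifest, signature)
            and not divergent_artifacts(release_manifest, rebuild_manifest))


def inject_backdoor(path, code):
    """Constructed model of build-host tampering: only net.c is altered."""
    if path.endswith("net.c"):
        return code.replace(b"return 0;", b"return call_home(host);")
    return code


def run_scenarios():
    """Release built on a clean host vs. on a compromised host, each checked
    against the same independent rebuild.  Returns per-scenario results."""
    results = {}
    rebuild = manifest_for(build(SOURCE))  # clean, separately administered builder
    for name, hook in (("clean", None), ("compromised", inject_backdoor)):
        release = manifest_for(build(SOURCE, compiler_hook=hook))
        sig = sign_manifest(release)  # signing happens after the build, so it blesses the tampered output too
        results[name] = {
            "signature_ok": verify_manifest(release, sig),
            "divergent": divergent_artifacts(release, rebuild),
            "trustworthy": release_is_trustworthy(release, sig, rebuild),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name}: signature_ok={r['signature_ok']} "
              f"divergent={r['divergent']} trustworthy={r['trustworthy']}")
```

In the compromised scenario the manifest signature still verifies, because the signing step saw nothing but a normal build; only the rebuild comparison flags build/net.o. That is the design point: the integrity check has to be anchored in something the build host cannot influence, and the rebuild infrastructure is itself a Tier 0 asset whose access should be governed by the same least-privilege and just-in-time policies described above.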
The testimony made clear that an attack of this precision and scale is hard to stop outright, but an "assume breach" mindset keeps organizations vigilant and focused on the weaknesses and vulnerabilities in their IT environment, especially the paths that lead to critical systems and infrastructure (that is, privileged access).
“Zero Trust” and “least privilege” may still seem like buzzwords to some, but in the wake of this hearing they will continue to be the impetus behind a push for stronger security protocols, more transparent communication between private organizations and the federal government – and, ideally, more effective ways to mitigate the risks of large-scale attacks.