In December 2020, the world discovered that the SolarWinds' Orion Platform had been compromised by cybercriminals, potentially affecting thousands of businesses the world over. Security groups such as the National Cyber Security Centre (NCSC) provided advice and guidance to security teams and IT companies on what actions they should take to minimize the impact on them and their customers.
But the Advanced Persistent Threat (APT) carries with it a worrying sub-text that requires further exploration as companies continue to tackle the ongoing issues of a global pandemic and an increasingly fatigued and remote workforce.
Knowledge is power
In the wake of the discovery of the breach, national security agencies such as the NCSC were prompt in providing advice and guidance. Using tools such as the Cyber Information Sharing Programme (CiSP), they shared technical information on how to assess if an organization was at risk and what actions they should take if they were. Following the announcement, SolarWinds provided comprehensive advice and information, which is well worth reviewing as it also provides a detailed 'FAQ' section. However, it's easy for such information to get lost in the midst of the social media hysteria and noise that tends to follow any large-scale attack.
The advice offered by the CiSP includes the following steps;
- Assess the version of the Orion platform that had been installed
- Analyze key files (ie. Solarwinds.orion.core.business.dll) for any malicious alerts
- Assess if anti-virus software had been disabled
- Assess DNS logs going back to Q1 2020
- Identify if you have 'C:\Windows\SysWOW64\netsetupsvc.dll' on any servers
The advice from the CiSP platform and SolarWinds is that all users of the SolarWinds Orion platform should consider these steps immediately. Of course, these steps should be carried out by technical staff who have experience with the SolarWinds Orion package, and if you have not already signed up to the CiSP service, I would highly recommend that you do. I say this not only because you will receive direct advice from NCSC, but other specialists can also provide advice and guidance on what to look out for as well as actions to take following any significant event. (CiSP was widely credited for assisting in the recovery of the 2017 Wannacry ransomware attack.)
Actions speak louder than words
We all know that there is no such thing as 100% secure, and as our technical and business infrastructures become increasingly complex, vulnerabilities are a known issue we must all seek to understand and protect ourselves from. Cybercriminals can create these vulnerabilities, but they could also be made through human error. The key to successfully protecting ourselves is taking pro-active action to analyze our technical environments to ensure that we can quickly identify instances of compromised software (including the Orion platform). But this step isn't something that happens once a year or that follows a major news story. All too often, we have seen systems and services come 'online' many months after a scan was performed. This means it could be months before another scan is performed, one which identifies vulnerabilities thought by the C-suite to have been fixed long ago.
The winds of change – Lessons we must learn
Large-scale incidents and events have lessons for us all, not just those they directly impact. If you have been lucky enough not to be affected by this particular event, what lessons should you take from this? Here are my thoughts:
No one is an island
Receiving reliable advice and information following an attack is vitally important, which is why the CiSP, NCSC and the Cybersecurity and Infrastructure Security Agency (CISA) in the USA are such important resources that we should be following, increasingly working with and supporting. Connecting with others in your industry or sector and working proactively sharing information is incredibly powerful, as we are the ones who are typically called in to fix everything if/when a problem occurs. We are a global village, so share your knowledge and experience to make the world a safer place.
In screens we trust
If you are PCI DSS-certified, then you'll know that the tenth requirement is to "Track and monitor all access to network resources and cardholder data." Therefore, businesses should review their logs daily to search for errors, anomalies or suspicious activity that deviates from the norm. Using tools like Tripwire Enterprise, for example, provides fully integrated solutions for policy, file integrity and remediation management that will help to reduce the likelihood of something happening on your networks without your knowledge. The idea of persistent monitoring has been with us for some time, but I feel it is still relatively under-utilized, in part by the perceived overhead in resources required to monitor logs, etc. This is why you need a mechanism for monitoring logs and systems that is intelligent enough to alert you only when the threat is real.
In suppliers we trust
As stated above, no one is an island. We must therefore trust others to provide a product or service that is as secure as possible. But there is no excuse for not completing our own forms of due diligence and review when onboarding new systems and services. There must be an aspect of security vulnerability testing undertaken in any technical project, but especially when implementing services that ultimately help to govern our technical and operational environments. Are you happy with your onboarding or procurement process? What decisions are made of the systems, products or services that are used in your organization, and what security assessments are being carried out? One method of managing this is to categorize your suppliers into 'tiers,' with each tier having a clear set of requirements. (e.g. all Tier 1 suppliers are expected to have ISO27001 in place and will be audited annually.) Further, tiers can be developed with less stringent requirements, but they should all be based on risk.
Testing, Testing, 1, 2, 3...
SolarWinds was a significant event that was widely publicized, so your C-suite is likely aware of it. I believe one of the issues many of us face is how to engage with top management, but is this because we're not testing them on real-world scenarios? Everyone in the security sector recognizes the importance of testing plans, but how often do we stress-test the C-Suite? If the only time we stress-test them is when there is a real event to deal with, how will we know how they will respond?
Use events like Wannacry, SolarWinds and others to test out your emergency management plans, as this has a dual benefit of helping to demonstrate that the controls you have in place are adequate (or not) and familiarizing the emergency management team on the processes to follow when an event occurs.
There is risk in everything we do, and there is no such thing as 100% secure. On the face of it, this sounds quite depressing, but the message is that there are lessons for us all to learn when a major incident or event occurs. We need to be pro-active. We need to share information. And we need to learn and grow.
That's how we make the world a safe place for us all.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.