Details are still emerging about the full scope and scale of the cyber-attack that targeted software vendor SolarWinds and compromised the systems of several of the largest U.S. public companies and government agencies, but the lessons it imparts on where vulnerabilities still lurk in the third-party vendor supply chain cannot be grasped soon enough.
Word of the cyber-attack—suspected to have been perpetrated by Russian hackers—came on Dec. 8, when cyber-security firm FireEye disclosed it had been hacked by “a highly sophisticated state-sponsored attacker.” The hackers “operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past,” FireEye said.
The cyber-attack traces back to third-party network management software vendor SolarWinds: hackers implanted malicious code within a software update to SolarWinds Orion products, which allowed them to gain a foothold in the network and obtain elevated credentials, according to Microsoft’s analysis of the attack. Once implanted, the software connected to a server controlled by the hackers, allowing them to launch further attacks against SolarWinds customers and steal their data.
Among its more than 300,000 customers, SolarWinds said in a Dec. 14 regulatory filing it believes “fewer than 18,000” customers may have installed the Orion products that contained this vulnerability. In that same regulatory filing, SolarWinds said its Microsoft Office 365 e-mail and office productivity tools had also been compromised.
The vulnerability was installed in updates first released in March, but a federal agency document indicates the hackers wormed their way into the system as far back as a year ago. The potential scale of the breach is alarming, given that SolarWinds’ customers include 425 of the Fortune 500 companies, 10 of the top U.S. telecoms, the top five U.S. accounting firms, hundreds of universities and colleges, and several federal defense agencies.
The SolarWinds cyber-attack is far from an isolated incident. According to its 2020 Digital Defense Report, Microsoft said it “delivered over 13,000 notifications to customers attacked by nation states over the past two years and [has] observed a rapid increase in sophistication and operational security capabilities. FireEye’s recent disclosure is consistent with the attacks that we’ve observed.”
U.S. federal agencies’ systems were also compromised in the attack, forcing the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks. In the private sector, those that are particularly vulnerable are defense contractors, tech companies, telecoms, banks, and more.
The proliferation of nation-state cyber-attacks like this one, and the fact that hackers are only getting more sophisticated in the methods they’re using, highlights a critical need for the private sector and governments to share threat activity with one another, cyber-security experts say. As Microsoft stated, “It requires policymakers, the business community, government agencies and, ultimately, individuals to make a real difference, and we can only have significant impact through shared information and partnerships.”
Aside from the need for better information-sharing techniques between the public and private sector, “Answering the question, ‘what could we have done differently?’ is kind of elusive right now,” says Dan Petro, lead researcher at Bishop Fox, a cyber-security consultancy. It’s likely this will result in greater scrutiny of third-party providers, he says.
“Perhaps greater visibility into what companies actually do to maintain security might be something that we insist on after this kind of event,” Petro adds. That said, nothing points to negligence on the part of SolarWinds. Until we know more about the initial intrusion, it’s hard to conclude what could have been done differently, he says.
That said, the SolarWinds cyber-attack serves as a dire warning about the need to be constantly vigilant about the threats that lurk deep within the third-party vendor supply chain, and that starts with basic cyber-security hygiene. At the very least, companies should ensure they take the following measures to fortify their own cyber-security practices:
Gather the facts immediately. FireEye, Microsoft, SolarWinds, and CISA have each shared information for security industry practitioners to use to find and mitigate potential malicious activity relating to the SolarWinds cyber-attack. FireEye, for example, said it has developed more than 300 countermeasures for its customers and the security community at large to use to minimize the potential impact.
Reevaluate your cyber-security hygiene. Companies of all sizes should “make sure they understand where their data lives, if the data is classified, if the right access controls are in place, and that strong tools for auditing and anomaly detection are put into effect,” says Kunal Anand, chief technology officer at Imperva. “Security teams need to know where their data is at all times across all environments, how it is used, and who has access to it in order to apply the appropriate controls.”
Don’t ignore Nth parties. “Software supply-chain risk is far from a new concept,” Anand says. “Over the last decade we’ve seen many instances of what happens when the supply chain is tampered with and subsequently tainted. What makes this problem intractable is that every business, whether they acknowledge it or not, relies on a software supply chain for both homegrown and third-party applications.”
As the SolarWinds hack illustrates, it’s not just the third-party application itself that can pose a cyber-threat to companies. “It’s all the components that go into delivering, running, and verifying the application function, including services and components that interact with it,” Anand says.
At its core, the SolarWinds cyber-attack shines a glaring spotlight on the deepest parts of the third-party vendor supply chain that companies typically ignore in terms of due diligence. “A company may have the best security controls in the world, but it doesn’t mean their vendors across their software supply chain do,” Anand says. The SolarWinds cyber-attack highlights the importance of having proper oversight over not just first-tier vendors, but also vendors’ vendors—so-called Nth parties.
Leverage technology. In order to uncover vulnerabilities and cyber-threats that are embedded in the deepest layers of the third-party vendor supply chain and mitigate attacks that rely on covert methods like those used in the SolarWinds attack, companies need to harness the power of artificial intelligence, says Jennifer Bisceglie, CEO of supply-chain analysis firm Interos. That is to say, companies need to leverage tools that allow for “forward-looking operational resilience,” she says, where you’re mapping out the larger, extended third-party supply chain down to Nth parties in real time and continuously monitoring those suppliers. Such capabilities simply aren’t feasible at scale through manual, human-driven processes, Bisceglie says.
There is no silver bullet solution for fully preventing sophisticated, nation-state cyber-attacks like the ones that victimized SolarWinds and its customers. A good starting point is increasing information-sharing between the public and private sectors, adopting AI technologies that can map and monitor the entire third-party supply chain ecosystem in real time, and following best practices in the cyber-security space, like the latest guidance from the National Institute of Standards and Technology (NIST). Additionally, this document from NIST provides a helpful list of cyber-security questions to ask to determine the vulnerability level of your suppliers’ cyber-security practices.