SolarWinds, Part One – Supply Chain

Eric Lansbery

The scope of the SolarWinds supply-chain attack continues to expand. Over the last two months, we’ve learned about a variety of related incidents occurring throughout several industries and organizations. As a member of any organization, whether you’re an analyst or a business leader, it can be increasingly difficult to keep up with the intelligence feeds while forming a complete, proactive remediation strategy based on the information presented. This three-part series will consider ongoing organizational challenges resulting from the active SolarWinds supply-chain attack, and how we can be more proactive in mitigating both process-based and technology-based risks.

Admittedly, the vulnerabilities in software and systems related to this attack are typically technical in nature and require technical expertise to mitigate.  However, such events routinely demand a heightened focus on improving policies, processes, and procedures to ensure a more complete and effective response.

Response planning is difficult while your organization is actively managing the potential damage from an event and reducing overall risk exposure. The common incident response approach—preparation, event identification, containment, eradication, and recovery—becomes trivial when intelligence sources are hitting you from all angles and the facts of the incident continue to evolve. As more details become known, you must constantly adjust your response, measure the impact to the organization, and evaluate your internal supply-chain.

What if we placed more emphasis on the key preparations that support the response? How would we begin to think about achieving a more proactive approach?

First, let’s take another look at how events evolved over the first 10 days of the attack, based on what was published, with a focus on how we can simultaneously improve our response capabilities.

At the time of public media reporting, evidence suggested that related deployment events occurred from September 2019 through February 2020, based on domain name registration and identified suspicious modifications of SolarWinds software code. This attack, along with many others, could be traced back to previous incidents, and each should be considered a potential predecessor to follow-up attacks.

The earliest potential weaponization of the SolarWinds Orion software was discovered in late February to early March of 2020.

The first 10 days:

  • 2020-12-08: The first public announcement of the attacks was made by FireEye. The impression that this attack was the work of a well-informed nation-state actor, namely Russia, was reported during this time.
  • 2020-12-12: The SolarWinds compromise was discovered. At that time, security and technology teams became aware of the details and began working to mitigate risk within their networks. Indicators of compromise (IOCs) began to surface, and intelligence mechanisms were in full force. During this phase, the resource load on remediation teams was substantial. Various dependencies on relevant skillsets, outsourced security teams, and internal response procedures were likely strained very early on in this process. Organizations began to evaluate the need for supporting resources as they uncovered risk. How many layers deep does this affect us? How extensive is the damage?
  • 2020-12-13: CISA, Microsoft, FireEye and SolarWinds released official advisories addressing the issue and known vulnerable release versions with recommended actions to remediate. As these advisories are updated, new recommendations are being supplied. (2020-12-31 was the last software update, at the time of writing.)
  • 2020-12-15: The U.S. Government released its first notice of being impacted. Areas of Commerce, the U.S. Treasury, U.S. Department of Homeland Security, The National Institute of Health, and various State Departments have all been included among those running the affected version of the application.
  • 2020-12-16: A domain takeover was completed to prevent any further command-and-control communications from the affected hosts.
  • 2020-12-17: The number of affected organizations continued to expand, including Cisco, VMware, and Intel. Each of these organizations reported findings with evidence of compromise.

It doesn’t end there. Community response and state-sponsored initiatives are driving awareness of the issues surrounding the attack. Recently, reports of large-scale e-mail account compromises, heavy allegations of Russian involvement, a White House response initiative, additional CISA guidance, access to Microsoft source code, and various SUNBURST identification tools have surfaced. Organizational transparency is fueling the security community’s understanding of the attack and improving its response.

What Is the Problem?

Examining how we became willfully exposed to such an attack requires root-cause analysis. The supply-chain—both internal and external—is a good place to start. What do we mean by supply-chain? Every organization exists in an ecosystem made up of partnerships and relationships on which it depends to advance its mission and goals. Your organization acquires products and services from a wide variety of vendors and suppliers, which are often difficult to map out because technology is increasingly implemented throughout the chain at all levels of processing. Without fully understanding and inventorying the software and systems within your organization, there are blind spots in your environment. This isn’t going to change, so you need to have a strategy. Consider three simple steps:

Step 1: Enhance your visibility of the systems and products in use and their internal and external connections, focusing on those that affect key components of your business. Take an inventory of your own supply-chain. Determine where, when, and how data is moving between systems, and consider both the in-transit and at-rest security requirements you may need to apply. This is true for compliance as well as due diligence. Once your inventory is built, create a process to review it regularly and identify potential gaps in the supply-chain management process.

Step 2: Report and set tasks to remediate the areas of concern within the supply-chain. If an organization is unaware of the risks in its product development process, it is unable to prioritize, fund, or even respond to high-impact issues at the drop of a hat. Awareness can drive agility in these scenarios.

Step 3: Adopt a continuous improvement mindset. Ask how defenses can be developed in response to supply-chain attacks. Consider instituting a forward-thinking process that uses worst-case scenarios and risk management processes to better prepare for supply-chain-related attacks, while estimating the resources needed to respond when something does happen.

Additionally, organizations need to consider a variety of improvements to effectively protect against supply-chain attacks. These attacks are not new, and they’ll likely be an increasingly valuable tool for advanced attackers. The reward is very high, as is the risk.

  • Evolve your security program to address modern and emerging threats. This is crucial to developing better proactive defenses, reactive responses, and maturing the supply-chain to reduce exposure.
  • Perform infrastructure tool rationalization. Added complexity and redundancy can increase your exposure. 
  • Leverage security partners to regularly assess, provide insight and input, and effectively review the supply-chain vendors to ensure secure practices are aligned with business initiatives.
  • Do scenario planning. What might be the next attack that could be delivered through our supply chain?  How would we be affected?  Are we able to detect, prevent, and/or react to it? 

In the next two parts of this three-part blog series, we’ll examine more closely the benefits of Third-Party Risk Management efforts and the technical aspects of defense for supply-chain attacks, while citing information related to the SolarWinds attack.