SolarWinds Pre Post Mortem
I am sure most, if not all, of you are somewhat familiar with the SolarWinds hack. It was sophisticated and far reaching, and its true impact is still not fully understood. As such, I wanted to put this post together to provide some insight into where we stand today and the lessons learned that we can apply now.
What was the genesis of this hack? Good question, I am glad you asked. There were three potential points of entry. Researchers are not sure which one was actually used, so I will briefly identify each. First, we know from various reports and sources that there was a file server with the password "solarwinds123." This is obviously a terrible password. SolarWinds has stated that once they were made aware of it, they remediated within a couple of days. Even so, I am not sure they can confirm that the attackers did not already have access by the time the password was changed. An article on cnn.com states that the password was still in use in 2019.
The second potential point of entry is a good old fashioned brute force password attack, which, considering the aforementioned password, is definitely a possibility. For those who do not know, a brute force password attack uses an automated process to try candidate passwords against an account until one succeeds; in practice the candidates usually come from a large list of common or previously leaked passwords (strictly speaking a dictionary attack) rather than every possible combination. The signature of this technique is a flood of failed login attempts from the same source, so one would hope that some type of logging would have caught it, but we do not know whether this was the method used.
Third, it is suspected that the compromise could have been initiated through a third party. This entry point should sound familiar because it is the same way Target was breached some years back, through credentials stolen from one of its HVAC vendors. With this method, the hackers compromise a third party that they know the ultimate target uses, then wait until that third party interacts with the target and use that connection as the point of entry.
Obviously, none of these potential points of entry provide a "warm and fuzzy" feeling if you are using the SolarWinds Orion platform. Based on these three possibilities, this hack may not have occurred if SolarWinds had used multi-factor authentication (MFA) and/or had an adequate third-party vendor assessment program. These are the basics. If you are a solid organization of any type, MFA and third-party vendor assessments should be core pieces of your overall security program.
Now, you may be asking yourself why the hackers chose to compromise the SolarWinds Orion platform. The Orion platform can integrate into practically every point in the network. It is used for network management and has hooks into network devices, applications, virtualization, NetFlow, storage, and logs. In other words, if you were trying to learn everything about an organization's technological assets and practices, the Orion platform would be a one-stop shop. Network management tools of this kind also typically hold privileged credentials for the systems they monitor, which makes them an even more attractive foothold.
Once the hackers gained access to the SolarWinds network, they took the extraordinary step of infecting the Orion platform's updates themselves: the malicious code was inserted into the Orion build, so the tampered updates carried a valid SolarWinds signature and looked legitimate to customers. So every time a company using this platform ran an update, which is best practice, it was effectively infecting itself. This turned the Orion platform into a supply chain attack on every company that used it. This is significant because it gets at our level of trust in a vendor. What happens when you worry that downloading an update from your vendor may infect you? Do you become hesitant to update? That hesitation is dangerous, because it could cause the next breach. I do not think the goal of the breach was to break trust, but I believe that may be a long-term side effect. The nature of security requires that, for tooling to be effective, it must be intrusive in the way it integrates into our environments. Most of the work we do in the security space, especially with tooling, forces us to place a high level of trust in the security hygiene of the vendor and the tools they provide. This hack hits at the heart of that trust.
One of the extraordinary facts about this breach is that the threat persisted for at least eight months without anyone detecting it. In fact, the breach was only identified after an employee at FireEye received a notification that a new device had been enrolled for MFA on their account, and they knew they had not enrolled one. That well-trained employee reported the odd behavior, and FireEye began an investigation that uncovered this breach. This is a huge plug for security awareness training. If that employee had not responded, would we know about this breach at this point?
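As an added illustration of the two detection opportunities mentioned above (the flood of failed logins that a password-guessing attack leaves behind, and the unexpected MFA device enrollment that tipped off FireEye), here is a small Python example. It is not code from the original post, from SolarWinds or from FireEye; the log format, the field names, the IP addresses and the sample events are all constructed for the example, and the thresholds are arbitrary assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data from any
# organisation). Format: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2020-06-01T08:00:01 auth_fail user=svc_fileshare src=203.0.113.7
2020-06-01T08:00:02 auth_fail user=svc_fileshare src=203.0.113.7
2020-06-01T08:00:03 auth_fail user=svc_fileshare src=203.0.113.7
2020-06-01T08:00:04 auth_fail user=svc_fileshare src=203.0.113.7
2020-06-01T08:00:05 auth_fail user=svc_fileshare src=203.0.113.7
2020-06-01T08:00:06 auth_success user=svc_fileshare src=203.0.113.7
2020-06-01T08:30:00 auth_fail user=bob src=198.51.100.9
2020-06-01T08:31:00 auth_success user=bob src=198.51.100.9
2020-06-01T09:15:00 auth_success user=alice src=198.51.100.20 device=alice-laptop
2020-06-01T09:15:30 mfa_enroll user=alice src=203.0.113.7 device=android-unknown
2020-06-01T10:00:00 mfa_enroll user=bob src=198.51.100.9 device=bob-phone
"""


def parse_events(text):
    """Parse the constructed log format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["ts"] = datetime.fromisoformat(ts)
        fields["event"] = kind
        events.append(fields)
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP that produces `threshold` or more failed logins inside
    a sliding `window`, and note whether a success later came from that source
    (the case that matters most, because the guessing probably worked)."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["event"] == "auth_fail":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"src": src, "user": ev["user"],
                               "failures": len(q), "success_after": False})
        elif ev["event"] == "auth_success" and src in flagged:
            for alert in alerts:
                if alert["src"] == src:
                    alert["success_after"] = True
    return alerts


def detect_unexpected_mfa_enrollment(events, known_devices):
    """Flag an MFA enrollment whose device is not already known for that user,
    or whose source IP has never produced a successful login for that user.
    `known_devices` maps user -> set of device names the user has registered."""
    alerts = []
    login_sources = defaultdict(set)  # user -> IPs seen logging in successfully
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "auth_success":
            login_sources[ev["user"]].add(ev["src"])
        elif ev["event"] == "mfa_enroll":
            user, src = ev["user"], ev["src"]
            device = ev.get("device", "?")
            reasons = []
            if device not in known_devices.get(user, set()):
                reasons.append("unknown device")
            if src not in login_sources[user]:
                reasons.append("source never seen for this user")
            if reasons:
                alerts.append({"user": user, "device": device,
                               "src": src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_password_guessing(evs):
        print("password guessing:", alert)
    known = {"alice": {"alice-phone"}, "bob": {"bob-phone"}}
    for alert in detect_unexpected_mfa_enrollment(evs, known):
        print("mfa enrollment:", alert)
```

On the sample data the first rule fires once, for 203.0.113.7 guessing the svc_fileshare account, and records that a success followed the failures; the second rule fires once, for alice's enrollment of an unknown device from an address she has never logged in from, while bob's enrollment of his own phone from his usual address passes. In a real deployment the MFA enrollment rule is the higher-value one: enrollments are rare, so alerting on every one that does not match a known device is cheap, and it automates exactly the judgement the FireEye employee made by hand.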
How should we as security professionals respond? Obviously, it is not reasonable to say no more security or monitoring tools on the network, but it does require us to expand our view and understanding of the attack surface. Traditionally, security has focused on the attack surface as being primarily the user domain, or any technology that is not itself participating in securing the network. This hack should force us to include our tooling as part of the potential attack surface. That means policies, processes, and mechanisms to monitor our tooling: what it can reach, what credentials it holds, and where it talks to on the network.
As a solution, we can implement zero trust methodologies not just for users but for our technology. Organizations should research and evaluate solutions that apply zero trust methodologies to the integration of our tooling: least privilege for the accounts the tools use, network segmentation so a management server cannot reach everything, and egress restrictions so a compromised tool cannot freely call home. Additionally, we need to get back to basics. The trend in security, for years now, has been to use technology as the core "work horse" for securing our organizations. I think we need to shift back to relying more heavily on our workforce. That means spending real time developing our people and processes so we can maintain good security practices and hygiene with limited technology, and then, when appropriate, using technology as an efficient mechanism.
One last point: if you look at this hack holistically, one could classify it as a reconnaissance effort. That should make everyone nervous, because if you have worked in security for any length of time, you know that reconnaissance is just the first step, not the goal. I honestly do not think we have heard the last of this breach. I suspect we will be dealing with its impact and fallout for years to come.