Posted on August 11, 2021
Backups & DR
In the final stretch of an already challenging year, news of the attack on the SolarWinds Orion monitoring platform rattled businesses and the government alike. In the private sector, customers of SolarWinds included 425 of the US Fortune 500 companies, ten of the top US telecommunications companies, and five top US accounting firms. Government agencies, including the US Military, the Pentagon, and the State Department, were impacted by universities and colleges.
The scale of the attack was massive and considered one of the largest ever. The hackers gained a foothold in computer networks around the globe. The attackers went to great lengths to avoid detection, leaving a tiny footprint on the users’ systems.
What does this mean for cybersecurity in the future? How can businesses prepare for and protect themselves against future attacks?
News of the SolarWinds attack first broke on December 8th, 2020—just as most people were preparing for the holidays and saying goodbye to a tumultuous year. It was an announcement that was stunning in its scale. Hackers used novel techniques and sophisticated tools to go undetected for months.
The sheer volume of companies impacted by the SolarWinds hack is still unknown, but experts believe the impact is global.
Hackers placed malware inside the SolarWinds Orion product. Companies that used Orion would apply routine, legitimate updates. As a result, the malware unknowingly made its way into their networks.
This happened over the course of several months. SolarWinds identified the impacted period as of March through June of 2020. Companies that downloaded, implemented or updated Orion during this period received the malware.
The State Department and security firms believe that a Russian intelligence agency is behind the sophisticated attack. The Russian embassy denied responsibility in a December 13th statement.
The hack on the Orion platform is believed to be a nation-state hack. In other words, a private group acting on behalf of a government.
A nation-state attack intends to disrupt target governments or organizations. The goal is to gain access to valuable data or intelligence.
The security firm FireEye first raised the alarm. FireEye disclosed that state-sponsored hackers had broken into their network. Investigation of the breach revealed that hackers had weaponized the SolarWinds Orion updates.
FireEye then alerted SolarWinds that Orion contained a vulnerability. From that point, there was an immediate outbreak of concern among top government agencies, large companies, and other private businesses.
The impact was far-reaching. SolarWinds issued a security advisory outlining the hack and associated defensive measures.
Around 18,000 SolarWinds customers had installed the two Orion updates that contained the malware. The scale of the attack continues to grow and has had a global impact. Major companies that downloaded the compromised update include Cisco, Intel, Deloitte, VMWare, among many others.
The hack is considered to be a supply chain attack. In other words, rather than attack a target directly, hackers attacked a third-party provider (in this case, Orion).
While supply chain attacks are not common, data breaches by third parties are. A survey found that 80% of companies had experienced breaches caused by third parties.
Technology experts are still learning how to mitigate supply chain attacks. There is no easy solution since companies rely on software to run their businesses, and routine updates are not perceived as a threat.
Companies may start needing to employ zero-trust networking principles. They may also need to assign role-based access controls to their applications and servers. However, this is a balance between the potential for attack and needing to run a business efficiently.
There will likely be an increase in supply chain attacks in the future. Ransomware attacks have also been on the rise as cybercrime groups have adopted more sophisticated techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to power down SolarWinds Orion products immediately. CISA’s guidance to organizations was that operational security remains at the forefront. Companies need to initiate incident response activities and implement remediation plans.
CISA determined that the exploit was of grave risk. The malware could monitor traffic on major federal network systems. There is also a high potential for compromise of government agency information systems.
Impacted businesses needed to respond swiftly to the attack. Identifying whether or not they had received the malware was only the first step. IT security teams need to continue to hunt for threats and monitor their networks.
They had to assume that the hackers were monitoring their response. It might be necessary to involve an outside forensics team or experts to help identify if impacted the company. FireEye reports that the malware stops executing if it discovers that it is being analyzed.
Businesses that were not impacted also needed to contact any vendors that have access to their data. This is to identify if that vendor was using the Orion platform and how the vendor is responding.
In some cases, entire networks may need to be rebuilt. Disaster recovery efforts may be the solution, assuming that captured critical data and environment information before installing the Orion update.
In a way, the world was poised for an attack of Orion’s magnitude. Data breaches were on the rise in the months leading up to the SolarWinds attack. Hackers were taking advantage of the confusion caused by a coronavirus.
This is a result of more and more business happening online. Many companies had to make abrupt shifts from office work to employees working from home. This opened up an opportunity as IT staff may have used shortcuts or piecemealed security measures.
Cybercriminals always take advantage of confusion or uncertainty. Companies of all sizes are at risk for an attack. Losses from a cybersecurity incident can be costly for an organization.
The challenge of keeping a business safe and secure from attackers can seem daunting. It can feel like a constant threat between bad actors looking to carry out smaller-scale cybercrimes and large-scale attacks like SolarWinds.
Since some of the largest companies fell victim to an attack, it may seem like efforts to implement security are futile. However, this is not the time for businesses to let down their guard in any way, as cybercriminals are waiting to exploit weaknesses.
There are many things that businesses can do to minimize the risk of potential attacks.
Your business needs to begin with the basics, including securing all hardware with a complex password. Devices should lock after a period of inactivity and require entering a password again. Stolen equipment is a risk and an increased risk with employees working from home.
Ensure that you have policies in place to handle lost devices, stolen devices. This could include geolocation or remote destroy of information if a device falls into the wrong hands.
If data does fall into the wrong hands, you can render it useless by encrypting the data. This protects sensitive information, such as customer data, employee information, and business data. You should implement full-disk encryption as well as the encryption of your data stored in the cloud.
Hackers sometimes will lock companies out of their own data and demand a ransom for its release. You can protect yourself by backing up your data in a separate location so that you can reaccess the data easily.
Security isn’t only for IT administrators. Users need to be aware of threats and keep themselves and the company’s sensitive information safe. These measures can include:
If you work with outside vendors with access to your data, include cybersecurity standards in your vendor contracts. Companies need to understand how these standards evolve. Contracts should also include language around what happens if the standards are not met.
Despite threats of cybercrime, your business needs to be able to operate. The SolarWinds Orion attack reminds companies that companies need to remain vigilant and implement the best security measures possible. This includes proper threat detection and response, as well as robust preparation for disaster recovery.
If your business needs an expert security team, NETDepot is here to help. We can work with your unique business needs to develop a plan to keep your data secure and mitigate threats. Contact us today for more information.