Just a few brief thoughts on the initial reports of a SolarWinds Orion supply chain attack allegedly impacting a multitude of high profile government and corporate targets. We’re still waiting on quite a few important details; some great initial IOCs have been graciously provided by cybersecurity firm and attack victim FireEye.
It unfortunately seems that NotPetya really was that really bad omen, for multiple reasons. This is not a big surprise, particularly when considering an adversary group willing to invest substantial resources and time into a long game to compromise specific targets as effectively and efficiently as possible.
We already knew that both cyber and non-cyber related software supply chain attacks against organizations with big or desirable customer footprints are incredibly effective for resourced attackers. A compromised and trusted party with security permissions is simply a great way to intrude into anything. This would (and did) work for a 1940’s bank robbery as well as it does for breaking into a cybersecurity company.
The gloomy news is that there’s currently no easy fix for not being able to trust third-party software or software updates – including our own privileged IT and cybersecurity tools. We still need software, and not updating it generally has even bigger security risk implications. There are a lot of interesting efforts underway to tackle software supply chain security issues, such as SBOM. None are particularly widespread or unilaterally implemented. Secure development as a field faces a lot of organizational and cultural challenges in general. Things are improving, but it will take effort and time, and there will never be a silver bullet to completely prevent bad people from attacking and successfully compromising software supply chains.
Unfortunately, many of our most commonly deployed security and infrastructure software suites (think EDR, antivirus, development tool kits, IT asset management…) are pretty insistent about having unfettered access to everything on the local machine or network. That makes them even more dangerous if compromised in this kind of attack. It’s something that keeps people like me awake a lot.
So, what can be done? Really, the only thing that can be done by most of us right now is to build good old-fashioned defense-in-depth into our environments and operate software in well-segmented, least privileged environments. We should work with an assumption that any of our third-party software could potentially be leveraged in a supply-chain attack. That means trying to ensure an attack is quickly detected and an attacker is contained or slowed adequately to complete incident response before crown jewel systems are impacted. Cybersecurity is always a game of preventing meaningful consequences. That means understanding what those consequences could be, what could cause them, and creating layers of defense and mitigation.
Here’s the upside, and why we are probably going to survive this. Remember Auntie Lesley’s rule #2? “Even the most sophisticated adversary with the most expensive intrusion TTPs still have to follow the laws of reality” – even with a sophisticated supply chain attack that entirely circumvents network borders, an adversary can still be caught somewhere else in their attack chain. We may not be able to stop every resourced adversary from intruding into our network through compromised software, but we should put every effort into detecting the adversary inside before they complete their objectives or cause irreparable harm. They still have to do things like move laterally, gain persistence, beacon, escalate privileges, etc. Adversaries are not magical, no matter how much days like this make it feel like they are. They are humans, and for the most part they are humans doing a job who make mistakes just like we do.
So, What Now?
Well, if you’re a SolarWinds Orion customer – Krypt3ia said it the most succinctly: “you should be on a conference bridge right now”, checking for the IOCs provided by FireEye and strategizing for a worst case Incident Response scenario as more details and indicators trickle in about this event. We just don’t know a ton, yet. Make sure your incident response team or retainer provider are aware and ready to go with the information about your environment and procedures that they may need. Stop reading, come back later.
Even if you aren’t, I would highly recommend every org perform a TTX in the next month or two where their AV, EDR, or host configuration management tool updates and is compromised by a malicious adversary as part of a supply chain attack. (Just to go all-out on a plausible worst case scenario.) Security tools are a harder target than tax software or a network management tool, but they would make a horrendously effective weapon against a lot of organizations that trust them implicitly with the most generous administrative permissions.
In case you haven’t heard the term before, “TTX” is short for “table top exercise”, which is one of the cheapest and also effective security practice measures any organization can take. In a tabletop exercise, a security team drills a theoretical Incident Response scenario on paper, with all the people who might be involved in a real cybersecurity incident response effort playing along. A TTX scenario could be anything from ransomware worm to a website defacement. Given these current events, I suggest you consider an insidious supply chain attack which impacts multiple systems with substantial privileges on your network (or customers’ networks). If you are a software provider, you should be considering a compromise of your software which impacts your customers.
TTXes will show you process, tool, and communication gaps, and they will also very effectively engage essential groups such as corporate communications, legal, and executive leadership in your security efforts.
Updates to follow on Twitter and this blog as we learn more.