New Takes on the SolarWinds Hack(s)

The story of a major cyber attack follows an eccentric path. Riffing on the Kübler-Ross model, a cyber attack narrative usually lurches from anger (“OMG!”) to denial (“It wasn’t that bad”), bargaining (“We’ll fight back!”), depression (“We’re doomed!”) and finally acceptance (“We got burned…”). The SolarWinds supply chain hack, in which suspected Russian hackers penetrated numerous US government agencies, is so immense that it is generating its own cacophony of mixed messages. We don’t know the true extent of the damage, and probably never will. It’s hard even to be sure what actually happened. Yet we still need to figure out how to do better next time.

What can be done now to reduce the odds of an attack of this magnitude recurring? In this disorienting moment, it helps to seek the opinions of experienced people in the industry. Tom Kelly, president and CEO of the data privacy and breach-response firm IDX, was involved in briefing Congress on the attack. In his view, the SolarWinds hack demonstrated the devastating impact of a well-known risk factor. “The fact that a foreign intelligence service can set up a server on U.S. territory and appear to be an American-based entity, while carrying out an attack on the U.S. government, is a major national security problem,” he said. “If we want to avoid this kind of nightmare going forward, this would be a good place to start.”


Kelly also spoke to an issue that, while easy to identify, is hard to address: the imbalance between a given organization’s cyber defenses and the resources of a nation-state attacker. “It’s not a fair fight, even for the most well-resourced agency,” he noted. “It’s time for better public-private partnerships to bolster defenses at the levels of individual government agencies and American corporations.”

Gregory Bell, Co-founder and Chief Strategy Officer of Corelight, a Network Detection and Response (NDR) vendor, offered a different take. His experience in network defense has taught him that preventive countermeasures alone are almost guaranteed to fail against an attack this advanced. “If you’re relying on firewalls and access controls to prevent a state security agency, with a signed certificate in its hand, from taking over your enterprise management software, you’re in for a rude shock,” Bell shared.


A better approach, in his experience, is to monitor network traffic and collect system logs and other data, in order to catch an early glimpse of an attack unfolding. “It’s important to collect data from endpoints, network infrastructure, and external sources of intelligence,” he said. “If you combine this data with analytics and threat hunting, you stand a chance of detecting an attack as Mandiant did—so you can then respond on a timely basis. At a minimum, you’ll get a quick understanding of what we call the ‘blast radius’ of the attack. You’ll know what got infected, and how the event unfolded.”

Bell further noted that it may take months to determine whether the SolarWinds hack included the implanting of as-yet undetected malware that could lurk for a long time. “But if you’re gathering real-time data, including network data, you’ll have critical evidence you need in that case – since attacks like this do need to cross the network.”


The SolarWinds attack revealed many deficient security practices. As Katie Nickels, director of intelligence at Red Canary, put it, the attack “has emphasized the need for basic security measures like asset inventory and knowing your network, including having a concise list of all third-party providers being used. What we saw for the first week or two after the initial SolarWinds revelations was some organizations just trying to figure out whether they even use SolarWinds products. Every network has some type of dependency on third parties. It’s not realistic to expect that any network can be completely isolated from third party risk.”
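Bell’s point about scoping the “blast radius” from network data and Nickels’ point about first knowing which hosts even run a given third-party product are two halves of the same exercise. The following Python script is an added illustration written for this page, not code from Corelight, Red Canary or the article’s author: it joins a constructed asset inventory against constructed Zeek-style DNS log lines and sorts hosts into those confirmed beaconing, those beaconing that the inventory never listed as running the product, and those exposed but silent. The host names, IP addresses, the product name `vendor-monitoring-suite` and the indicator domain `example-c2.invalid` are all hypothetical.

```python
"""Scoping a supply-chain compromise from asset inventory plus network data.

Added example for this page, not code from Corelight, Red Canary or the
article's author.  Every host, IP, product name and indicator domain
below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed asset inventory: which hosts run which third-party products.
ASSET_INVENTORY = [
    {"host": "mgmt-01", "ip": "10.0.1.10", "products": {"vendor-monitoring-suite"}},
    {"host": "mgmt-02", "ip": "10.0.1.11", "products": {"vendor-monitoring-suite", "backup-agent"}},
    {"host": "mgmt-03", "ip": "10.0.1.12", "products": {"vendor-monitoring-suite"}},
    {"host": "web-07", "ip": "10.0.2.7", "products": {"backup-agent"}},
    {"host": "db-03", "ip": "10.0.3.3", "products": set()},
]

# Constructed Zeek-style dns.log excerpt: ts, id.orig_h, query, answer (tab-separated).
# 10.0.9.9 is deliberately absent from the inventory above.
DNS_LOG = """\
1607900001\t10.0.1.10\tupdates.vendor.example\t203.0.113.5
1607900050\t10.0.1.11\tabc123.appsync.example-c2.invalid\t198.51.100.7
1607903650\t10.0.1.11\tdef456.appsync.example-c2.invalid\t198.51.100.7
1607904000\t10.0.2.7\tcdn.example.net\t192.0.2.9
1607905000\t10.0.1.10\tghi789.appsync.example-c2.invalid\t198.51.100.8
1607906000\t10.0.9.9\tjkl012.appsync.example-c2.invalid\t198.51.100.7
"""

COMPROMISED_PRODUCT = "vendor-monitoring-suite"   # hypothetical product name
INDICATOR_DOMAIN = "example-c2.invalid"           # hypothetical C2 parent domain


def parse_dns_log(text):
    """Parse the minimal tab-separated dns.log format used above."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, query, answer = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h,
                        "query": query.lower().rstrip("."), "answer": answer})
    return records


def matches_indicator(query, parent_domain):
    """Match the parent domain and any subdomain of it: the leftmost label
    is attacker-generated and differs on every lookup, so exact-match
    indicators would miss most of the beacons."""
    return query == parent_domain or query.endswith("." + parent_domain)


def exposed_hosts(inventory, product):
    """Hosts the inventory says run the affected product: the first
    question every organization had to answer."""
    return {a["ip"]: a["host"] for a in inventory if product in a["products"]}


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def blast_radius(records, inventory, product, parent_domain):
    """Split hosts into: confirmed (exposed and seen beaconing), unexpected
    (beaconing but not known to run the product, i.e. an inventory gap),
    and exposed_silent (run the product, no beacon seen, still to hunt)."""
    exposed = exposed_hosts(inventory, product)
    known = {a["ip"]: a["host"] for a in inventory}
    beacons = defaultdict(list)
    for r in records:
        if matches_indicator(r["query"], parent_domain):
            beacons[r["orig_h"]].append(r["ts"])
    confirmed, unexpected = {}, {}
    for ip, stamps in beacons.items():
        entry = {"host": known.get(ip, "UNKNOWN (not in inventory)"),
                 "first_ts": min(stamps), "first_seen": _iso(min(stamps)),
                 "beacons": len(stamps)}
        (confirmed if ip in exposed else unexpected)[ip] = entry
    silent = {ip: host for ip, host in exposed.items() if ip not in beacons}
    return {"exposed": exposed, "confirmed": confirmed,
            "unexpected": unexpected, "exposed_silent": silent}


def scope(log_text=DNS_LOG, inventory=ASSET_INVENTORY):
    """Run the whole pipeline on the constructed data."""
    return blast_radius(parse_dns_log(log_text), inventory,
                        COMPROMISED_PRODUCT, INDICATOR_DOMAIN)


if __name__ == "__main__":
    result = scope()
    for bucket in ("confirmed", "unexpected", "exposed_silent"):
        print(f"{bucket}: {result[bucket]}")
```

The three buckets map onto the quotes above: “confirmed” is the blast radius Bell describes, with first-seen timestamps giving the timeline; “unexpected” is a host beaconing that the inventory never flagged as running the product, exactly the gap Nickels saw in the first weeks; and “exposed_silent” is the set that still needs threat hunting, because the absence of a beacon in the logs collected so far is not proof that an implant is absent.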

The story of this attack has not yet been fully told. The work of preventing the next one must start now. What’s clear, despite all the confusion of the situation, is that traditional security models aren’t up to the job. New thinking is needed.