Navigating the SolarWinds Storm
Brett Thorson / James Gimbi
SolarWinds has announced that up to 18,000 companies may be affected by a highly sophisticated attack targeting its Orion product. The attack is continuing to reverberate globally, with guidance suggesting that over 300,000 companies and their connected partners up and down the supply chain may be affected.
The Washington Post attributed the attack to a well-known Russian hacking group – known as Cozy Bear or APT 29 – and cybersecurity company FireEye published evidence that the breach began as early as March this year. So far, victims include various government agencies and companies in consulting, technology, telecommunications, and oil and gas across North America, Europe, Asia and the Middle East.
These organizations, and hundreds of thousands more, rely on software designed by SolarWinds to manage their IT networks. It appears the attackers embedded malicious code, called SUNBURST, into a software update released by SolarWinds. Once installed, that code provides the attacker persistent access to the customer’s network, ultimately leading to control of privileged accounts and access to sensitive data. By installing the update, organizations effectively handed over the keys to their kingdom to SolarWinds and the attacker.
The gravity of the attack reminds us that well-established security principles, like Defense in Depth and Least Privilege, can mean the difference between routine incident management and a truly disruptive compromise across the networks of public and private organizations via the software supply chain.
How should organizations be reacting?
To their credit, SolarWinds was quick to issue a security advisory, and potentially affected organizations should consult its consistently updated guidance.
Ironically, the first company to report being affected by the incident was itself a cybersecurity company. FireEye, an intelligence-led security company, released its own advisory, endorsed by the Cybersecurity and Infrastructure Security Agency (CISA), and is publishing signatures to detect the threat on its GitHub page.
Microsoft is also leading a collaboration between a variety of companies to seize and ‘sinkhole’ a domain that played a central role in the attack, according to ZDnet.com. In cooperation with the US Government, Microsoft was able to take over the domain name “avsvmcloud[.]com” that the malware was using to communicate with the attackers. As a result, any data sent from a compromised company to the attackers now goes to Microsoft instead, and the attackers can no longer send commands to the malware. Given its closeness to the incident, Microsoft has released instructions on how to contain a SUNBURST malware infection.
While CISA has issued an emergency directive ordering all federal agencies to immediately disconnect or power down the affected Orion products on their networks, most companies should be able to sufficiently protect themselves by following the Microsoft guidance above and blocking the domain “avsvmcloud[.]com”. Organizations already impacted by this SolarWinds incident must take action to mitigate the impact. This means understanding the extent to which the malware has infected their operations, and the nature of this breach divides SolarWinds customers into three categories:
- Customers unaffected by the known scope of the breach - These organizations should continue to monitor official advisories as the industry’s understanding of this incident continues to evolve. Importantly, some organizations were unaffected because they were not updating enterprise software. Leaders should understand whether this applies to their organization, and what this might mean for their broader cybersecurity posture.
- Affected customers with no APT activity - These organizations should follow established incident response plans, closely monitor privileged and service accounts, and consider implementing recommended mitigations to prevent further compromise.
- Affected customers with APT activity - These organizations should follow established incident response plans, closely follow guidance from previously referenced organizations, and should consider engaging external incident response support.
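As an added example (not code from the article, SolarWinds, Microsoft or FireEye), the following Python check shows one way a defender can apply the domain block above to their own telemetry: it scans DNS query log lines for lookups of “avsvmcloud[.]com” or any of its subdomains and reports the querying hosts, so they can be placed in the right category. The log lines and the log format are constructed for this example; adapt the regular expression to your resolver’s actual format.

```python
"""Flag internal hosts whose DNS lookups touch the SUNBURST C2 domain named in the article."""
import re
from collections import defaultdict

C2_DOMAIN = "avsvmcloud.com"  # the domain the article says was sinkholed by Microsoft

# Constructed sample log; format "timestamp client query[TYPE] name" is assumed, not a real product's.
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:02Z 10.20.1.15 query[A] www.example.com
2020-12-14T10:01:09Z 10.20.1.15 query[A] k3x9q7.sub.AVSVMCLOUD.COM.
2020-12-14T10:02:33Z 10.20.1.44 query[A] avsvmcloud.com
2020-12-14T10:03:01Z 10.20.1.50 query[A] notavsvmcloud.com
2020-12-14T10:03:05Z 10.20.1.50 query[A] avsvmcloud.com.internal.example
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\[\w+\]\s+(\S+)$")


def normalise(name):
    """Lower-case, undo [.] defanging and drop the trailing root dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def matches_c2(name, c2=C2_DOMAIN):
    """True only for the C2 domain itself or a real subdomain (match on a label boundary).

    A plain substring test would wrongly flag notavsvmcloud.com and
    avsvmcloud.com.internal.example; both are rejected here."""
    name = normalise(name)
    return name == c2 or name.endswith("." + c2)


def defang(name):
    """Defang a domain for safe inclusion in reports and tickets."""
    return name.replace(".", "[.]")


def hosts_contacting_c2(log_text):
    """Return {client_ip: [defanged queried names]} for every hit, skipping malformed lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname = m.groups()
        if matches_c2(qname):
            hits[client].append(defang(normalise(qname)))
    return dict(hits)


if __name__ == "__main__":
    for client, names in hosts_contacting_c2(SAMPLE_DNS_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

Hosts that appear in the output belong in the “affected” categories and warrant the account monitoring and incident response steps listed above, even though the sinkhole means their traffic now reaches Microsoft rather than the attacker.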
For impacted companies, a very important consideration is providing transparent communication from leadership without consuming technical resources with ad-hoc requests for status updates.
To that end, we advise our affected clients to follow an achievable meeting cadence with key leaders across the organization. For example, set up specific update times during the day (e.g. 10:00 AM and 4:00 PM) when all executives can call into a video or conference call number to hear an update and ask questions. This reduces the tendency for stakeholders to repeatedly ask technical teams for an update, ensures that timely updates come from authorized and knowledgeable people, and gives the technical team the time to conduct their analysis.
Leaders also need to accept that a malware attack evolves; as it develops, status updates will be a top-line perspective rather than a detailed report. To expect anything else would be premature and hinder the technical investigation.
Leaders at affected organizations should also work with technical, legal and communications teams to determine how the scope of their potential, or actual, exposure impacts obligations to internal and external stakeholders, including customers, employees, shareholders, and their suppliers. Companies should review financial, operational, regulatory and reputational considerations to name just a few.
For organizations not running SolarWinds, the attack represents an opportunity to reflect on how teams would handle a similar event. With so much insight on the incident, it is feasible to simulate the attack to determine whether an organization has the adequate resources and support to detect and respond to third-party cross compromise. Cyber maturity assessments and tabletop exercises can be valuable tools to structure a simulation and identify costly cyber capability gaps.
What does this mean for digital customers and providers?
Digital product and service customers
It is to be expected that third-party risk is part of doing business in today’s digital ecosystems, but organizations cannot afford to ignore Cyber Supply Chain Risk Management (C-SCRM).
Mature organizations have robust C-SCRM capabilities, combined with well-rehearsed incident response and business continuity management procedures, to ensure they can detect and resolve cyber breaches stemming from third-party compromise and continue to safely operate their business. While few organizations can promise to eliminate all the risk from digital partners, many can start to improve the situation by fostering relationships with providers to produce (and practice) joint response procedures.
BCG worked with the National Institute of Standards and Technology (NIST) to offer freely available tooling and guidance to help organizations learn from leading C-SCRM practitioners.
Digital product and service providers
We can derive several important early learnings for digital suppliers and service providers. Importantly, these all stem from developing a robust DevSecOps capability that ensures code is reviewed, meets requirements and has a goal or task associated with any change. A good DevSecOps methodology contains:
- Code review, leveraging third parties
- Rigorous post-deployment integrity checks, audits, and penetration testing
- Accountability, logging, and audit capabilities
- Incident management playbook for responsibly and effectively guiding customers through breaches
Looking to the future?
This is not the first widespread cross compromise and is not likely to be the last. The Dragonfly and Shylock attacks by the threat group “FIN4” (which was tracked by FireEye), and many others, have leveraged trusted third-party partners as a vehicle to launch major attack campaigns. Digital products and services can unlock incredible value, but organizations must work to understand and manage the risk introduced by these partnerships. This calls not only for mature cybersecurity practices, but for an end-to-end approach to supply chain and third-party risk.