If you have been watching the news lately (especially the Cyber headlines), there have been at least two major breaches which have occurred to two major Cybersecurity Vendors, that of Fire Eye and Solar Winds. Both have completely been an utter shock to our industry, as these are leading firms in their areas of specialties.
But it has been the Solar Winds one that has caught the attention of most, as this attack also had a huge and tremendous impact upon the Federal Government as well.
I’ve got to be honest, I have not kept myself abreast of what exactly has happened thus far, because each news headline that comes out has something different to it. It is something that is actually still evolving quite a bit, and we may not get all of the answers that we are looking for until months down the road, until a thorough forensics investigation has been conducted.
But here is what we do know so far, from reliable sources:
*It was known in some circles that an attack would be imminent like this, some 6 months ago;
*The use of Advanced Persistent Threat variants has been cited so far as the major culprit;
*Malicious payloads were first delivered to specific network management software that has been created by Solar Winds known as “Orion”;
*MFA protocols were bypassed in Microsoft Outlook which allowed the Cyberattacker(s) to steal the secret Encryption key from it;
*The malware that was hiding in the Orion network management software actually posed as legitimate updates, was also used to create a covert backdoor called “Sunburst” that was installed across most of the Federal Government’s critical level servers (which includes the US Treasury Department, Department of Homeland Security, the Justice Department, the State Department, and the five branches of the US military).
So now, the question remains, just how were the Cyberattackers able to get in? Here are some of the clues that have been picked up so far:
*The use of Remote Monitoring and Management Tools:
These are also known technically as “RMM Tools” and is a tool that is actually used quite heavily by Managed Service Providers (MSPs) in order for them to keep a close eye on the IT and Network Infrastructures of their clients. In a way, this is very similar to the Remote Desktop (“RDP”) that was developed by Microsoft. Using this specialized protocol, one can remotely access multiple workstations from just one interface. This is how the RMM Tools work. But their uses are far more sophisticated in the sense that the MSPs can keep a check on the health status of the networks, endpoints, and all of the wireless devices of their clients. But using this software package also requires that an agent be deployed deep into the IT and Network Infrastructures of their clients in order to get a holistic view of that is actually happening. These agents are typically used to capture detail on such critical areas as the patch and version levels of the software/firmware upgrades, and hardware performance issues that include CPU and memory consumption usage, the fan speeds to keep the servers cool, and other related functionalities. But these agents and the RMM Tools come together as one, cohesive package. Meaning, if a Cyberattacker can break through this, they can pretty much gain access to the MSPs client’s IT and Network Infrastructures and move in a lateral fashion. All this translates into the fact is that there is just one huge attack surface that be easily broken into. So now, there is a movement to try to separate these two components, so that the Cyberattacker if breaks through one, the statistical odds that they will break through the other component becomes a lesser risk.
*Gaps in the Software Development Lifecycle (“SDLC”):
This is something I have written about before extensively. In today’s remote environments, software developers are often under enormous constraints and pressures to deliver their projects on time to the client. Because of this, security is often a forgotten about subject. As a result, there are many backdoors that are left behind, giving the Cyberattacker one of the easiest ways in which to penetrate an organization’s IT and Network Infrastructure. So as it applies to this Cyberattack, it is now believed that the malicious payloads were actually inserted into the SDLC environments of the targeted victims, via the backdoors that were not checked for as the source code was being developed. So thus, although security may hold things up a little bit, it is absolutely imperative that various Penetration Test are actually being run in order to discover these unknown backdoors and close them up quickly.
*Other Threat Variants are being used:
Although it has been initially thought it was the RMM Tools package from Solar Winds that has been the culprit for deploying most of the most malicious payload, it is also quite conceivable that the Cyberattacker used other forms of threat variants as well in order to gain a foothold. But these were masked, as everybody was paying attention to the RMM package. The bottom line to keep in mind here is that a Cyberattacker is not just going to use one way to do the damage that they want to do. While they may use one point of entry for the initial attack, they will use other threat variants in order to gain access to the other areas of the IT and Network Infrastructure of a company. This is all in a concerted effort to create confusion, and to keep their tracks well covered in the process.
*The Trust Process was broken:
For the hundreds (if not more) of clients that use the Solar Winds RMM Tools package, there was an inherent level of trust that was established. For example, if any software patches and updates are being pushed through by Solar Winds, it has to be safe, right? Well in this instance, this was not the case. The Cyberattacker took full advantage of this weakness and exploited it to the maximum that they possibly could, which even filtered all the way down to the IT Security teams and Network Administrators that had some of the deepest levels of access. This all just underscores the fact, in today’s and unfortunately so, you simply cannot trust anybody these days. You literally have to watch your own back on a constant basis.
My Thoughts On This:
IMHO, this was truly a perfect storm ready to happen. Not to mention all of the recent chaos and firing of key Cybersecurity personnel at the White House, this led to a Social Engineering component as well. So, what can we do with what we have learned so far? Here are some tips:
*Now and forever, always implement the Zero Trust Framework, with at least three layers of different authentication mechanisms being used.
*Break up your IT and Network Infrastructure into different zones or “Subnets”. That way, if a Cyberattacker does break through one of them, the statistical odds of them going deeper and further in become much lower at each separate layer. Also, air gap your components, so that they are not all fitting tightly together was one unit, as it was the case with the RMM Tools package.
*This is probably one of the most important of all: Always check the security level of your source code as it is being developed. Just don’t wait until the end to this. Do it as each module is complete so the weaknesses that appear in one package do not transcend down towards the others in a cascading effect.
*Make use of Artificial Intelligence (AI) and Machine Learning (ML) tools to help filter out the false positives, so that only the real ones are presented to your IT Security Team. This will make the triaging and escalation process a much smoother and efficient process. Also, this will help your IT Security team to keep their eyes on other threat variants that the Cyberattacker might be using in order to further disguise their footprints.
As we fast approach into 2021, it is quite possible that these kinds of large scale Cyberattacks could very well occur, in which the Cyberattacker uses all sorts of methods to unleash the havoc they want to wreak. But worst of all, this could be a simultaneous type of attack which will impact all of our Critical Infrastructure, thus taking us weeks and months to recover from, not just days.