Because this attack was purportedly executed by a sophisticated state actor (so far, most are attributing it to Russian state intelligence), many of the largest US Federal departments who use this software, including the Treasury Department, Homeland Security, and State Department were targeted directly. Some of them have already reported either actual breaches or indications of compromise.
But it wasn’t just the big US government agencies that were affected; many state and local organizations, as well as many governments and militaries around the world, also use the software and would-be potential targets for a state-run hacking organization. The largest agencies have massive staffs and budgets to deal with this kind of cyber-disaster but even for them, it may take months or even years to unravel all the potential backdoors and other vulnerabilities introduced by this attack.
For smaller departments or groups, the task will be even harder since they don’t have the resources that the feds do. As one of these types or organizations, what do you do, both to remediate any immediate vulnerabilities and prevent this from happening again?
Stop the Bleeding
First of all, you want to eliminate the immediate risk. If you use the affected software (details can be found here), you should have already followed the CyberSecurity Infrastructure Security Agency (CISA)’s directions to disconnect and decommission any instances of SolarWind’s Orion software.Hopefully, your organization has already taken those steps; if not, do so right away. But taking these actions leaves these entities without the network monitoring and management capabilities that the software provided. This could lead to outages or even other attacks going undetected. SolarWinds has released a patched version, but most security professionals do not recommend simply patching an in-place installation. Instead, a complete reinstall of base OS software on up is the only way to ensure that there are no hidden backdoors or rootkits on the affected servers.
Assume You’re Hacked and Hunt for Threats
But, a complete reset isn’t enough to get you completely out of the woods. Even if you don’t think that your company would be one of the ones that the hackers would go after first, you have to assume there might be a compromise on your network. The vulnerability existed for over six months, which would be potentially enough time for a large state-sponsored hacking organization to go down the list of victims to your organization. You need to do a top-to-bottom security review of all your networks and systems.There are tools out by various scanning vendors that can search for infected SolarWinds servers and the “phone-home” signals they give off. You will also want to look for Indications of Compromise (IoCs) of this particular attack which include accesses to the malicious command and control nodes used by the malware. You can find a list in the official CISA Advisory.
But don't stop there. Consider hiring an outside, respected threat hunting firm to go through your log files and other data to search for clues of past compromise. These companies specialize in this kind of work and know what to look for. Plus, you’ll get an unbiased assessment of your security posture from outsiders to assure upper management, board of directors, and customers that you aren’t compromised.
Check Your Vendors!
Finally, over the long term, you need to examine all of your relationships, both between internal servers and external third parties who might have access to your networks and systems. You might be clean of any malware, but if a vendor used the affected software and has access to your network, if they’re compromised, it could easily lead to you being compromised.If you don’t already have a vendor or third-party risk management program set up, do so immediately. If you already do have one, make it better. Interview all your vendors to find out if they use the software and if they do, are they doing the right things to make sure they aren't hacked? You will also want to tighten security around vendor access, with more vetting up front and more audits and ongoing monitoring once they are engaged.
How To Keep Yourself Safe
A sophisticated supply chain attack like this is very difficult to defend from. The hackers managed to make it into trusted, digitally signed software updates which are generally accepted as safe. And they used a platform that acted as network overwatch which gave them wide latitude to explore, exploit, and spread through networks at will, knowing they controlled the software that was supposed to warn companies about this kind of activity.Given how successful it was, expect there to be more like it (if it hasn’t already happened). I would expect reforms and possibly legislation to come out of this event that will force companies to more closely examine the software update process, vendor relationships and other vectors for supply chain attacks. And in the meantime, by making sure you are closely vetting and watching third parties access of all kinds, you stand a much better chance of catching the activity of a hack and responding to it before real damage is done.
Tony Howlett, CISO at SecureLink, Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.