In a recent interview on CBS, Microsoft president Brad Smith claimed that the now-infamous hack of SolarWinds Worldwide Orion software as the “largest and most sophisticated attack ever” as further details of the attack emerge.
The SolarWinds Hack Was Sophisticated and Big
SolarWinds is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. It is headquartered in Austin, Texas, with sales and product development offices in a few locations in the United States and several other countries.
The incident, which began as early as March, was by SolarWinds unwittingly sending out software updates to its customers that included hacked code. The code created a backdoor to customer's information technology systems, which hackers then used to install even more malware. The attack became public in December.
If Brad Smith says it was the biggest hack ever, there are few that are going to contradict. In the interview he told the audience that Microsoft has already assigned 500 engineers to investigate the attack. That number, he added, is half of what those behind the attack may have deployed, he added.
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks,” Smith said. “And the answer we came to was, well, certainly more than 1,000.”
Ara Aslanian, CEO of IT services company Glendale, Calif.-based Inverselogic and an advisor to LA Cyber Lab, described the attack as “breathtaking in its scale and sophistication” and it shows that foreign national actors are massively stepping up their efforts to hack American governments and companies. The Biden administration has promised $9 billion to plug gaps in the federal government’s patchwork of cyber defenses, but what we really need is a cohesive national strategy to respond to this threat.
What is important to take from the attack is how vulnerable many organizations are to hacks of their vendors’ systems. Bulletproof cybersecurity takes training, intelligent software, and expert resources to monitor systems and people 24/7, but it can all be undone if hackers are able to get in through a vendor whose systems connect to an organization’s own network. For instance, the hackers who breached Target a few years ago got in through the HVAC vendor’s system.
“As companies’ supply chains get more complicated and they deploy more IoT to manage their buildings and processes, the attack surface is growing and growing,” he said. “Alongside investing in solid cybersecurity, companies have to prepare to deal with a successful attack. That means deploying systems to continuously monitor and back up their data via digital storage and enabling point-in-time recovery.”
Related Article: Can AI Fortify Your Organization's Cybersecurity Strategy?
‘Anyone Can Be Hacked’
The last decade has been littered with high profile third party breaches which led up to this moment. Target was the first mega third party breach in 2013, when 40 million customer credit card records were stolen. From there the trend continued: JP Morgan and Boston Medical in 2014. T-Mobile, Sam’s Club, Costco, CVS, Rite Aid Walmart Canada, and Tesco in 2015. Kroger, Stanford University, and Northwestern University in 2016.
With SolarWinds, it will be years before we know the full damages of the SolarWinds breach and it may be the biggest hack of all-time, Tony Howlett, CISO at Austin-based SecureLink, told us. “The key lesson here is that anyone can be hacked no matter how sophisticated or big an organization is. CISOs need to understand the dangers associated with outsourcing. Relationships between organizations and third-party vendors have become more complicated as more and more critical business functions are outsourced and those third parties are increasingly being viewed as business partners.”
He also pointed out that an average of 67 vendors require remote access to a company's internal network — that is essentially thousands of users connecting — and with 59% of data breaches traced to third-party vendors, these statistics highlight that third party risk management needs to be a top security priority for organizations.
“CISOs need to focus on buying the right tools rather than trying to make things work with the wrong ones to protect themselves from this kind of risk,” he added. “VPNs are the most common — it’s a great tool for employee network access but is not appropriate for vendor users, especially ones working with privileged credentials.
Many organization have many different solutions and processes for vendor management that can make it impossible to standardize across the organization and orchestrate security policy. In terms of best practices, CISOs need to identify, control and audit their vendors.
How These Hacks Happen
One key component that enables these types of attacks is credential compromise. Nation-state hackers are careful to obtain authentic credentials whenever possible to gain entry to the systems and data that they want to access inconspicuously, minimizing their digital footprint. IT teams need to be wary of unusual password activity, like an uptick in resets or permission change requests. Some other early signs to look for include files being created and deleted quickly, inconsistencies in email usage, and data moving around in unexpected ways, Mike Puglia, chief strategy officer at Miami, Fla.-based Kaseya, said.
However, it is important to remember that the top security threat for every organization across the board is people. That is why phishing will continue to be the top threat for organizations around the world — it is easy, cheap, versatile, and successful. One employee clicking on one phishing message can unleash a wave of devastation. Nation-state hackers are making extensive use of ransomware, and that is almost always delivered through phishing.
“Cybercriminals are also gaining expertise in the social engineering that empowers phishing, and that will continue. The industry is going to have to continue innovating automated and AI-driven anti-phishing solutions that can keep phishing emails out of employee inboxes to fight back,” he said.
The SolarWinds hack really shows that there is no way to stop someone from getting into your network and data if they want to get in. There are so many layers upon layers of potential vulnerabilities that exist and must work together to protect an organization.
What Should Organizations Do?
It is nearly impossible to be so secure that no one can get in, Stuart R. Crawford, MSP marketing consultant for Sebring, Fla.-based Ulistic, told us. The most important aspect of all the different security needs for an organization is the need to be able to detect when something is going on.
There are still so many organizations that do not have the detection part of the security framework in place. This is not an insignificant cost and therefore makes it very difficult to have in place because the decision makers of organizations may not provide the necessary budgets for the proper security measures.
This hack also illustrates that any outside third party vendor or client in the security chain may be the weak link within your security policy. This shows that the third parties that an organization works with must also prove and show proactive measures that they take to minimize their risk to their client’s networks.
There must be a higher level of cooperation between all the different departments of a software maker, the clients that they work with and to fundamentally understand the risks that they each have and how to properly reduce them. When something like this hack happens, new laws and more compliance comes out so that other organizations are forced to do a better job.
This is the issue, instead of compliance dictating what should be done, organizations need to take a step back and really be more proactive and do the right thing without the government stepping in. These organizations need to be more creative and innovative in their approach to solving the issue with risk and vulnerabilities.