Just when you think the dust has settled from the nation-state-sponsored SolarWinds breach, United States organizations are faced with another breach (HANFIUM Microsoft Exchange Server). But even as new nation-state threats present themselves, the core efforts to contain them remain consistent. Let’s take a look at what happened with SolarWinds and how the skills and strategies Agio uses day-to-day are excellent ways to protect yourself when the unexpected comes calling.
First, what does it even mean to have a nation-state breach? Well, a nation-state actor leverages cyber threats against other nations to gain an advantage and weaken adversaries. Those cyber threats are generally a breach that causes ripples throughout the country they’re trying to disrupt (think government entities, critical infrastructure, etc.) and has a negative impact that may not be fully known for years. A nation-state actor could be from Russia (SolarWinds), China (Microsoft Exchange Server), or another country like North Korea or Iran.
How Did the SolarWinds Attack Happen?
The access to SolarWinds Orion software allegedly gained its initial foothold through poor password policy enforcement. Once the bad actors gained access to the software update process, they introduced and distributed the backdoor and malware to all organizations who used that software (e.g., government agencies, universities, Fortune 500 companies). This is known as a supply chain attack because the attackers target hardware and software manufacturers to gain access to their real target, the customers of those vendors. Since the software updates came from a recognized vendor who certified the update, Solarwinds’ customers followed standard update procedures to install them in appropriate environments.
Just as an aside, despite the vulnerability being spread through software updates, routine patching is still the best way to protect your organization from threats. Agio does not condone skipping the patching process. The SolarWinds breach is like a ten-year flood in terms of its timing and impact—somewhat rare and very damaging—but the attacks leveraged against unpatched systems have a greater frequency and can have a greater negative impact if not properly managed.
What made the SolarWinds attack different were the incredibly sophisticated measures taken to ensure undetectability. Once the malware was introduced in an environment, it didn’t activate until at least two weeks after it was installed and then only if certain malware detection software was not installed. Customers who installed it in test environments and looked for unusual activity were unlikely to find it before installing it on other systems. It was inside the systems, but it was biding its time. This made it extremely difficult to find indicators of compromise (IoCs) simply because they weren’t active. This is the epitome of what those in cybersecurity call an advanced persistent threat (APT). APTs often are in place for hundreds of days before they are first detected.
Once activated, the malware took considerable measures to avoid detection such as installing to different file paths and file names, and recompiling to create unique fingerprints that could not be found if searching for other infected systems. If one instance of the malware was detected, a search for those identifying characteristics would likely not find other examples even if multiple systems were also infected.
To top it off, to cover their tracks the attackers went back and removed the malware from the original SolarWinds source several months after the initial breach. At this point, it was only on the systems they had infected—it was not infecting new systems through new SolarWinds updates. The attackers could still leverage the access they gained on the customer networks from their initial APT foothold.
Almost 10 months after the initial deployment of the infected updates, the cybersecurity company FireEye was the first to publicly disclose that they found the malware in their environment. FireEye was able to detect this threat due to a number of security controls in place: multifactor authentication, use of security information and event management (SIEM), well executed incident response and escalation measures.
How Did Agio Respond?
Nation-state espionage is complicated for average organizations to defend against. Your plan of action should focus on preparing for the everyday threats facing you again and again. If done well, your ability to quicky detect and recover will increase your cyber resilience and many of the APTs will not be able to gain a foothold. To do that for our clients, we continue to follow our principle of brilliance in the basics:
- Enforce strong passwords and two-factor authentication (2FA).
- Establish and maintain consistent and secure configurations according to the Center for Internet Security’s (CIS) benchmarks.
- Grant access only as needed (the principle of least privilege)—the fewer people with admin rights, the smaller the chance bad actors can infiltrate and take down your environment. Also, remove any systems and software that are no longer needed or are past their end of support. This reduces your attack surface.
- Keep systems and software up to date, and patch critical security flaws. Have a plan to escalate and patch vulnerabilities which are known to be exploited.
- Conduct security awareness training with all employees.
- Conduct incident response tabletop exercises to test your operational and administrative preparedness for likely incidents. These should include not only common incidents like phishing and ransomware but also nation-state attacks like SolarWinds.
For our clients, we monitored the SolarWinds attack based on updated OTX intelligence (basically watching for IoCs) which is incorporated into our security information and event management (SIEM). Extended Detection & Response (XDR) capabilities are critical to detecting and responding to new threats, particularly detecting IoCs, looking for and finding emerging threats, and increasing your security and maturity to protect yourself going forward. Agio works with a number of partners to share threat intelligence and make the community stronger as a whole. As new threats become known, new IoCs are often identified, and these are added to the library of events to be alerted on.
Managing third-party and vendor risk is also vital to understanding cybersecurity risk. Agio’s vendor risk management program provides the framework to poll your third-party vendors on emerging threats, reevaluate risk, and open a communication channel to quickly reach out to vendors and determine if they are impacted and how they will mitigate new risk.
How Can I Keep My Organization Safe?
Let’s not sugarcoat this. There will always be a new threat—it’s the nature of the game. For an average organization, a nation-state attack is challenging to defend against. Chances are that each nation-state won’t implement just one breach. There will always be something in the works—and those attacks become more sophisticated with each initiative.
However, a nation-state casts a wide net to catch big fish like government systems. If you’re affected by the attack, you’re likely just one of the medium-sized fish that got caught in the net (not that it’s any less messy).
The best thing you can do is keep an eye out for IoCs and expect the unexpected. As I mentioned earlier, routine patch management and other security fundamentals are still the best method to guard against everyday threats.
What I want you to take away from this event is that you need to focus on the day-to-day threats that are coming at you by the dozens. Isolate critical data and systems from non-critical data and systems. Learn and adapt but stay focused on the things that are more likely to impact your organization. Finally, make sure you have an incident response plan that is up to date (taking into account the most recent attacks impacting organizations like yours) and that you can quickly implement in order to detect and remediate threats.
If you don’t currently have a partner with cybersecurity governance, XDR, and vendor risk services, give us a call. Agio would love to help you be prepared for the next threat.