Previous    All Posts    Next

SolarWinds Breach: Did We Learn Our Lesson Yet?

Posted: December 28, 2020 to News.

Tags: Data Breach, Malware, Penetration Testing

With time going by and no real response from the White House regarding the SolarWinds breach, it can be pretty easy to forget about it and move on to the next media cycle.  Because that's what we tend to do here in the US. However, doing that is just NOT a good idea in this situation. This attack was one of the most sophisticated attacks in the nation's history and truly spotlit our cyber flaws.  Going on two weeks since the attack, here is what we know, and here are the steps we need to take...

Scope

While we still don't know the exact number of government agencies and businesses that have been breached, we know it has touched such departments from Homeland Security to the CDC and is the largest (known) breach since 2014 when the Office of Personnel Management was hacked.

Attack

It's also important to note that this attack wasn't a "cyberattack," per se.  It was a Russian-state espionage mission which means they weren't trying to HURT our networks and systems, exactly; rather, their goal was exfiltration of data.  The distinction is an important one because the ramifications of an attack versus espionage are fairly significant.  The expectation is that spying on other nations is something that is known and accepted while attacks will often call for a show of force. However, it does cast doubt on the US's cyber security strategies which have evolved from "deterrence" to "defend forward."  Using deterrence is where the US attempted to stop the enemy before they started through the use of threats.  Threats, to work, need to have teeth... All bark and no bite is not only a terrible way to play, but it's also a terrible way to measure effectiveness because, how do you know if your tactic worked when there's nothing to see here, folks?  If your adversary thinks that there will be no consequences (or moderate consequences) for their actions, what's stopping them?  On the flip side, destroying a city or dropping bombs on civilians is a pretty extreme response to a data breach, so where is the happy medium?
Because cyber spying is so common, punishments are difficult to dole out. At this point, it's still unknown just how far-reaching the effects will be, but what's clear is that our strategy didn't work... Which is why they seem to be shifting from "deterrence" to "defend forward (DF)." DF is meant to help plug the holes left behind from deterrence methods and was unveiled in 2018... As many of you might realize, it's 2020, so clearly something went wrong.  DF is meant to "...halt malicious cyber activity at its source..." but it hasn't seemed to become a fully realized ideal and the US clearly needs to beef up its cyber security practices.

Sophistication

This breach's most notable feature is just how insanely sophisticated and meticulously planned it was.  While it followed a rather common path in that it snuck into the networks and expanded whenever and wherever possible, it was remarkable in the fact that it was able to exploit a vulnerability in SolarWinds software process that was then spread far and wide... But with almost no detection and lots of cover-up. And while the course of the attack looked similar to other attacks, the beginning is where you really see just how advanced the bad guys are.  It started with software vulnerability and they embedded that vulnerability as code, which gave them access to some really sensitive data, like the tools used by FireEye for Red Team testing - this is HUGE and extremely dangerous because it helps the enemies of our state understand more fully the actions that we are taking in our defense and offense.

What's Next?

While we can't very well force the US government to do what needs to be done, what's clear is that layered protection is a necessity.  It's also vitally important that we start to really take cyber hygiene seriously.  Just think about when you were a preteen and started to get blemishes on your face... the same routine you were using clearly isn't working anymore and it's time to figure out what works so you don't suffer from needless scarring in the future. For example,  in order to minimize the impact of a future breach, the US should improve its cyber security by adding much-needed layers while also conducting counterintelligence and counter cyber operations, thus expanding its "defend forward" strategy, in addition to attempting to deter attacks in general. It doesn't make sense to rely on deterrence-only as a tactic and it clearly doesn't work. While, again, neither you nor I can effect direct change on the government, we can control ourselves and fortify our own vulnerabilities.  A great starting point is to review our Remote Security Checklist, which gives a number of ways to start layering your cyber security for greater protection against bad actors.  We also strongly urge you to contact a cyber security specialist.  Most firms, like ours, will conduct a free consultation where you can ask questions and gain insight into your cyber security needs.  Feel free to call us at 919-422-2607, or visit our online scheduler.
Please stay safe out there, and remember that hackers TRULY have no shame.
Previous    All Posts    Next