You’ve probably heard about the recent massive network security breach that affected many governmental organizations (e.g. Unclassified Pentagon Network, Department of Homeland Security, State Department, Department of Energy, National Nuclear Security Administration, Treasury Department), as well as many of the Fortune 500 companies (e.g. Microsoft, Cisco, Intel, and Deloitte).
Evidence points to this being an intentional act of the Russian government. The goal, it seemed, was information gathering (espionage) rather than financial gain or data destruction. Still, the breach has been described as one of the most serious ever.
There are many interesting facets to this breach. First, it took a long time to detect. The breaches started in March, yet were not detected until December. While that may sound like a surprising amount of time, and it may be considering the number of high security organizations breached, it is not unusual to take a long time for a business to realize it has been electronically breached. In fact, according to a study by IBM, the average time to discover a breach is 197 days (and then another 69 days to contain the breach). The fact that it was present for so long, also means that the adversary (breach author) had ample time to inject secondary or tertiary code implants. So even after the primary breach is contained, the adversary may still have access to the network, making it even more complex and costly to make their networks secure again.
The breath of the breach was also almost unprecedented. Most breaches happen either because an organization does not patch known security vulnerabilities (Equifax), are using insufficient or sloppy security practices (Adult Friend Finder) or succumbs to a phishing or social engineering attack (Clinton Presidential Campaign). But this breach used a creative and forbidding approach. Initially, they breached the network of a company called SolarWinds. The origin of that initial breach is still under investigation. However, once inside, the adversary inserted a module to create a backdoor into the regular software updates to SolarWinds’ product called Orion. Although SolarWinds may not be a household name, it is a large and well-respected company in the information technology space. The Orion product is a highly popular and powerful software system used to configure and monitor network equipment and other information technology infrastructure. Orion is primarily used by medium to large organizations. As a configuration tool, it typically uses very highly privileged accounts. By inserting their backdoor into the software update, they were then able to potentially breach up to 18,000 of SolarWinds’ customers as they installed the updates – which, ironically, most security conscious companies do expeditiously to address newly discovered vulnerabilities. Because the breach allowed them to use highly privilege accounts, their resulting access was wide and deep on these networks. (Note: SpotLink does not use SolarWinds Orion, so none of SpotLink’s clients are thought to be affected.)
The complexity of the breach was also noteworthy. Among other obfuscation techniques, the adversary used US based cloud provider target servers, with rotating IPs, to make the outgoing traffic look legitimate and hard to identify. While most criminal organizations, who typically are in it for financial gain, do not generally have the resources or capabilities to employ such breach techniques, that is not the case for state actor adversaries such as Russia, China, North Korea and Iran. The extent of skilled resources these players can put into an attack make it a formidable challenge to defend against a concerted effort by such state players.
Because of the nature of the software that was employed to deliver this breach, most of the affected businesses were medium to large organizations. But there are still some lessons here for small businesses:
– Most small businesses won’t be the focused target of a state actor. But if they are, there is a good chance they will be breached regardless of that business’ security posture. So, small business should make a breach part of its contingency plans, especially if the business profile might make it a target of such a focused attempt.
– It should go without saying, but all businesses should have good backups that have a backup chain beyond just the most recent backup. This includes system level backups (can restore entire servers) as well as data backups. Backups should extend to local, cloud and SaaS systems. Backups should also have a layer of separation from the network, so that a destructive system, such as ransomware, will not be able to destroy the backups as well. Having a chain of backups going back a year or so can also help to find when the breach first happened.
– If a business is of any substantial size or security profile, it should have a SIEM (Security Information and Event Management) system in place. This will make both finding an existing breach as well as tracing its origins much easier. Without that, both may be difficult or impossible, especially if lacking historical backups.
– If a small business uses an outside IT service provider, they should check if the provider uses SolarWinds Orion on their systems. If the provider does, find out what they are doing to detect a network breach, and then secure the network if it has happened.
– Just like after the discovery of any major security vulnerability, update any affected software with security patches. SolarWinds almost immediately released an update that removed this breach software, just as most software publishers would do in a similar situation. Also, Microsoft has already released code that will detect and disable any such infected software, so apply Microsoft security updates too.
– Use supplemental security systems such as Multifactor Authentication (MFA) where its available. Doing so can greatly complicate an attempted attack. If an attacker sees that, they will likely just move on to an easier target (unless they are specifically targeting a business).
– A business should adopt a cybersecurity plan and consistently implement it, especially on their internet facing security. A potential attacker will almost always first scan a business internet facing systems. If they look unmaintained and ununiform, they will assume that is the case internally as well and appear to be a tempting target. On the other hand, if the outside looks solid, they will also assume the internal system will likely be the same and move on to an easier target.
Security is a matter of degree. More attention to cybersecurity makes a business less likely to be the target of an attack but can also increase overhead and cost. Each business needs to find the best balance for them. No amount of cybersecurity makes a business 100% safe; but every incremental effort reduces the risk.
Robert Hood
CEO & Founder
SpotLink