Hundreds of articles over the last couple of months have dissected the ins and outs of the massive SolarWinds hack that hit US government agencies and private corporations around the world. There is no point rehashing all of the details, but there are some very valuable lessons to be learned from the incident.
10,000 foot view
At its core, this was a supply-chain backdoor attack: the attackers inserted malicious code into the build of SolarWinds' Orion software, a proprietary network monitoring tool, so that legitimately signed Orion updates carried the backdoor to as many as 18,000 of SolarWinds' customers. The hackers played the long game. The code was crafted to blend in with Orion's normal activity and stay undetected for many months, lying quiet after installation before calling out to the attackers' infrastructure. Once it had established itself, the backdoor gave the hackers a way into the victim's network and, from there, access to potentially sensitive corporate and personal data. Not every recipient of the update was exploited further: the attackers selected a far smaller number of victims for hands-on intrusion.
In an NPR interview, former National Security Agency (NSA) general counsel, Glenn Gerstell said, “It’s as if you wake up one morning and suddenly realize that a burglar has been going in and out of your house for the last six months.”
And it wasn’t just a fluke that these attacks were successful. Experts at cybersecurity firm FireEye had an opportunity to study the malware, and came to the conclusion that the breaches were methodically orchestrated and very targeted. “These compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.”
The malware was engineered to be stealthy, operating in ways that would masquerade as normal activity, FireEye said. It added that the malicious software could also identify forensic and anti-virus tools that might threaten it. And it said the credentials it used to move within the system were “always different from those used for remote access.”
– NPR, What We Know About Russia’s Alleged Hack Of The U.S. Government And Tech Companies, by Bill Chappell, Greg Myre, Laurel Wamsley
Stealthy invaders
One of the biggest problems with long-term hacks such as this one is that until the backdoor is discovered, it is business-as-usual inside the network: the malicious traffic looks like ordinary monitoring activity. This left federal agencies and large corporations such as Cisco, Intel and Deloitte exposed to data exfiltration over an extended period of time.
The attack was also widespread. In the U.S., it impacted the Commerce Department, the Department of Homeland Security, the Treasury Department, the U.S. Postal Service, the National Institutes of Health and the Pentagon.
But the breadth of this Orion hack goes well beyond the U.S. border. Other victims include government agencies, consulting firms, tech companies and telecom operators from countries across Europe, Asia and the Middle East.
Costly impact
Some estimates have pegged the clean-up bill for this hack at as much as $100 billion. While it is always difficult to calculate the true monetary damage of a breach of this kind, it has without doubt tarnished the trust we so often take for granted in the software we install and the update channels that deliver it.
It is easy to say that things would have been different if only…, but we simply do not know whether a different approach would have produced a better outcome in this particular case. There is an old adage that security is only as strong as its weakest link. It is a simplistic view of security, but it still teaches an important lesson: here the weak link was a trusted vendor's update, and the damage depended on how far an attacker could travel from the compromised server once inside.
While we will never completely stop hackers from trying to steal valuable data, we can certainly do more to blunt their attacks. In one of his articles covering the SolarWinds hack, Dark Reading journalist Jai Vijayan advocated the use of 'air gaps' and segmentation between network resources to help contain damage within a single part of the network. In a similar vein, FedScoop's Dave Nyczepir wrote about the need for government agencies to protect their data by adopting zero-trust technologies that effectively compartmentalize network connections.
Zero trust approach
Zero trust shows particular promise for organizations catering to a large, distributed workforce. It is an access model rather than a single product: every request is authenticated and authorized on its own merits, based on the identity of the user and the device making it, regardless of where on the network the request originates. Implementations such as Software Defined Perimeter (SDP) apply this model to remote access, and their primary purpose is to prevent lateral movement through a network. They do this by brokering a temporary, one-to-one connection to the specific resource the user has been authorized for, and nothing more.
The added benefit of the zero trust approach is that these tools can be extremely granular in their policies and permissions. A stolen password alone is worth much less when each connection also requires an enrolled, healthy device and is scoped to a single resource for a short time; with a legacy VPN, by contrast, the same credential typically places the attacker on a network segment with reach to many hosts.
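To make the mechanism described above concrete, here is an added example (not code from the original article or from any vendor's product) of a minimal per-request authorizer in the zero-trust style. The policy tables, user and device names, posture flags and the 300-second grant lifetime are all constructed for illustration. The point it demonstrates is that a grant is issued for one user, one device and one resource, so a credential replayed from an unenrolled machine is refused and a grant for one resource cannot be reused to reach another.

```python
"""Illustrative zero-trust authorizer: per-request, identity-based, resource-scoped.

Added example only; the policy data below is constructed, not taken from any real deployment.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import time

# Constructed policy: which groups may reach which resource, and whether MFA is required.
RESOURCE_POLICY = {
    "hr-db": {"groups": {"hr"}, "require_mfa": True},
    "build-server": {"groups": {"eng"}, "require_mfa": True},
    "wiki": {"groups": {"hr", "eng"}, "require_mfa": False},
}
USER_GROUPS = {"alice": {"hr"}, "bob": {"eng"}}
# Device inventory: a credential is only honoured from a device enrolled to that user.
ENROLLED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}
GRANT_TTL_SECONDS = 300  # grants are short-lived; there is no standing network access


@dataclass(frozen=True)
class AccessRequest:
    user: str               # identity asserted by the identity provider after login
    device_id: str          # identity of the device presenting the request
    device_compliant: bool  # posture signal (patched, disk encrypted, agent running ...)
    mfa_verified: bool
    resource: str           # the single resource being asked for


@dataclass(frozen=True)
class Grant:
    user: str
    device_id: str
    resource: str
    expires_at: float


def authorize(req: AccessRequest, now: Optional[float] = None) -> Tuple[Optional[Grant], str]:
    """Evaluate one request from scratch. Nothing is inherited from being 'on the network'.

    Returns (grant, reason); grant is None when the request is denied.
    """
    now = time.time() if now is None else now
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return None, "unknown resource"
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        # A valid password replayed from an attacker-controlled box fails here.
        return None, "device not enrolled to this user"
    if not req.device_compliant:
        return None, "device posture failed"
    if policy["require_mfa"] and not req.mfa_verified:
        return None, "mfa required"
    if not (USER_GROUPS.get(req.user, set()) & policy["groups"]):
        return None, "user not entitled to resource"
    return Grant(req.user, req.device_id, req.resource, now + GRANT_TTL_SECONDS), "ok"


def grant_permits(grant: Grant, device_id: str, resource: str, now: Optional[float] = None) -> bool:
    """A grant is a 1:1 tunnel: valid only for the device and resource it was issued for, until it expires."""
    now = time.time() if now is None else now
    return (grant.device_id == device_id
            and grant.resource == resource
            and now < grant.expires_at)


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    grant, reason = authorize(AccessRequest("alice", "laptop-a1", True, True, "hr-db"), now=t0)
    print("alice from enrolled laptop ->", reason, grant)
    # The same valid credentials replayed from an unenrolled machine are refused.
    print("alice from attacker VM   ->", authorize(AccessRequest("alice", "attacker-vm", True, True, "hr-db"), now=t0)[1])
    # The hr-db grant cannot be reused to pivot to the build server.
    print("reuse grant for build-server ->", grant_permits(grant, "laptop-a1", "build-server", now=t0))
```

The design choice worth noting is that `authorize` takes no notion of source IP or network segment at all; every denial comes from identity, device or entitlement checks, which is what makes the decision independent of where the request was made from.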
One thing is clear: organizations of every size need more effective tools that stop, or at least slow down, bad actors. We cannot afford to cut employees off from the data and services they need for their jobs, but we also cannot expect our data to be safe if we leave the doors open. The adoption of more intelligent remote access technologies based on zero trust, or the bigger-picture Secure Access Service Edge (SASE) framework of integrated tools, offers our best chance.