Orion Breach
Earlier this week, CISA issued an emergency directive advising that SolarWinds Orion products had been compromised, potentially impacting thousands of organizations. Attackers modified software installation files, adding backdoor capabilities (now known as "Sunburst") and leveraging SolarWinds' own update infrastructure to propagate the malware to customers. Infected updates began appearing on the SolarWinds website as early as March.
At this time, the initial attack vector into the SolarWinds environment is either not known or has not been publicly disclosed. Most likely the usual culprits are to blame: phishing, weak credentials, poor patch management, and other lax security practices. More importantly, the infected software was digitally signed with legitimate SolarWinds certificates, indicating a broad compromise across the SolarWinds network and PKI infrastructure.
Lessons Learned
Preventing an advanced supply chain attack such as this one is difficult, but good cyber hygiene together with these specific measures can help thwart catastrophe.
Control Admin Access
IT management tools are often granted unfettered access to systems. For example, some customer installations of SolarWinds Orion products used the Domain Admins group for service accounts, turning an already bad compromise into a far worse one. Vendors need to start designing and supporting products that work without such elevated privilege, and the rest of us need to ditch the ones that don't.
Invest In Advanced Detection
Better detection systems are needed, along with talented cybersecurity professionals to implement and manage them, and make sense of their output. Tools should operate independently of the computers they are designed to monitor (so that they can't be compromised along with them) and organizations need to invest in systems which can effectively analyze user behavior and network traffic to detect anomalous activity.
Limit The Internet
Outbound internet traffic from machines that don't need it should always be blocked, especially on servers. This is an effective way to disrupt command and control, make detection easier, and limit data loss.
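Default-deny egress also produces a useful signal: every blocked outbound attempt from a server is a log line worth reading. As an added example that is not part of the original post, the Python below parses egress-deny log lines in the iptables/nftables LOG style and reports which servers keep trying to reach non-internal addresses. The `EGRESS-DROP` log prefix, the RFC1918 internal ranges and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the iptables/nftables LOG prefix style; not real data.
SAMPLE_LOG = """\
Dec 15 03:12:07 srv-orion kernel: EGRESS-DROP IN= OUT=eth0 SRC=10.0.5.20 DST=203.0.113.45 PROTO=TCP SPT=49211 DPT=443
Dec 15 03:12:09 srv-orion kernel: EGRESS-DROP IN= OUT=eth0 SRC=10.0.5.20 DST=203.0.113.45 PROTO=TCP SPT=49212 DPT=443
Dec 15 03:14:31 srv-orion kernel: EGRESS-DROP IN= OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=TCP SPT=49230 DPT=8080
Dec 15 03:20:02 srv-db01 kernel: EGRESS-DROP IN= OUT=eth0 SRC=10.0.5.31 DST=10.0.9.4 PROTO=UDP SPT=41002 DPT=514
Dec 15 03:25:44 srv-db01 kernel: EGRESS-DROP IN= OUT=eth0 SRC=10.0.5.31 DST=192.0.2.88 PROTO=TCP SPT=41010 DPT=443
"""

# Assumed internal address space (RFC1918); adjust to the organization's own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fields logged by the kernel firewall; LEN=, TTL= etc. may sit between them, hence the lazy gaps.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_egress_denies(log_text):
    """Return (src, dst, proto, dport) tuples for lines logged by the egress-deny rule."""
    events = []
    for line in log_text.splitlines():
        if "EGRESS-DROP" not in line:
            continue  # assumed log prefix of the default-deny outbound rule
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def summarize_external(events):
    """Per source host: blocked attempts to non-internal addresses, with destinations and ports."""
    summary = defaultdict(lambda: {"attempts": 0, "destinations": set(), "ports": set()})
    for src, dst, _proto, dport in events:
        if is_internal(dst):
            continue  # internal destinations (syslog, DNS) belong to separate allow rules
        entry = summary[src]
        entry["attempts"] += 1
        entry["destinations"].add(dst)
        entry["ports"].add(dport)
    return dict(summary)


def flag_hosts(summary, min_attempts=2):
    """Servers that repeatedly tried to reach the internet despite the default-deny policy."""
    return sorted(src for src, e in summary.items() if e["attempts"] >= min_attempts)
```

Feed it the output of the egress rule's log target (for example via journalctl) and review flagged servers first; a server with no legitimate internet need that keeps knocking on port 443 deserves a closer look.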
Prepare For The Worst
Recovery is tough. When a SolarWinds-type scenario occurs, forensic investigations need to be conducted and entire networks may need to be rebuilt. To prepare for widespread compromise, organizations should conduct frequent tabletop exercises and cyber drills. These should cover multiple types of scenarios, including supply chain attacks, and involve response teams along with key stakeholders and executive leadership.
It is almost inconceivable that this attack evaded detection for so many months, including at government agencies and the formidable cybersecurity companies that were compromised. The amount of data that may have been stolen is enormous, and the recovery efforts will be gargantuan for an organization of any size.