For some perspective on the massive hack I spoke with David Byler, a Bryley trusted security advisor. David is president of Omega Security Partners. Omega evaluates a business’ security program through penetration testing and through the use of frameworks like the Center for Internet Security’s CIS Controls or the NIST CSF1. Omega can help develop an organization’s ability to manage its cybersecurity risk.
People are afraid of breaking things. They don’t want to be the one who goes and implements a firewall rule to lock down their server and now, accidentally, something else broke. So they end up leaving it like it is. They’ve got other, pressing things to do. —David Byler
Q: Can you put the significance of the SolarWinds breach in layman’s terms?
DB: The difference is that this breach is an example of a supply-chain attack, where a breach of a single organization doesn’t just impact that organization, it spreads across to other organizations. So what’s notable or scary or different about this versus say the Equifax breach or the Home Depot breach is that in those the target was the customer or cardholder data for that specific company. But in the SolarWinds case, the target was SolarWinds’ customers’ networks.
Also Equifax and Home Depot are not known as tech companies. SolarWinds is a tech company supplying tech to help tech companies manage their tech. So for them to get breached feels like this extra big thing and the fact they sell to lots of big companies and the government makes the impact feel a lot bigger.
The attackers, as far as we can tell, didn’t really care about SolarWinds’ company data or customer lists. They were trying to get their malware injected into a trusted supply-chain that would eventually get a download and install at the real targets, for a foothold into those targets.
Q: Reports made it sound like the methods behind this exploit were almost unheard of. Was this really new?
DB: From what I’ve read the malware’s behavior isn’t particularly novel. There were a variety of command and control implant that allowed the attackers to remotely gain access to companies’ internal networks.
The news broke first because FireEye was breached. FireEye is a security consulting company relied on by huge industry and government. They’re very well-respected. So when they were doing their incident response and trying to figure out how it happened, they found out it was through a SolarWinds breach that had not been discovered at that point.
I think the novelty of it is more to do with the fact that the group behind it, according to FireEye’s reporting, was extremely well-organized and extremely stealthy. There was a reference in FireEye’s report that there were some novel techniques. I don’t have any details on those, only that the actors were very good at waiting and playing the long game. They didn’t just come in and do the typical smash-and-grab. This is a long-term effort of probably several years.
Q: There are several network management software suites like SolarWinds on the market. [Bryley uses and installs Kaseya VSA which is not affected by this breach.] What do think will be the impact of this hack on the industry?
DB: This breach shows it’s entirely possible for any company to be hacked. At this point there’s no evidence that similar tools have suffered similar attacks, but what typically happens after a breach like this, is a lot of additional research gets focused on whatever type of tool made the news. I suspect there will be lots of fresh research on network management tools, and the end result, if any other malicious or unintentional vulnerabilities are found, is that the companies will have a chance to fix them, and we’ll all end up more secure in the end. In terms of response to the hack, SolarWinds did everything you could hope for. They responded quickly and publicly, patched it, and gave guidance for securing Solarwinds.
Because of the function they perform network management software is in a prime position to be a target for this kind of attack. So certainly these companies themselves should be double-, triple-checking their security: reviewing their code, reviewing their supply-chain, as well.
Q: Can this kind of network monitoring/management software be installed in a way that limits the damage that can be done through an exploit?
DB: Yes. Almost certainly. It may make your deployment more complex. The easiest, most default way is often the way that’s followed. But SolarWinds’ Orion servers, or domain controllers or SQL servers, et cetera often have no reason to be able to connect to the internet directly, or should have firewall rules that limit how they communicate on the internet.
For example if you put SolarWinds in a private VLAN with only local network access, this particular vulnerability is very unlikely to have been able to be exploited because the malware needed to connect over the internet to the command and control server to retrieve its list of things to do.
So even if you had the vulnerable version of SolarWinds installed on your network right now, if that server had no internet access, you’re pretty safe from this attack.
These kinds of practices fall in line with the concept of least privilege, which you can apply to a lot of different things. For a user account, you give them rights only to the folders they need on the file server, only the servers they need to do their job.
The same principle should be applied whenever installing software on your network. You figure out the actual required data flows, and restrict its access to just that.
The problem is that it takes more effort to implement these, because you have to figure out what those restrictions need to be. You have to pore through the documentation and see what the requirements are. You have to architect a network a bit differently and in some cases, that can add cost. Somebody’s got to do the work and build out and define.
And the biggest issue is on existing environments: people are afraid of breaking things. They don’t want to be the one who goes and implements a firewall rule to lock down their SolarWinds server and now, accidentally, something else broke. So they end up leaving it like it is. They’ve got other, pressing things to do.
Q: So, what’s the big take-away from this breach?
DB: This is making huge headlines, and it’s making people pay attention, which is good. Don’t panic about this. This is something to be aware of and alert to, but there’s no reason to get rid of SolarWinds or other network management tools. Evaluate your exposure, search for indicators of compromise, and let this be a kick in the pants, if you need it, to start taking a closer look at your own networks, and vendors et cetera, and build up appropriate security capabilities.
These include things like risk-management of the supply chain and incident response. That’s the ability to recognize when an incident (like this news about SolarWinds) has happened. You need the ability to respond. What do you do to contain it? What do you do to recover?
1 National Institute of Standards and Technology’s Cybersecurity Framework
Lawrence writes about networking and security. He’s written for Bryley since 2015.