As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely-used software offered by a company called
The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the
The attack had been ongoing and undetected since perhaps
It is important to note, however, that even though a business may have the malicious code integrated into their network, they may not yet have suffered an actual breach or intrusion. “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to invoke their ability to invade every impacted network in all potentially impacted cases.
While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a
There are two sobering consequences from this recognition. First, if an organization determines that it installed the corrupted version of Orion, an organization’s investigation may need to be very broad in nature. Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue that was undiscovered at the time of detection. Accordingly, it may be necessary to revisit prior incidents thought long resolved.
A Response Checklist
How should businesses respond to this development, and how should legal departments direct or support this response? This blog post spells out some of the specific steps that all potentially impacted organizations should consider. Note, these steps are not necessarily appropriate in all cases and for all organizations, and each entity should design its response as appropriate for its particular situation. However, the following thoughts are good starting point considerations for an organization as it plans and executes its incident response effort.
- It is essential that businesses respond to this threat in an internally coordinated and thoughtful manner. To the extent a business has established processes and procedures for such circumstances, such as an incident response plan, they should be reviewed and possibly invoked. Such plans typically draw together all of the necessary expertise and authority within and external to the organization to evaluate and respond to the situation as it is currently understood and as new facts are learned, and provide for input as appropriate from governmental resources and external experts. All activity responding to this incident should be coordinated across the various functions of the business (including IT, “business owners” of impacted systems (keeping in mind that if the attack is determined to span multiple systems, there may be different business owners), information security, legal, investor relations, compliance, public relations), all in accordance with the business’ response plan. Given the sophistication of this attack, it is likely that an organization that has the compromised software will need to retain experts to assist them in the investigation. Care must be taken to ensure that these experts are properly retained, and, any investigations are properly scoped.
- CISA issued an emergency directive for Federal agencies to follow. The directive spells out a number of exemplary technical steps to take to mitigate the risk of this incident and provides some specific indicators to look for to determine if data was accessed through the Orion-installed malware. This directive is one possible starting point for the response process, and businesses should evaluate which of the steps set forth therein are practical and applicable for them. Should it ever become necessary to defend the organization’s response, reliance on materials such as these could be used by an organization defensively as proof of the reasonableness of its efforts.
- For example, CISA advises federal agencies to evaluate which of their telecommunications systems use the Orion products at issue, and consider disconnecting from such system or blocking any connecting systems which use the Orion products as an immediate remediation step until longer term actions can be planned. While this is also an action that businesses should consider, alternatively, there may be less disruptive options available, such as restoring older versions of Orion, or installing newer, clean versions as they become available. There may be other ways to reasonably address the risk, and based on the input from qualified experts, an organization should consider which avenue of risk mitigation is right for its specific circumstances. Organizations should also consider whether compensating controls, such as enhanced network monitoring, are prudent to mitigate risk while a more permanent repair is designed and implemented.
- In certain circumstances, an organization may need to evaluate whether it would be appropriate to invoke its business’ disaster recovery plan or use disaster recovery or business continuity systems. Or do those systems also use Orion?
- In cases where businesses either outsource the management of their telecommunications system to third party, use systems hosted by third parties or SaaS-based services, the business should evaluate whether it is necessary to reach out to their service providers to determine whether such third party uses Orion and evaluate whether it would have been possible for motivated actors to pivot from such third party systems into the business’ systems. Of course, in these circumstances, the contract between those parties should be reviewed by legal. Legal should also be involved in determining the particular details of those communications, including whether these communications should proceed business-to-business or counsel-to-counsel.
Beyond such communications, legal may need to review their agreements with their technology providers that may be, in part, responsible for any Orion infection, and consider what contractual remedies may be available to them. As a more general issue, businesses should implement more rigorous policies and procedures for the implementation of third-party software. These should be part of internal procedures and should be requirements for any third party technology providers. For more details on that, please see a companion post about
- To the extent a business has been impacted by this incident, it should (as may be required by law or contract), to the greatest extent possible, identify any specific data that has been accessed or acquired. Businesses should consider what notices are required to be issued pursuant to applicable law or contract and when those notices must issue.
- Even to the extent not required by law or contract, businesses should consider how they will communicate to their community (including customers, business partners and employees) on this issue. Businesses should put together a response plan for such inquires based on input from amongst others, governmental resources, internal and external technical experts, public and investor relations experts and counsel. Businesses must keep in mind that the implications of this incident may include claims and assertions against the business by members of the community, notwithstanding the fact that the business itself is a victim of this incident, and thus all internal and external communications must be crafted with that in mind.
- To the extent this incident or a business’ response will interfere with business operations, the business should consider whether this may constitute a force majeure event under relevant contracts.
- Impacted businesses should consider notifying insurance carriers of the potential claims arising from this event.
Final Thoughts
The forensic investigation into the
As part of the evaluation of the impact of this incident on any organization, it is important to remember to conduct the incident response and risk assessments under privilege whenever possible to minimize the generation of potentially harmful discoverable materials. Please see our discussion of that and related issues in a detailed post on the firm’s Privacy Blog.
To learn more information about the
How To Respond To The SolarWinds “Orion” Supply Chain Attack
Originally Published by Proskauer,
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mr
Eleven
(
10036-8299
Tel: 2129693000
Fax: 2129692900
E-mail: [email protected]
URL: www.proskauer.com
© Mondaq Ltd, 2020 – Tel. +44 (0)20 8544 8300 – http://www.mondaq.com, source