Remediation of the fallout from the massive breach of SolarWinds network management tools – which affected up to 18,000 organizations – could cost companies billions.
In the breach, the attackers were able to compromise the update process of a widely used piece of SolarWinds software. In cybersecurity circles, this is referred to as a supply chain attack – an especially devastating variety of cyber aggression. By compromising just one vendor, attackers may get access to all the vendor’s customers.
US national security costs could also be significant, since the list of breached IT organizations included those of the Pentagon, the Department of State, and the Department of Homeland Security.
Four federal agencies – the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) – issued a joint statement saying that the SolarWinds attack was “likely Russian in origin.”
SolarWinds may be a seismic event in government cybersecurity, but it’s not the first major supply chain attack we’ve seen. And it’s not the first one Russia has launched on a global basis.
In 2017, Russian actors compromised Ukrainian accounting software as part of an attack designed to target the country’s infrastructure, but the malware spread quickly to other countries. NotPetya wound up doing more than $10 billion in damage and disrupted operations for multinational corporations such as Maersk, FedEx, and Merck.
The Software Supply Chain Is Vulnerable
Any tech company is a potential target. Nation state actors have the deep resources and skill sets necessary for supply chain attacks, able to penetrate even the most security-conscious firms.
Even security vendors can be targets. In the SolarWinds case, one of the higher-profile companies breached was FireEye, one of the most well-known cybersecurity vendors. FireEye said the attackers didn’t get into customer-facing systems, and that they only got access to penetration tools used for security testing. But the fact that a company like FireEye got hit at all is worrisome.
Another example came in November 2020, when another leading cyber security company, Sophos, suffered a data breach that exposed some sensitive customer information.
This fall, security vendor Immuniweb said in a research report that 97 percent of the world’s top 400 cybersecurity companies had data leaks or other security incidents exposed on the dark web – and that 91 companies had exploitable website security vulnerabilities.
Supply chain attacks aren’t a recent development. In 2011, RSA Security admitted that its SecurID tokens were hacked. One of its customers, Lockheed Martin, was attacked as a result.
If these vendors are potentially vulnerable, every vendor is.
Attacks like the SolarWinds one, which compromise commercial software vendors, are one of three types of supply chain attacks. The other categories are attacks on open source software projects and direct interference by nation states in the products their domestic vendors make (such as China’s alleged leveraging of Huawei’s global install base).
The Open Source Supply Chain Threat
According to Sonatype’s 2020 State of the Software Supply Chain report, supply chain attacks targeting open source software projects are a major issue for enterprises, since 90 percent of all applications contain open source code – and 11 percent of those have known vulnerabilities.
For example, in the 2017 Equifax breach, which the company said cost it nearly $2 billion, attackers took advantage of an unpatched Apache Struts vulnerability.
And 21 percent of companies said they had experienced an open source-related breach in the previous 12 months.
But attackers don’t have to wait around for a vulnerability to surface in open source software. Over the last few years, they’ve begun creating their own vulnerabilities, deliberately compromising the open source development and distribution process. It’s been effective.
According to the Sonatype survey, these kinds of next-generation attacks increased 430 percent over the previous year.
The Foreign Sourcing Threat
Why bother to hack into a software company when you can just order it to install malware in its products?
That’s not so much of an option for Russia, not a major technology exporter. For China, it is.
“Compromised electronics in US military, government and critical civilian platforms give China potential backdoors to compromise these systems,” said US Senators Mike Crapo (R-Idaho) and Mark Warner (D-Virginia) in a statement announcing the bipartisan 2019 MICROCHIPS act.
“Almost all nation states, industries, and enterprises are overexposed to, for example, China and other low-cost supply sub-chains,” said Steve Wilson, VP and principal analyst at Constellation Research.
The interconnectedness of software is impossible to unravel, he told DCK. “You should be wary of third-party providers.”
How to Guard Against Supply Chain Attacks
So, what can data center security managers do?
“The harsh reality is that the state of our software supply chain is mediocre at best, partially due to the overwhelming complexity of the software supply chain itself,” said Liz Miller, VP and principal analyst at Constellation.
But there are some steps that companies can take, she told DCK.
To start with, they can ask their technology vendors for a “bill of materials” that lists all the code components that they use, she said. This can help identify potential vulnerabilities related to open source component vulnerabilities.
“Organizations with high aversion to risk can consider the additional step of conducting a code audit prior to implementation,” she said. One tool that helps companies do that is Synopsis’ BlackDuck, she said.
One lesson data centers should not take away from the SolarWinds breach is that installing supplier patches is a bad idea.
The attack did compromise the automated software update system, but it’s a lot more dangerous to leave known vulnerabilities in your systems, said Tsvi Korren, field CTO at Aqua Security. “It requires some painstaking work to compromise the internal systems of a company,” he said.
By comparison, exploiting a known vulnerability is quick, easy, and appealing to attackers of all ability levels. “Leaving vulnerabilities out there is something we want to avoid,” Korren told DCK.
Security managers can ask their vendors for some assurances, however. “It’s reasonable to demand to know what their internal chain of custody is,” he said. “How do they ensure the integrity of their process all the way from writing a line of code to the packaging and distribution?”
New Software Development Process Standards Mulled
Unfortunately, there’s no industry standard that specifically covers security of vendors’ software development process, he said. “But I could see a set of standards emerging that come out of this incident, and that would be a good thing.”
An organization working on this task is the Consortium for Information and Software Quality, a special interest group under the technology standards body Object Management Group.
“One of the standards we’re working on is a software bill of materials,” said executive director Bill Curtis. “It will tell you if there are known vulnerabilities.” It’s expected to be released in the spring, he said.
Curtis suggested that software buyers ask their vendors to audit their software for vulnerabilities. “Most vendors won’t like that idea and will fight it,” he said.
A lot of the work is being driven by the federal government, he said.
“The Department of Defense has gotten royally fed up with secrets being stolen for our weapons,” he said. “They realized that the problem is in the supply chain. One of the contractors that’s weak gets penetrated, and they’ll work their way up the supply chain.”
The defense sector is already asking for more from their software suppliers, said Joe McMann, CSO and cyber strategy lead at Capgemini North America.
The defense sector is mandating the Cyber Maturity Model Certification, he said.
Shimon Oren, VP of research at Deep Instinct, said data centers can also ask their vendors if they have SOC-2 certification, where outside auditors check if a vendor has adequate security in place. And there is also an ISO standard specifically focused on software development.
“Software vendors that have those two are more likely to be better protected in general,” he told DCK, though it’s no guarantee. “It doesn’t make them immune.”
SolarWinds Cleaning House
It may be too late to save the business, but SolarWinds is now going to implement some of the security practices that experts are recommending customers start asking for.
In a statement, incoming CEO Sudhakar Ramakrishna promised that the company is beefing up its security controls, with a particular focus on software development environments, resetting all user credentials and enforcing multi-factor authentication.
SolarWinds will also add more automated and manual checks to make sure that compiled releases match the source code, expand its vulnerability management program, and perform penetration testing on its software using third-party tools to analyze source code for vulnerabilities.
These are all steps that every software vendor should take, before they become the next SolarWinds.