A newly-discovered cyber-attack has reached headlines as it wreaks havoc across US federal agencies and large global organisations. What is the SolarWinds hack, what are its implications, and how can you reduce the risk to your organisation?
Most of the thousands of cyber-attacks that are launched each year fly well under the mainstream news radar. So when a cyber-attack reaches international headlines, all organisations should sit up and pay attention. Earlier this year, hackers thought to be sponsored by the Russian state compromised software developed and managed by SolarWinds, an IT monitoring and management software provider. It went big: according to reports from Reuters, The Guardian and The Wall Street Journal, the hackers were able to deliver malware payloads that have to date affected the US Homeland Security, State, Commerce and Treasury Departments – and possibly more.
If you’re currently thinking “that’s fine – I doubt Russian state-sponsored hackers will target my organisation” then that’s a totally understandable response. However, we’d caution against it. The SolarWinds hack has implications that all organisations – including yours, including ours – should account for. Fortunately, there are also steps we can all take to reduce the risks our organisations face of suffering a similar fate. We’ll get to them a little later. But first, what actually is the SolarWinds hack?
The SolarWinds Hack Explained: What Actually Happened?
SolarWinds provides IT monitoring and management software that gives organisations visibility of what’s happening on their networks. If you want to know why a particular circuit is running slowly, or if you want to understand the journey of a specific data packet, SolarWinds software can do that. In order to, however, SolarWinds needs what one of our cyber security experts described recently as ‘god-like’ access to your network.
The SolarWinds Orion Platform delivers centralised monitoring and management across organisations’ network, IT operations and security products. In order to function, it needs that ‘god-like’ access our expert described. Orion is a popular product – it’s used by several US federal agencies, along with a number of large companies including Microsoft and Cisco. What if you could hack the SolarWinds Orion Platform and leverage its access to launch cyber-attacks against these organisations?
Well, that’s exactly what happened. Hackers managed to access a system that SolarWinds uses to put together updates to its Orion Platform, enabling them to insert malicious code into otherwise legitimate software updates. Around 18,000 SolarWinds customers installed the tainted updates onto their systems, enabling hackers to gain access to confidential information and exfiltrate it away from the targeted organisations.
We’re still trying to understand the implications of the SolarWinds hack. At the time of writing investigators are still trying to determine what information the hackers may have stolen, and what they could do with it. But in the meantime, what are the lessons we can learn that we can apply to our own organisations in order to reduce risk and maintain operational integrity?
At Six Degrees we believe there are three key take-homes from the SolarWinds hack: the importance of supply chain security, the need to apply zero trust-aligned principles, and the need to proactively detect and respond to events throughout your network. Let’s take a look at these one at a time.
Protect Your Organisation Through Supply Chain Security
The SolarWinds hack was what is known as a supply chain compromise, as the hackers targeted their victims by first compromising a trusted supplier. This is a big deal for hackers: instead of having to trick individual targets into downloading malicious software, they can package their malicious code in otherwise legitimate software updates that they can simply leave the software provider to prompt its customers into downloading.
Put simply, every one of SolarWinds’ vast number of Orion Platform customers became a potential hacking target. So even if you’re not the US Treasury and the Russian state has no interest in you, your organisation could just as well be a victim, too.
The lesson here is about auditing and monitoring your organisation’s supply chain maturity. Supply chain attacks will become more commonplace as they continue to be a successful route to revenue for hackers. Therefore you need assurance from your suppliers – especially those that have intimate access to your network – that they don’t pose a cyber security risk to you. Here’s how you can go about doing that.
How to Gain Supply Chain Assurance
Your organisation probably outsources a number of services that were traditionally carried out in-house. The supply chain that delivers these outsourced services is typically split into two tiers: tier one suppliers directly contracted by you, and the tier two suppliers that they themselves outsource to.
Right now, there’s a good chance that your tier one suppliers are assessed during the contract onboarding process and then forgotten. Not great, but probably better than the diligence placed around the tier two suppliers.
At Six Degrees, we recommend carrying out continual diligence around your supply chain in order to mitigate the risk of a supply chain compromise causing financial, operational and reputational damage to your organisation. By benchmarking your suppliers against key domains such as compliance and accreditation and technical compliance, you can establish the areas of security weakness within your supply chain that present the greatest threat to your organisation. You can then prioritise remediation activities to reduce this threat.
Our Aegis cyber security benchmarking tool features a supply chain assurance module that enables you to do just this. To learn more about the Aegis tool and how we tailor it to enhance your organisation’s cyber security maturity, book an appointment to speak to one of our experts.
Detect and Respond to Security Events
According to reports, the hackers that launched the SolarWinds hack had access to compromised systems as early as March. That’s the best part of a year to snoop around, find and exfiltrate highly sensitive data as they pleased. Not good. But if you download malicious code as part of an otherwise legitimate software update in a supply chain attack, how can you detect the compromise and respond to it quickly in order to minimise its impact?
There are two methods your organisation can employ that will reduce your attack surface and enable you to minimise the impact of a cyber-attack. Let’s take a look at how Managed Detection and Response begins to create a zero trust posture.
Apply Zero Trust Principles to Your Organisation
Zero trust is at best the future of cyber security and at worst an annoying buzzword that professionals throw around to sound smart. However, even though its interpretation can depend on who you speak to, its principles are sound. But what exactly is it?
With most organisations in 2020 having to deal with remote users, overlapping multi-cloud environments and Internet of Things devices, security focus is moving away from network perimeters and towards protecting assets individually. Zero trust shifts focus from where you are (on the network or at the perimeter) to who you are (your identity or device), challenging and authenticating every action you take.
Zero trust nirvana is a long way off for most organisations, but the journey to zero trust is one we believe organisations should take. Adhering to best practice zero trust-aligned security principles such as using multi-factor authentication and applying policy-based access to applications will reduce hackers’ ability to expand cyber-attacks throughout your network.
If you’ve heard the term zero trust bandied about and want to understand how it can relate to your organisation, get in touch. In the meantime though, here’s how detection and response complements zero trust to protect your organisation from cyber-attack.
Introducing Managed Detection and Response
The SolarWinds hack would have been far less damaging if its victims had been able to identify and address the threat sooner. Moving forward, how can your organisation achieve this? Well, that’s where managed endpoint security comes in.
Endpoint security is an approach to cyber security that follows zero trust principles to focus on end user devices — or endpoints. However, the goal isn’t to protect each individual endpoint — desktop, laptop, virtual environment etc. — but the system as a whole. This is done by managing the flow of information between the network and device, centralising security and control while decentralising risk.
Microsoft Defender for Endpoint is an endpoint security system that is able to automatically isolate active threats, minimise risk exposure, and provide advanced attack detection and response capabilities. When configured and managed correctly, this delivers a preventative security system and real-time defence that enables security analysts to prioritise threat alerts, view the full scope of any breaches and act immediately to rectify identified threats.
Put simply, if hackers gain access to your network, Microsoft Defender for Endpoint will generate alerts that identify the suspicious activity. Which is great. But who’s going to manage and act on the alerts the endpoint security system generates? The best security tools can only quarantine an issue and alert you to a problem. It’s then your responsibility to act upon the intelligence you’ve received to eliminate and remediate that treat.
Our Managed Detection and Response service handles this for you. Managed Detection and Response is a fully-managed endpoint protection service that keeps your organisation safe 24×7. Our experienced cyber security experts harness the power of Microsoft’s industry-leading Defender for Endpoint security solution to deliver:
- 24×7 real-time alert management, detection and rapid response
- Comprehensive protection throughout your infrastructure – right down to the endpoint
- Trended reporting to quantify the risks that have been contained
- Bespoke deployment, configuration and management to maximise your protection
- Industry-specific expertise that elevates your cyber security to the next level
By implementing Managed Detection and Response, you can reduce hackers’ ability to expand cyber-attacks across your infrastructure and minimise the risk of data breach resulting in financial, operational and reputational damage. You can learn more about Managed Detection and Response and book a demo here.
Reduce the Risk to Your Organisation
The SolarWinds hack has opened up a real Pandora’s box of cyber security implications, and these touch on some pretty fundamental aspects of your organisation’s operational approach. In this blog we’ve explained the importance of supply chain security, applying zero trust-aligned principles and implementing detection and response capabilities to minimise the cyber risk your organisation faces.
At Six Degrees we have the expertise and the experience to deliver tailored solutions that will enhance your organisation’s cyber security posture. But before we start, we always want to understand your organisation and where you are on your own cyber security journey. That’s why we offer a cyber security assessment that will give us – and you – the knowledge and tools to roadmap the next steps of your journey. Schedule a call if you want to learn more.