Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. "The bottom line for me is that multiple agencies were still breached under your watch by hackers employing techniques that experts have warned about for years," Wyden said. As we all know, that won't be easy. An attacker would have to be right three different times, identically, to be able to conduct an attack like the recent one with Orion. It would have to be the one that had the least possible number of ways it could have been realized, and that's attack number two. And you might not be the cybercriminal's target. For those who are not EC members, This is because these were pure supply chain attacks. But don't worry: those customers were mostly unimportant ones: the NSA, DHS, DoE, the National Nuclear Safety Agency, FERC, etc. They first stole the source code for many of the company's software programs and conducted reconnaissance of its build environment and networks. A big takeaway from this security incident is just how important it is to manage and mitigate third- and fourth-party risk. Please email me at tom@tomalrich.com. However, at least three possibilities have been raised: 1. The bar code scanner had been published for several years and had a healthy installed base of 10 million users. Since the SolarWinds supply chain attack was disclosed in December, there has been a whirlwind of news, technical details, and analysis released. Of course, building every release of every software product (or even just Orion) three times, not just one, will be very expensive for SolarWinds.
Once you have identified and prioritized your assets, you must establish a system to monitor all of these assets, creating visibility of their dynamic and changing landscape. In early February, Kevin Perry forwarded me a, to an interesting article about an open source (and therefore free) product called. So, how could the SolarWinds hack have been prevented? Can you get all of your critical supplies from other providers? Step 1: Build cyber resilience & recovery. If a critical section of your supply chain collapses, you face an emergency of a different kind. In one of Energy Central's emails today, I saw a post by Joe Weiss that looked interesting; it was entitled "SolarWinds Orion: The Weaponization of a Network Management System". Just like the bar code scanner app, the updates were used to distribute the malware to existing customers. Will they reveal their record of cyber security incidents and incident handling? The U.S. Treasury, the Department of Homeland Security, the Department of State, the Department of Defence, and the Department of Commerce were all victims. Be mindful of any supplier who routinely sends service or maintenance personnel to your premises. This goes both for software users and software developers). Second, what could have led to the Russians being discovered as they were operating for around ten months inside the SolarWinds build environment?
SolarWinds' development environment(s) was compromised by Russian attackers, who placed an exquisitely designed piece of malware, Of course, there's a lot written about that issue (and Fortress Information Security is conducting a, It might have been a supply chain attack through a Microsoft Office 365 reseller, as discussed in, It also might have had something to do with the fact that SolarWinds had, Finally, the Russians could have penetrated a software development tool (presumably by planting malware in the tool developer's network, which would have played the same role that SUNSPOT did with SolarWinds). There was a lot of discussion which expanded to related questions, as those discussions often do. Actually, a better question to ask is how they could possibly not have been discovered. As such, it was impossible to predict. The new owners had modified the code of the scanner app to include malware.
Let's be clear: the only way to force them to do anything is with some kind of regulation. SolarWinds creates and sells monitoring and management software for corporate networks. However, this wouldn't have prevented the SolarWinds attack, since SolarWinds had no clue about any of this until FireEye reported the attack to the world. That means mapping it out.
It communicated with the Russians about what it was doing through bogus VMware log entries that the Russians could read outside of the build environment. The Russian hackers (the U.S. government has attributed the operation to Russia's foreign intelligence service, the SVR) breached SolarWinds' network in early 2019. It is no longer malcontents in their parents' basements or even organized crime; it is being funded by national governments that see future world wars being fought in cyberspace rather than on land and the sea. Given FireEye's stature in the tech Planning and preparing is everything. This is described in a great article by CrowdStrike, which I tried to summarize (and simplify, to the extent I could) in this post. Given the amount of damage that the attack caused, SolarWinds is in no position to complain about having to spend a lot of money on this. Are you guaranteed to get results using any of these means? So if you cannot predict a third-party security breach like SolarWinds, and you can't prevent a sophisticated breach being carried out by a seasoned cybercriminal or terrorist nation-state, what can you do to protect your assets? Clearly, it has to do with SolarWinds' controls (or more likely, the lack thereof) over their development network(s).
I believe that ultimately there will need to be mandatory controls on these organizations, perhaps structured something like what's required by the recently approved, So barring regulation, what can we do to get software developers in general to improve their level of development security? I reasoned that, since Sunburst was effectively a component that had been added to the code, it should have been identified when the SBOM was generated. They develop sophisticated attacks centering more on long-term evolutionary gains and knowledge than short-term chaos. Since many small security teams are charged with a multitude of responsibilities, and just one of those tasks is managing third parties, automation can help streamline and accelerate that lengthy and tedious process.
Of course, the country was greatly relieved to hear there had been only 17,999 victims, not 18,000); and. The Colonial Pipeline hack might not have been the largest hack in recent memory; that probably goes to the SolarWinds or Microsoft Exchange hacks. A rogue developer could have placed the Sunburst malware in the update code being developed (although this idea goes against the fact that the Russians developed and deployed a very sophisticated piece of malware called SUNSPOT that did everything that was needed remotely; moreover, SUNSPOT painstakingly covered up what it did). However, before making any assertions about what could or couldn't have prevented the attack, it's important to remember that when we talk about the SolarWinds attack, we're really talking about four distinct phases: 1. What can you do about niche products or services that you cannot easily or quickly obtain from elsewhere? b) Second, what could have led to the Russians being discovered as they were operating for around ten months inside the SolarWinds build environment? There are two components to this. "SolarWinds is seeing if it can design its software-build systems and pipelines a bit differently." However, Joe admits that the SolarWinds NMS that were compromised by the attacks announced in December were almost all (or probably all) behind a firewall. The same thing we do regarding anything else we want a supplier to do: nudge them along the path of righteousness. The Supply Chain Attack on the SolarWinds Orion platform could have prevented one of the biggest hacks. One of the first ideas I had about this was that having a software bill of materials (SBOM) could have alerted SolarWinds to the presence of Sunburst.
To properly assess the risk of a supply chain attack, you need to understand your supply chain thoroughly. What could have actually prevented the SolarWinds attacks in the first place? Are any of them attractive targets to a state-sponsored APT group? It then makes HTTP requests to the threat actor's servers to retrieve commands, which it then acts upon. 2. To summarize, I think Phase 2 of the four phases of the SolarWinds attack could have been short-circuited during either its first or second stages. These updates were issued between March and June 2020. For those who are not EC members, here's the link to the same post on Joe's blog (BTW, for about 4 or 5 months I've been putting almost all of my posts on EC, as well as in this blog. If you would like to comment on what you have read here, I would love to hear from you. So what should a software supplier do, who wants to avoid being the inadvertent victim/perpetrator of a SolarWinds-type attack? Though it sounds obvious, unfortunately something as simple as knowing who to contact and how to contact them in the event of a breach is often overlooked. Once the infected updates are applied to the customers' networks, the malware installs itself and lies dormant for about two weeks. The malware has been named SUNBURST by cyber security researchers at FireEye.
Of course, they were certainly very careful, but they finally slipped up and were detected because someone who worked for FireEye noticed an unknown login to their account. Once you've identified those suppliers that directly or indirectly touch your network, you can make a risk assessment. Which of them was the most preventable? If they can compromise an MSP, they have the keys to the kingdom for all of the MSP's customers. Auditing new suppliers should become standard procedure, and at least annual auditing for existing suppliers. They include senior U.S. agencies and federal departments, operators within the critical infrastructure of the U.S., global organizations, and private companies. Of course, CI software suppliers should also be required to notify the federal government if they discover such a breach; Rep. Jim Langevin (D-RI) is proposing this idea, as described in this Wall Street Journal article.