SolarWinds attack: are you ready for the supply chain risk?

Shoring up your defenses against supply chain attacks.
A quick background of the SolarWinds attack and checklist to stay protected

The recent SolarWinds attack represented one of the more impactful and sophisticated events in recent times. The attacker performed a “supply-chain” attack to compromise network management software produced by SolarWinds. This note will provide background on this event, Atos’ perspective (including challenges, mitigating actions, and outlook) and further information resources.

Background

Recent large-scale, sophisticated attacks are exploiting weaknesses in the implementation of supply chain management processes. The recent compromises involving SolarWinds Orion are distinguished in that the Advanced Persistent Threat (APT) actor targeted the supply chain to bypass traditional enterprise perimeter and detection defenses.

The attack involved cyber actors compromising SolarWinds' build infrastructure and using that access to distribute trojanized software updates to over 18,000 SolarWinds customers.

What is SolarWinds?

SolarWinds Inc. is a US-based company that develops software for businesses to help manage their networks, systems and information technology infrastructure. SolarWinds has a customer base of 300,000 customers, including the US Federal government, 80% of the Fortune 500 and diverse customers worldwide.

How did it happen?

The threat actors used sophisticated zero-day malware to compromise the build servers of SolarWinds. The malware could recognize when it was installed on a developer system and waited until the developer accessed specific Orion source code files. It then activated and replaced one of the source files with a version containing the SUNBURST backdoor code, inserting the malicious code into SolarWinds Orion’s legitimate software update. SolarWinds customers unwittingly installed the malware by updating their Orion platform. This attack methodology is known as a supply-chain attack because it affects every organization that installs a trusted piece of software that has been made to carry malware.
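The mechanism described above, a build host silently swapping source files before compilation, is exactly the kind of drift a build pipeline can check for. The following is an added illustration (not SolarWinds' or Atos' code) of a pre-build integrity gate: it assumes the pipeline keeps a SHA-256 manifest of the reviewed source tree, produced from the repository and stored outside the build host, and refuses to build when any file is modified, added or missing relative to that manifest. The file names and contents are constructed sample data.

```python
"""Verify a source tree against a pinned SHA-256 manifest before building.

Added example, not vendor code. Assumes the manifest of expected digests was
generated from the reviewed repository and is held outside the build host.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large sources do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX-style path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, expected):
    """Return (ok, findings); findings are ('modified'|'added'|'missing', path)."""
    actual = build_manifest(root)
    findings = []
    for rel, digest in expected.items():
        if rel not in actual:
            findings.append(("missing", rel))
        elif actual[rel] != digest:
            findings.append(("modified", rel))
    for rel in actual:
        if rel not in expected:
            findings.append(("added", rel))
    findings.sort()
    return (not findings, findings)


def demo():
    """Construct a sample tree, pin it, tamper with one file on the 'build host', re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        sample_files = {  # constructed sample sources, not real project files
            "src/Updater.cs": b"// constructed sample source\nclass Updater {}\n",
            "src/Util.cs": b"// constructed sample source\nclass Util {}\n",
        }
        for rel, data in sample_files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        pinned = build_manifest(root)  # in practice: taken from the reviewed repo
        clean_ok, _ = verify_tree(root, pinned)
        # Simulate build-host tampering: extra code appended to one source file.
        with open(os.path.join(root, "src/Updater.cs"), "ab") as f:
            f.write(b"// code injected at build time (constructed)\n")
        tampered_ok, findings = verify_tree(root, pinned)
        return clean_ok, tampered_ok, findings


if __name__ == "__main__":
    print(demo())  # (True, False, [('modified', 'src/Updater.cs')])
```

The gate only helps if the pinned manifest is produced and stored somewhere the build host cannot rewrite; a manifest generated on the same compromised machine would simply pin the tampered files. Pairing this with reproducible builds lets a second, independent builder confirm the shipped artifact as well as the sources.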

The difficulty in detecting and responding to the threat

Firewalls, intrusion detection services, and other monitoring apparatus were arguably limited in their capability to detect the attack and permit a timely incident response. Although the incident came to prominence in December 2020 after the FireEye disclosures, initial reports indicate that the attack may have begun as early as September 2019. SolarWinds and their customers were likely exposed for months until the incident was made public.

CISOs and information security practitioners already know they should maintain mature supply chain management processes, including understanding how the vendor manages security, checking whether the vendor's quality program includes secure development principles, and maintaining sound change management processes (in addition to other widely recognized standards and best practices). However, given the sophistication of this attack, it is worth considering whether conventional supply chain management practices adequately address the risks involved in incidents like SolarWinds.

A checklist to be better prepared

So, how should enterprises deal with such sophisticated attacks?

Go beyond conventional supply chain practices. At Atos, we rely on routine practices and sharable intelligence from our security services to anticipate and respond to threats. These best practices can be an opportunity for CISOs or other individuals responsible for enterprise defense to compare their response checklist to what we have provided here.

There is no single countermeasure to mitigate a supply-chain attack. The preparation must consider people and processes, as well as technologies.

Does your checklist include the following considerations?

  • Routine review of intelligence from Information Sharing and Analysis Centers (ISACs), national and regional Community Emergency Response Teams (CERTs), and other organizations involving infrastructure management software
  • Adopt a risk-based vulnerability management approach by using:
    1. Threat intelligence capabilities
    2. Risk scoring based on factors such as the business context and criticality of the assets
  • Ensure correct implementation of encryption for storage, transmission, and processing (tokenization)
  • Review supply chain risk management standards and adopt best practices. One such resource, available at no cost, is NIST SP 800-161 “Supply Chain Risk Management”
  • Deploy a Zero Trust architecture, with policy verifications based on a no-trust strategy (see the Atos publication “On the Road to Zero Trust”)
  • Exercise business continuity and disaster recovery plans in drills or tabletop exercises
  • Deploy advanced threat detection capabilities, including those supported by artificial intelligence
  • Identify the process to report a breach to your local crime complaint center
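The second checklist item, risk-based vulnerability management, is easiest to see with a worked ranking. The block below is an added example, not Atos' scoring model: it assumes each finding carries a CVSS base score, an asset criticality tier from the asset inventory, an exposure flag and a threat-intelligence flag for known exploitation, and it combines them so that a moderate CVSS on an exploited, business-critical system outranks a critical CVSS on a low-value lab box. Weights, asset names and the VULN-000x identifiers are constructed placeholders.

```python
"""Rank vulnerability findings by business risk rather than by CVSS alone.

Added example with constructed weights and sample data; not a vendor model.
"""
from dataclasses import dataclass

# Asset criticality tiers as an inventory/CMDB might record them (constructed).
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "crown_jewel": 2.0}
EXPOSURE_BOOST = 1.25      # reachable from the internet
EXPLOITED_BOOST = 1.5      # threat intelligence reports active exploitation


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, not a real advisory
    cvss: float             # CVSS base score, 0.0 to 10.0
    criticality: str        # business criticality tier of the asset
    internet_facing: bool
    known_exploited: bool   # set from a threat intelligence feed


def risk_score(f):
    """CVSS scaled by asset criticality, boosted for exposure and active exploitation."""
    if f.criticality not in CRITICALITY_WEIGHT:
        raise ValueError(f"unknown criticality tier: {f.criticality}")
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.internet_facing:
        score *= EXPOSURE_BOOST
    if f.known_exploited:
        score *= EXPLOITED_BOOST
    return round(score, 2)


def prioritize(findings):
    """Highest risk first; ties broken deterministically by asset and id."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.vuln_id))


def cvss_only(findings):
    """The conventional ordering, for comparison."""
    return sorted(findings, key=lambda f: (-f.cvss, f.asset, f.vuln_id))


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("nms-mgmt-01", "VULN-0001", 7.5, "crown_jewel", False, True),
    Finding("web-public-03", "VULN-0002", 9.8, "medium", True, False),
    Finding("dev-box-17", "VULN-0003", 9.8, "low", False, False),
    Finding("hr-app-02", "VULN-0004", 6.5, "high", True, True),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.asset:15s} {f.vuln_id} cvss={f.cvss}")
```

On the sample data the network management server with a 7.5 CVSS but active exploitation and crown-jewel status ranks first, while the 9.8 on the isolated development box drops to last; a CVSS-only queue would have put both 9.8 findings at the top.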

A practical approach to manage supply chain threats

As described in this note, there is no single countermeasure to mitigate a supply-chain attack. The preparation must consider people and processes, as well as technologies. These must be orchestrated through operational, tactical and strategic approaches to protect your organization. At Atos, we are committed to contributing our expertise and skills to our clients and the greater cybersecurity community. This includes perspective and resources to support greater enterprise and operational resilience.

Atos Intelligence Services were referenced for this report:

Global Threat Intelligence report


About Dan Schaupner

Head of Digital Innovation Development, Digital Security Consulting, Atos
Dan Schaupner has been with Atos since 2017 and brings two decades of experience to his leadership of consulting activities. Previously, Dan was CTO at a Washington DC risk management firm, advising the U.S. government on cloud security (FedRAMP/Trusted Internet Connection). During his career, Dan has advised business and technical leadership in many industries including finance, healthcare, higher-education, manufacturing, and others. Dan is a graduate of the Atos Gold for Technology Leaders program, member of the Atos expert community, and provides mentorship to the Atos FUEL program for emerging professionals. Dan holds an MBA from Virginia Tech, an Engineering Bachelor’s degree from the University of Michigan, and CISSP and CISM certifications.

About Nemanja Krivokapic

Head of Digital Risk & Compliance (DRC), Digital Security Consulting, Atos
Nemanja is a CyS global principal consultant and an experienced cybersecurity practitioner with 20 years of professional experience: a committed, proactive and creative mind in an ever-changing cybersecurity landscape. His focus areas are InfoSec governance and strategy, GRC, management consulting, and project transformation programs. He has successfully managed several engagements and is one of the key contributors to the overall global practice initiatives. He is PMP, CISM and data protection certified and is currently finalizing a master’s degree in information security.

About Anna Cantin

Global Practice Operation Support, Digital Security Consulting, Atos
Anna is Global Practice Operation Support, Digital Security Consulting at Atos. Her focus is on helping implement strategies, communication and processes in a global and growing team, using her creativity and commitment. In an ever-changing environment, she helps adapt the consulting needs to new challenges. She has also participated in several innovative cybersecurity projects focusing on HPC and OT, strengthening the security of Atos’s clients and participating in their business transformation.

About Hrishikesh Sivanandhan

CISSP, Atos
Hrishikesh Sivanandha is a cybersecurity practitioner with close to 18 years of experience. At Paladion, he was involved in developing multiple practices including Data Lifecycle Management and PCI DSS services. He led the Consulting BU for more than 5 years and the MDR Vulnerability Management division for the last 4 years at Paladion. Hrishikesh has led projects across multiple industry verticals including BFSI, telecom, manufacturing and IT/ITES. At Atos, he heads the Global Delivery Centre for Cyber Security Consulting.