It was one of those fragile, oversized wine glasses that couldn’t have cost more than a buck. I saw it teetering on the counter’s edge, soon to meet the kitchen floor. That unmistakable shattering noise was made especially painful by the fact that we had a six-month-old baby who loved to mop the floor with her belly.
You know the feeling: “What if I missed one little shard? Did I accidentally spread glass to another room? I can’t risk it. I’ll take another pass with the mop.”
Ask any digital forensics expert who worked on a SolarWinds SUNBURST case and they’ll tell you how haunted they’ve been over the past two months. When your network has been infiltrated by a threat actor that FireEye called “one of the most sophisticated adversaries they have ever seen,” you need to be certain you’ve eliminated every shard of glass—every persistent foothold.
If the impact of the SolarWinds infiltration could be quantified by the time and money spent investigating and remediating incidents, it would be massive. While patching, threat hunting, and remediation have been the focus, we can’t ignore the elephant in the room: stolen data.
A website called “solarleaks” is selling source code stolen from Microsoft, Cisco, and FireEye, and now it’s reported that the APT behind SUNBURST may have compromised highly sensitive U.S. court documents. This particular treasure chest of information can have far-reaching consequences in the real world given that federal court cases tend to feature high-profile targets. I can’t help but think of the OPM breach, where millions of personal records containing fingerprints, background checks, and financial info were exfiltrated. It’s hard to imagine a graver consequence than exposing the family of a government agent.
When you can confirm your data has been stolen, the stakes go through the roof. When you can’t confirm that it hasn’t been stolen, you’re almost worse off.
A Tale of Two CISOs
We’ve been helping many organizations respond to SUNBURST over the past few weeks, and we’ve observed a correlation between their controls and their concern. Those with more granular segmentation, detective controls, and effective logging were, not surprisingly, better able to detect activity and determine whether data was accessed. Those without visibility and control were scouring every nook and cranny for signs of broken glass, bracing their bare feet at every step.
One of the most resilient organizations we helped had adopted a strict Zero Trust posture and detected unusual DNS queries in a test environment before the malicious SUNBURST update hit their production environment. Crisis averted.
At the other extreme, some organizations knew they had run the malicious code in production but had no logging in place to confirm whether or not the backdoor had been used, or if any data had been stolen.
Those that fell in-between were able to verify unusual activity from the SolarWinds systems and accounts and accurately assess the scope of impact on their sensitive data and infrastructure.
Keep Supply Chain Risk in Context
Regardless of where you fall on the spectrum of cyber maturity, it will be tempting to overprioritize supply chain risks while overlooking more urgent exposures. The fact is that we saw more sophisticated attacks last year than ever before. Techniques used by state actors are quickly adopted by cybercriminal groups and lone wolves looking to monetize stolen data—an objective made trivially easy by cryptocurrency. Said another way: yesterday’s APT is today’s script kiddie.
Making matters worse: countless IT resources went toward accelerating digital transformation this year. We saw many organizations deploy technologies before they really had a chance to properly secure them, resulting in compromised accounts, insider threats, and, you guessed it, stolen data.
What You Can Do
Make sure your response actually reduces risk (turning off security updates and patches won’t). Your supply chain is a part of your attack surface so it makes sense to choose reputable, responsive suppliers that adhere to security standards and best practices. The Cybersecurity Maturity Model Certification (CMMC) and Common Criteria Certification (ISO 15408) exist to help ensure the security of the federal government’s supply chain. Your risk surface, however, encompasses a lot more than your software, hardware, and partner supply chain. Every few months we are reminded how much damage insiders can do, especially when they get access to sensitive data on their first day at work.
For most agencies, data is what’s most at risk — through the supply chain, insiders, or any other vector. Security teams struggle to protect it against everyday threats that are far less sophisticated than those behind SolarWinds — they are probably treading on broken glass far more often than they realize.
We see that far too many employees have access to data, and it is rarely monitored for abuse. This is incongruous with current security principles like least privilege and Zero Trust, where the idea is that no person, application, or system should be able to do more than they need.
If you’ve identified and prioritized your important data and made sure nothing and no one has more access than they need, your risk surface area is much more manageable. If you’re monitoring your data closely so you know every single time it’s touched, you have a map of all the broken glass. To reduce risk further, model behaviors of trusted users and systems to ensure those with access haven’t been compromised.
CISA called out the importance of behavioral modeling in its alert about this APT:
“Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyberthreat intelligence database.”
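The two checks described above, least-privilege gaps (access granted but never used) and the CISA-style "outside normal duties" detection, as an added example that is not from the original post. The users, departments, resource names and log events are constructed sample data; the department baseline is one simple way to model "normal duties" and is an assumption of this example, not a prescribed method.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): what each account is
# permitted to read, and which department it belongs to.
GRANTS = {
    "alice": {"hr_records", "payroll"},
    "bob": {"hr_records", "payroll", "cti_db"},   # HR user with a stale CTI grant
    "carol": {"cti_db", "ir_cases"},
    "dave": {"cti_db", "ir_cases", "payroll"},
}
DEPARTMENT = {"alice": "hr", "bob": "hr", "carol": "secops", "dave": "secops"}

# Constructed access events as (user, resource): a baseline period used to learn
# each department's normal footprint, then the window under review.
BASELINE_LOG = [
    ("alice", "hr_records"), ("alice", "payroll"),
    ("bob", "hr_records"),
    ("carol", "cti_db"), ("carol", "ir_cases"),
    ("dave", "cti_db"),
]
REVIEW_LOG = [
    ("alice", "hr_records"),
    ("bob", "cti_db"),        # valid token, but an HR account reading threat intel
    ("dave", "ir_cases"),
]

def unused_grants(grants, log):
    """Permissions granted but never exercised in the log: least-privilege gaps."""
    used = defaultdict(set)
    for user, res in log:
        used[user].add(res)
    return {u: sorted(r - used[u]) for u, r in grants.items() if r - used[u]}

def department_baseline(log, department):
    """Resources each department normally touches (a peer-group baseline)."""
    base = defaultdict(set)
    for user, res in log:
        base[department.get(user, "unknown")].add(res)
    return base

def out_of_role_access(baseline_log, review_log, department):
    """Accesses in the review window that fall outside the user's department
    baseline. These pass the permission check (the grant exists), so only a
    behavioral model catches them; unknown users get an empty baseline and
    every access is flagged."""
    base = department_baseline(baseline_log, department)
    return [(u, r) for u, r in review_log
            if r not in base[department.get(u, "unknown")]]
```

In this data, bob's `cti_db` access is authorized by his grant but is outside anything HR has touched before, which is exactly the case the CISA alert describes; the unused-grant report separately shows which grants could be removed to shrink the risk surface.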
Most organizations are more fragile than they realize when it comes to defending against everyday attacks, and any data-driven organization is a tempting target. With the amount of data that employees create and share today, most organizations can’t analyze data for criticality, achieve least privilege or Zero Trust, or detect unusual behavior. The ones that can rely on sophisticated automation for behavioral monitoring alongside their Zero Trust implementation.
As threat actors grow more skilled, motivated, and patient, the chances that a trusted user or system will be compromised grow to near-certainty. The only uncertainty is in how well organizations will prepare: will they start modernizing their controls, or wait for the glass to shatter?