The now infamous SolarWinds attack happened just over one year ago, and yet, we’re still hearing about it, seeing the repercussions of it, and learning from it. To refresh your memory (though I’m sure you don’t need it), between March and June 2020, a Russian hacking group executed a supply chain attack against SolarWinds’ Orion network monitoring product, which compromised more than 100 SolarWinds customers, including U.S. government agencies and other private sector organizations, including cybersecurity company FireEye (now Mandiant) and Microsoft.
Fast forward to December 2021, and Mandiant unveiled new research indicating the hackers behind the SolarWinds attack, dubbed Nobelium by Microsoft, are still at it. SC Media reported: “The actors behind the SolarWinds campaign have been leveraging ‘top notch operational security’ and tradecraft and a diverse array of hacking techniques to successfully target governments, businesses and cloud providers around the world, according to new research from Mandiant.”
Reports of renewed activity from this nefarious group are a good reminder of the lessons we learned following the 2020 attack. Lessons that hopefully prompted us to adapt our security strategies to prevent similar incidents from happening again.
Applying Lessons Learned to Avoid Déjà Vu
The SolarWinds attack was an eye opener in many respects, but I want to discuss four cybersecurity mistakes, in particular, that organizations often make that were brought to light in its wake.
Mistake No. 1: Blindly trusting the security of third-party vendors.
In the previously mentioned SC Media article, Doug Bienstock, incident response manager at Mandiant, told the publication that the Russian hacking group continues to “exploit the relationship between victims and trusted third parties to break into systems and steal data.” He’s quoted as saying: “The SolarWinds campaign was about who were the vendors you trust and all the different software in your environment, and this threat actor leveraged that one-to-many relationship pretty well.”
Prior to SolarWinds, supply chain (or third-party) risk management was a topic of discussion, but following the attack, it has become a priority on every company’s IT security to-do list. When I worked for the government, the CIA had a saying, “In God we trust; all others, we verify.” This could not be more relevant to the world of cybersecurity today. Gone are the days where we think we’re safe, even if a partner company is compromised.
Similar to the Zero Trust concept used within IT architectures, organizations would be well served to never trust and always verify the vendors they work with on a daily basis. This includes knowing who they are, what they’re doing for the company, and what cybersecurity, compliance, and risk management processes and protocols they have in place to protect themselves and their customers. At the end of the day, if your third-party vendors are vulnerable to attack, so are you.
Mistake No. 2: Prioritizing prevention and detection.
Many companies focus their cybersecurity strategies on one of two things: 1) prevention – putting tools, solutions, and strategies in place to deter breaches and other cyberattacks altogether, or 2) detection – constantly using new algorithms, methodologies, data, and tools to find anomalies and threats quickly. While both prevention and detection are important, neither on their own will prevent a company from being compromised. Adversaries move quickly, they adapt and improvise, they use advanced techniques, and most businesses aren’t mature enough to defend against the attacks targeting them. Today, it’s no longer a matter of “if” a company will be targeted but “when.”
The only way to protect your business from today’s sophisticated cybercriminals is to build a robust cybersecurity and cyber resilience strategy founded on four building blocks: threat prevention, detection, investigations and response (more on these latter two in the next two sections). Singling out any one of the four will do you no good.
Mistake No. 3: Putting misplaced trust in automated threat response.
In 2017, Gartner Inc. coined the term security orchestration, automation, and response (SOAR), and since then it has taken off – promising organizations that they’ll be able to automatically respond to detected threats in a way that minimizes damage and protects the business. While this all sounds great, in reality, the collective cybersecurity industry isn’t mature enough to achieve this lofty goal. We can’t expect automated response to work as intended, if we don’t fully understand how it integrates with prevention, detection, and investigation – or if we don’t have each of these four components equally mastered and collectively working together.
I equate this to purchasing a self-driving car. If a salesperson tries to sell me a Tesla without a steering wheel and brake pedals, promising the autopilot will keep me safe, I’m never stepping foot in that vehicle. I still need control (this is known as conditional automation), where I can override the auto pilot, and I’ll need many miles under my belt before I begin to trust that all of the parts are working together to prove to me that the car can be trusted.
We’re not here yet with SOAR – or any automated response solutions for that matter. So, rather than delivering on its promise, automated incident response has set false expectations and failed to deliver on its intended results, leaving organizations vulnerable rather than protected.
Mistake No. 4: Complacency with the state of security investigations.
There has been very little discussion in the industry about security investigations, which has caused most IT security teams to become complacent with the traditional way of conducting them.
Until recently, this has been a major unaddressed pain point for security analysts and SOC teams. They’d have to open up a new browser tab for every siloed tool in their environment and then pivot back-and-forth between all of those tabs to manually aggregate and analyze the relevant data to determine what they should investigate before they can actually respond. This method is not only burdensome and time-consuming, but it leaves a tremendous amount of room for error. On top of this, today’s data volume and data distribution make data centralization impractical and extraordinarily expensive, preventing security professionals from being able to access all of their data in the first place. We saw this exact phenomenon with victims of the SolarWinds attack, and as a result, it was impossible for them to define the scope of the compromise.
Four Parts to a Whole
Shoring up supply chain security is the most obvious lesson coming out of SolarWinds, but the attack also taught us that we need to reexamine our approaches to prevention, detection, investigation and response, too. Each of these areas is a piece of the cybersecurity puzzle, and they must all work together if you want to build and maintain a strong cybersecurity posture and cyber resilience strategy.