Sunburst/Solorigate Aftermath: 4 Lessons Learned from the SolarWinds Breach
Organizations everywhere are only just beginning to come to terms with the Sunburst/Solorigate compromise. Even at this stage, it’s clear the backdoor into SolarWinds’ Orion network monitoring and management platform represents one of the most substantial cyber security breaches in recent memory. SolarWinds’ client list reads like a who’s who of the public and private sectors, including Fortune 500 companies, telecommunications and cyber security giants, and core government agencies. While it may come as little consolation to those impacted, there are lessons to be learned from this incident that can help all organizations better their own security efforts.
Before we get into the takeaways from this breach, first let’s go over what exactly took place. State-sponsored hackers (believed to be APT29, aka Cozy Bear, of Russian intelligence fame) were able to gain access to a server used to build updates for the Orion platform, likely back in March of this year. The origins of this access are still being investigated, however, there’s some evidence a suspect security culture may be prevalent within SolarWinds. Last year, a security researcher discovered an especially weak administrative password (solarwinds123) made weaker still by the fact that it was inadvertently made public in a Github repository.
Once inside, attackers pushed out a malicious update that would grant them widespread visibility into the network of any organization that downloaded the update. All told, it is believed roughly 18,000 of the more than 300,000 organizations that leverage Orion implemented the fraudulent update. Looking for some good news? Here it is: Using a “Death Star”-like display of power, Microsoft was able to disable the malware, bringing the attack, mercifully, to an end.
So, what have we learned? Let’s go down the list:
- Patch your systems! This point is especially critical given how this attack went down. In this case, organizations that promptly downloaded and implemented the update, a security best practice, were burned and those that waited were spared. It’s important to note that, most of the time, it’s the other way around. Those who wait are the ones leaving themselves open to attack. The SolarWinds incident shouldn’t scare you away from doing the things that, more often than not, will keep you safe from cyber criminals.
- Embrace the principle of least privilege. Zero trust, least privilege, whatever you want to call it, this idea should be reflected in your approach to technology and vendors. Newly implemented (and existing) solutions should only be given the rights and access they need to function and nothing more. The same goes for vendors, technology partners, service providers, etc. It’s tempting (and time-saving) to grant newcomers broad access, particularly if it involves a trusted industry leader, like SolarWinds. The above scenario shows the risk of that approach. By compromising SolarWinds tech attackers were able to gain, in some cases, almost unfettered access to organizational networks down the supply chain – access that Orion didn’t necessarily require to operate.
- Be careful with your passwords. It’s as elementary a tip as there is, and has been for years, but it is still worth repeating. Use strong, complex passwords (not the name of your company followed by 1-2-3) unique to every account. Use a password manager to help keep track of these otherwise-impossible-to-remember sequences of upper and lower case letter, special characters and numbers. Don’t share passwords with others. Turn on MFA wherever possible. If you suspect a credential has been compromised, don’t wait, change it immediately. Passwords, for better or worse remain a key part of our increasingly digital lives. Until this is no longer the case, the best we can do is make passwords as secure and private as possible.
- Leverage data loss prevention (DLP) capabilities wherever they exist. No matter their primary industry, nearly all organizations these days are also in the data moving business. With all of the data being shuffled to and fro, it’s no wonder sensitive information sometimes finds itself in the public eye. With SolarWinds, it just so happened to allegedly be a password exposed on Github. However, it could just as easily have been a credit card number sent in an email or social security numbers posted to an unencrypted database. DLP functionality, like that built into Microsoft 365, should be utilized wherever possible to automatically scan postings for secure data and raise the appropriate red flags should it find anything.
Next Steps: Put your security under a microscope
Every organization, regardless of size, industry stature, or budget is at risk for a cyberattack. That’s not to sound hopeless. Instead, it should be seen as a call to action. Continuous improvement is the name of the game in security. There are always ways to get better and there is always more that can be done to keep the bad guys out. Security, to use the cliché, is a journey not a destination.
The Arraya Cyber Team (ACT) can help you along on your own security journey. They can do so by guiding you through “table top” scenarios where you take on a fictionalized version of your cyber security worst nightmare. Or they can put your environment to the test through pen testing or gap analysis. Reach out to the ACT to learn more.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team now.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.