The effects of the SolarWinds attack will be felt for a long time, and will ripple far beyond the government alone. Even though investigations and analysis of the discovered hack remain ongoing, it has become clear that the scope is extensive, and the full impacts will likely prove to be devastating.
To recap, at the end of 2020, FireEye discovered what it described as a “global intrusion campaign” perpetrated via malicious, trojanized updates to SolarWinds’ Orion network management software. According to the latest estimates, the compromised SolarWinds software made its way into approximately 18,000 enterprises, government agencies and other organizations around the globe.
The SolarWinds revelation has shone a light on something that many knew could happen but didn’t believe would. We now know that both government organizations and their software partners need to step up their security game.
It won’t be easy. It is going to take a good deal of time, effort and money to build cyber resilience into government business practices. However, we know that this has to happen. By following the principles of DevSecOps and Zero Trust, government supply chains can be prepared for the next cyber assault.
The need for Zero Trust
In recent years, a strategy of Zero Trust has become increasingly popular. In a Zero Trust environment, cybersecurity moves from the traditional focus—protecting static, network-based perimeters—to one centered on users, assets and resources. In February 2020, the National Institute of Standards and Technology (NIST) updated its Special Publication 800-207 to help make the case for Zero Trust in government. That update became all the more important as the COVID-19 pandemic led to more government staff working remotely and more services being accessed online.
Prophetically, NIST warned that users coming from another trusted network or location—where their credentials had already been verified—are normally given full access to data and agency resources without any further review, even though they could be a potential threat. The same is true for software, as SolarWinds has demonstrated.
The result: organizations have built silos of trust, where there is an intrinsic belief in the integrity of the source. Even where red flags are raised, the security team is likely to pay little heed.
The SolarWinds attack has shown that this approach is no longer sustainable. It’s now clear that an organization can trust nothing but must instead assume that everything—even from the most trusted of sources—represents a potential threat. This requires continuous monitoring and complete verification of every user, asset and software application on the network.
Zero Trust can’t be achieved with a single product or platform. It will always require multiple tiers of different techniques and technologies: multifactor authentication, single sign-on, continuous monitoring, and intelligent threat modeling and detection. And all of these must work together in a Zero Trust framework. Recent developments indicate that organizations recognize this: the US government, for example, is encouraging departments and agencies to take steps toward Zero Trust by supporting security programs such as the Continuous Diagnostics and Mitigation (CDM) program and the Federal Identity, Credential and Access Management (FICAM) program.
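To make the contrast between the two models concrete, here is an added example that is not part of the original OpenText post and does not describe any OpenText product. It is a hypothetical, simplified policy evaluator in the spirit of NIST SP 800-207: a perimeter-style decision that grants access to anyone already on a "trusted" network, beside a Zero Trust decision that re-verifies the user (MFA), the asset (device posture) and the software application (a pinned build hash) on every request. All names, hashes and the scenario itself are constructed sample data; the "trojanized update" is represented only by a changed hash.

```python
"""Added example (not from the original post): perimeter trust vs. Zero Trust
evaluated on the same requests. Users, devices, hashes and rules are constructed
sample data; the policy is a deliberate simplification of NIST SP 800-207."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool          # identity: second factor checked for this session
    from_trusted_network: bool  # location: the only signal the perimeter model uses
    device_patched: bool        # asset posture, e.g. as reported by an endpoint agent
    app_name: str               # software application making the request
    app_hash: str               # SHA-256 of the binary actually running
    resource: str               # resource being requested


def build_hash(label: str) -> str:
    """Stand-in for hashing a real binary: hashes a constructed label instead."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed allowlist of known-good builds (hypothetical product name and value).
TRUSTED_BUILDS: dict[str, str] = {
    "netmon-agent": build_hash("netmon-agent 1.0 vendor build"),
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: once inside the trusted network, no further review."""
    return req.from_trusted_network


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Verify user, asset and software for every request; network location is
    not a factor. Returns (allowed, list of denial reasons)."""
    reasons: list[str] = []
    if not req.mfa_verified:
        reasons.append("identity: MFA not verified for this session")
    if not req.device_patched:
        reasons.append("asset: device failed posture check")
    if TRUSTED_BUILDS.get(req.app_name) != req.app_hash:
        reasons.append(f"software: {req.app_name} build is not a known-good hash")
    return (not reasons, reasons)


def evaluate_session(requests: list[AccessRequest]) -> list[tuple[bool, bool]]:
    """Continuous verification: every request is evaluated on its own, with no
    cached 'already verified' state. Returns (perimeter, zero_trust) per request."""
    return [(perimeter_decision(r), zero_trust_decision(r)[0]) for r in requests]


def run_scenario() -> list[tuple[bool, bool]]:
    """Constructed scenario: same user, device and network location before and
    after an update replaces the monitoring agent with a different binary."""
    before = AccessRequest("alice", True, True, True, "netmon-agent",
                           build_hash("netmon-agent 1.0 vendor build"),
                           "domain-controller")
    after = AccessRequest("alice", True, True, True, "netmon-agent",
                          build_hash("netmon-agent 1.0 trojanized build"),
                          "domain-controller")
    return evaluate_session([before, after])


if __name__ == "__main__":
    for i, (perim, zt) in enumerate(run_scenario(), 1):
        print(f"request {i}: perimeter={'allow' if perim else 'deny'} "
              f"zero-trust={'allow' if zt else 'deny'}")
```

The second request is the SolarWinds-shaped case: nothing about the user, device or network has changed, only the software, and the perimeter model still allows it because the request comes from inside. The Zero Trust evaluator denies it because the running build no longer matches the pinned hash, which is the kind of red flag L8's "silos of trust" tend to ignore. In a real deployment the allowlist would be fed by signed vendor manifests and the posture signal by an endpoint agent, not hard-coded values.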
The Zero Trust environment requires a multi-layer approach. It involves a holistic, integrated framework that recognizes that no single security solution, or small combination of solutions, will deliver adequate protection.
So how do you build cyber resilience into a business to deliver effective protection, rapid remediation and ongoing business continuity? It requires the correct blend of people, process and technology.
Starting with this perspective, it’s possible to build upon the Defense in Depth models that government organizations have invested in for years. This approach can address virtually all threats, including SolarWinds-type supply chain attacks.
Assistance for your response
OpenText issued a customer advisory providing EnCase Endpoint Security customers with detection rules for SUNBURST. These can be downloaded from the MySupport portal.
For advice, guidance and assistance with your SolarWinds compromise, our Professional Services team is available to conduct an advanced threat hunt for the SUNBURST infection. We can also search the network for Indicators of Compromise (IoCs) present in your environment, manage digital forensics and incident response for infected systems, develop preventive measures that alert on IoCs, and assist with analysis of the attackers' Tactics, Techniques and Procedures (TTPs).