The SolarWinds breach, disclosed in December 2020, demonstrates the importance of having a fortified cybersecurity approach to protect data. SolarWinds, a US-based software company, had its software build process compromised, and the attackers inserted a backdoor into signed updates of its Orion monitoring product. Those trojanized updates were distributed to customers for months before the intrusion was discovered, so several large IT companies and government agencies that installed them were compromised in turn. The SolarWinds hack was a very difficult one for organizations to protect against for several reasons. The very nature of the Orion application requires it to have privileged access across most of a company’s systems; it monitors the performance, uptime, and metrics of a wide variety of systems, so the update was trusted and the software already held the credentials needed to reach almost everything. As a result, a company running the compromised software was exposed across its entire infrastructure.
We can glean many lessons from this incident to help prevent something like it from happening again, and they apply to any IT company or government agency.
At T-Rex, we gained valuable information that we can use to strengthen our network security. Below are some of these lessons learned:
- Have a robust and well-exercised incident response capability that allows you to respond quickly and effectively to any incident, including a supply chain compromise like SolarWinds.
- Provide a clear delegation of authority (DOA) to a leader, and to at least one backup leader, who is authorized to “pull the plug” on a compromised system immediately, without waiting for further approval.
- Ensure that your logs are secured so that an attacker with elevated permissions cannot delete or alter them. For example, ship an archive copy of your logs to an AWS Simple Storage Service (S3) bucket in a separate account that is not managed by the same set of admins, give the source account write-only access to that bucket, and enable S3 Object Lock retention (compliance mode) so that not even the receiving account’s admins can delete the archived logs during the retention period.
- Focus your detection engineering on the MITRE ATT&CK techniques an attacker can use to move laterally or abuse an Identity and Access Management (IAM) system once they hold a privileged foothold, for example valid-account logons fanning out across many hosts, or new privileges being granted to an existing identity. Even if you can’t block a technique, you can at least detect it.
- Carefully control the use and permissions of service accounts and remove their cached passwords. Service accounts are frequently given more permissions than they need, and an attacker who compromises the software running under a service account inherits every one of those permissions.
- Use a privileged access management (PAM) tool that requires a privileged user to request (check out) their admin account for a limited time, with an approval step that generates logs of who used which account, when, and why.
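The lateral-movement and IAM-abuse detections described above, as an added example that is not part of the original post or of any T-Rex tooling. It runs two detections over a small set of constructed events (a few reduced Windows Security events and CloudTrail records, not real telemetry): a service account opening network logons to more hosts than a threshold inside a sliding window (ATT&CK T1021 Remote Services with T1078 Valid Accounts), and a principal adding an identity to a privileged AD group (events 4728/4732/4756) or attaching an administrative IAM policy (T1098 Account Manipulation). The thresholds, group names, policy ARNs and field names are assumptions chosen for the example; a real pipeline would take them from its own log schema.

```python
"""Detect post-foothold lateral movement and privilege grants over log events.

Added example, not code from the original post. Event dicts are a reduced
form of Windows Security events and AWS CloudTrail records; all data below
is constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

NETWORK_LOGON = 3                          # 4624 logon type 3: SMB/RPC/WinRM over the network
GROUP_ADD_EVENTS = {4728, 4732, 4756}      # member added to global / local / universal group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
ADMIN_POLICY_ARNS = {                      # assumed "dangerous" managed policies for the example
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}


def _win(ts, event_id, account, host, **extra):
    """Constructed Windows Security event with only the fields the detections use."""
    return {"source": "windows", "time": datetime.fromisoformat(ts),
            "event_id": event_id, "account": account, "host": host, **extra}


def _aws(ts, event_name, principal, params):
    """Constructed CloudTrail record (eventName, acting principal, requestParameters)."""
    return {"source": "cloudtrail", "time": datetime.fromisoformat(ts),
            "eventName": event_name, "principal": principal, "params": params}


# Constructed sample: "svc-monitor" is a monitoring service account (the kind a
# compromised agent runs under) fanning out to six hosts in three minutes, then
# granting "backup-ops" admin rights on-prem and in AWS. "alice" is benign noise.
SAMPLE_EVENTS = [
    _win("2021-03-01T02:00:00", 4624, "svc-monitor", "srv-01", logon_type=NETWORK_LOGON),
    _win("2021-03-01T02:00:40", 4624, "svc-monitor", "srv-02", logon_type=NETWORK_LOGON),
    _win("2021-03-01T02:01:10", 4624, "svc-monitor", "srv-03", logon_type=NETWORK_LOGON),
    _win("2021-03-01T02:01:55", 4624, "svc-monitor", "srv-04", logon_type=NETWORK_LOGON),
    _win("2021-03-01T02:02:30", 4624, "svc-monitor", "srv-05", logon_type=NETWORK_LOGON),
    _win("2021-03-01T02:03:05", 4624, "svc-monitor", "srv-06", logon_type=NETWORK_LOGON),
    _win("2021-03-01T02:03:05", 4624, "svc-monitor", "srv-06", logon_type=NETWORK_LOGON),  # repeat host, counted once
    _win("2021-03-01T02:04:00", 4728, "svc-monitor", "dc-01", group="Domain Admins", member="backup-ops"),
    _aws("2021-03-01T02:06:00", "AttachUserPolicy", "svc-monitor",
         {"userName": "backup-ops", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _win("2021-03-01T09:00:00", 4624, "alice", "fs-01", logon_type=NETWORK_LOGON),
    _win("2021-03-01T09:05:00", 4624, "alice", "fs-02", logon_type=NETWORK_LOGON),
    _win("2021-03-01T09:06:00", 4624, "alice", "ws-alice", logon_type=2),  # interactive logon, ignored
    _aws("2021-03-01T10:00:00", "AttachUserPolicy", "alice",
         {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]


def detect_lateral_movement(events, max_hosts=5, window=timedelta(minutes=10)):
    """Return {account: sorted hosts} for accounts whose network logons reach
    more than `max_hosts` distinct hosts inside any sliding `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["source"] == "windows" and e["event_id"] == 4624 and e.get("logon_type") == NETWORK_LOGON:
            by_account[e["account"]].append((e["time"], e["host"]))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        recent = deque()                    # logons inside the current window
        for t, host in logons:
            recent.append((t, host))
            while t - recent[0][0] > window:
                recent.popleft()
            hosts = {h for _, h in recent}  # distinct targets, so repeats don't inflate the count
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def detect_privilege_grants(events):
    """Return one alert per privileged-group addition or admin-policy attachment."""
    alerts = []
    for e in events:
        if e["source"] == "windows" and e["event_id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"technique": "T1098", "actor": e["account"], "target": e["member"],
                           "detail": f"added to {e['group']} on {e['host']}"})
        elif (e["source"] == "cloudtrail" and e["eventName"] == "AttachUserPolicy"
              and e["params"].get("policyArn") in ADMIN_POLICY_ARNS):
            alerts.append({"technique": "T1098", "actor": e["principal"], "target": e["params"]["userName"],
                           "detail": f"attached {e['params']['policyArn']}"})
    return alerts


def correlate(events):
    """Principals that both fanned out across hosts and granted privileges:
    the highest-confidence signal of a foothold being expanded."""
    lateral = detect_lateral_movement(events)
    grantors = {a["actor"] for a in detect_privilege_grants(events)}
    return sorted(set(lateral) & grantors)


if __name__ == "__main__":
    print("lateral movement:", detect_lateral_movement(SAMPLE_EVENTS))
    for alert in detect_privilege_grants(SAMPLE_EVENTS):
        print("privilege grant:", alert)
    print("correlated actors:", correlate(SAMPLE_EVENTS))
```

The design point is the one the bullet makes: none of these actions is blockable in isolation, because a monitoring account legitimately logs on to many hosts and admins legitimately attach policies. The detection comes from rate (distinct hosts per window) and from who is doing the granting, and the correlation step turns two medium-confidence signals about the same principal into one that justifies pulling the plug.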
Not coincidentally, April is National Supply Chain Integrity Month. To learn more about Supply Chain Integrity, check out these articles below:
- Supply Chain Threats | The National Counterintelligence and Security Center
- Supply Chain Integrity Month | Cybersecurity & Infrastructure Security Agency
A massive supply chain attack like the SolarWinds event is unfortunate for all parties involved, but it can be turned into a learning experience. In an ever-evolving threat landscape, it is important to study each breach to understand the methods attackers are using to gain access to our networks, and to use that knowledge to improve both prevention and detection. Consolidating the lessons learned from this one incident can further improve our cybersecurity hygiene.