March 15, 2021 | 3 minute read
The U.S. government could take up to 18 months in its efforts to recover from the SolarWinds supply chain attack, explained the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
Brandon Wales, acting director of CISA, said that the U.S. government’s recovery effort from the SolarWinds supply chain attack could take well into 2022. The task of even determining the extent of the attack might still take the U.S. government several months, he went on to explain. Wales stated that this prediction reflects the complex nature of the breach and the length of time during which the attackers hid in their victims’ networks.
“I wouldn’t call this simple,” Wales clarified, as quoted by MIT Technology Review. “There are two phases for response to this incident. There is the short-term remediation effort, where we look to remove the adversary from the network, shutting down accounts they control, and shutting down entry points the adversary used to access networks. But given the amount of time they were inside these networks—months—strategic recovery will take time.”
As of this writing, the malicious actors behind the SolarWinds supply chain attack had succeeded in compromising at least 10 federal agencies and departments.
News of the first two victims emerged on December 13, 2020 when Reuters reported that nefarious individuals believed to be acting on behalf of Russia had infiltrated the email systems at the U.S. Departments of Treasury and of Commerce.
In the weeks that followed, the Pentagon, the Department of Homeland Security (DHS), the Department of State, the National Institute of Health (NIH), the Department of Justice and the National Nuclear Security Administration confirmed their own respective compromises.
Most recently, The Washington Post confirmed that attackers had also affected NASA and the Federal Aviation Administration.
Yonatan Striem-Amit, CTO and co-founder of Cybereason, explained that the SolarWinds attack represents an escalation of a strategic advantage that malicious actors have enjoyed in the digital space for years if not decades.
“This isn’t just a cyberattack—it is an escalation in the Cyber Cold War and could potentially represent an act of cyber warfare,” Striem-Amit said.
“This new era of conflict is being carried out in bits and bytes on an unprecedented scale with the intent to not only gain access to the opponent’s most critical and strategic secrets but to also gain a persistent foothold within the opponent’s networks for future operations. This is where our adversaries have for too long enjoyed a strategic advantage.”
Those actors have maintained that advantage despite defenders’ efforts to keep them out of their organizations’ networks. In the case of the SolarWinds attack specifically, it was actually those security best practices that helped the attackers infiltrate so many victims’ systems.
“Inadvertently, effective patch management is what let the hackers in,” Striem-Amit pointed out. “It’s one thing to have solutions in place that can detect one component of an attack, but it’s another thing to understand that individual events represent aspects of a larger malicious operation that needs to be detected as a whole in real-time and disrupted before the event escalates to the level of full compromise.”
This realization calls on defenders everywhere to assume a more aggressive, post-breach mindset that focuses on minimizing the time needed to detect and respond to a security incident. As part of that shift, security professionals must stop relying on indicators of compromise (IOCs) from known attacks as the primary means to defend against unknown attacks. That strategy is simply not working, as exemplified by the SolarWinds attacks.
Today’s more sophisticated threat actors customize their attacks according to each of their targets. These highly targeted attacks allow adversaries to stay under the radar of traditional security tools for longer periods, increasing their chances of success. Instead, organizations need to be able to detect based on the more subtle indicators of suspicious or malicious behavior so they can proactively act on deeper contextual correlations and halt an attack at the earliest stages before they escalate into full-blown breaches.
Rather than focus on indicators of compromise, organizations should take an operation-centric approach that leverages these more subtle indicators of behavior (IOBs) to detect and end attacks sooner by correlating otherwise disparate steps early in the attack sequence as it unfolds, giving defenders visibility they need to intercept the malicious activity in minutes rather than weeks or months. It also frees defenders from the need to sift through endless alerts so that they can spend their time on the important tasks that produce a meaningful impact on their organization’s security posture.
“That’s what good security should look like and how good security should perform,” Striem-Amit noted. “A proactive approach won’t guarantee significant security events won’t occur in the future, but they will work to reverse the adversary’s advantage and ensure defenders and the organizations they serve are better prepared and more resilient.”
David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.All Posts by David Bisson