The SolarWinds supply chain hack -- unprecedented in both scope and sophistication -- marks an historic inflection point in how CISOs view the digital supply chain, experts say. By hiding malicious code in a trusted software update for SolarWinds' popular network monitoring platform, Orion, attackers may have gained backdoor access to the networks of thousands of customers, including federal agencies, such as the Departments of Treasury and Justice, and private organizations, such as Microsoft and Cisco. The continuing SolarWinds fallout has prompted companies of all kinds and sizes to regard their third-party technology partners with heightened uneasiness, if not outright suspicion.
"I expect a lot of CISOs are taking an internal look at the possibility of something similar happening in their environments," said Steve Tcherchian, CISO at security software provider XYPRO Technology and a member of the Information Systems Security Association CISO Advisory Council. "I know we are. It has certainly shaken up the industry."
Software like Orion requires some degree of implicit trust to function properly, said Tommy Todd, vice president of security at cybersecurity SaaS provider Code42. But the SolarWinds hack demonstrates the risks of giving even highly reputable third parties routine access to private networks.
"CISOs are definitely on edge after this event," Todd added. "The attack exposes the vulnerabilities associated with the software supply chain and has forever altered trust in vendor patching."
As the SolarWinds fallout continues to unfold amid ongoing federal and corporate investigations, Todd said some organizations have even considered moving certain information offline entirely. In January, for example, the federal judiciary system announced it would require legal professionals to deliver highly sensitive court documents in person, via hard copies or secure electronic devices, such as USB drives, until further notice. The judiciary reported it was working with the Department of Homeland Security to investigate "an apparent compromise" of its electronic filing system related to the SolarWinds attack.
Attacks expose 'soft underbelly' of digital supply chain
Robert Bigman, former CISO at the CIA and president of cyber consulting firm 2BSecure, noted that the nation-state attackers suspected of engineering the SolarWinds hack appeared to be targeting classified government information rather than corporate data.
"This was a classic espionage operation," he said. "It's as if they recruited people inside these agencies to steal information, but instead, they did it via cyber channels."
Nevertheless, the exposure of the digital supply chain's "soft underbelly" has serious implications for the private sector as well, Bigman added. According to many experts, it's only a matter of time until cybercriminals launch similarly insidious, sophisticated copycat attacks on enterprise targets.
"These adversaries seeded the market for other activity," said Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG), a division of TechTarget. "They may not go after my organization today -- they may have higher priorities -- but it was there for the taking."
He added that, according to U.S. officials, the Russian intelligence services that perpetrated the attacks have close ties to cybercriminal organizations to whom they could readily sell access to compromised customer systems. Tomorrow could also bring a new catastrophic supply chain attack via another near-ubiquitous infrastructure provider. "It's everyone's problem," Oltsik said.
Tcherchian agreed, adding everyone across every business should worry. "Some of the industries that are lagging behind in terms of security posture, like healthcare, could be in for a world of hurt -- especially in light of the pandemic," he said.
As many as 95% of organizations don't have the skills or technology to uncover a SolarWinds-type intrusion, said Rick Holland, CISO at cybersecurity services provider Digital Shadows, calling the implications troubling. In the worst-case scenario, such backdoor attacks could ultimately become as pervasive as phishing campaigns, according to Ondrej Krehel, digital forensics specialist and CEO of cybersecurity intelligence firm LIFARS. "Even the average cybercriminal may be able to use them as the initial vector of compromise," he said.
Most experts agreed the SolarWinds hack should serve as a huge wake-up call to enterprise executives to more thoroughly and consistently vet third-party suppliers. Thomas Graham, CISO at cybersecurity consulting firm CynergisTek, said the SolarWinds fallout has exposed the blind trust too many organizations still put in their third-party partners -- despite the long-acknowledged, well-documented risks inherent to the digital supply chain.
"You are only as good as the security of the parties you connect with and the products or services that ride on your network," Graham said. "As I learned early in this business, 'Trust is not a security control.'"
Security teams spend enormous time and energy comparing the cost and performance of security tools and services, added Fred Cobb, CISO and executive vice president at IT service provider InfoSystems. "But what is still off many CISOs' radar is proper vendor risk assessment and reconnaissance."
In the past, organizations have typically asked vendors to fill out routine questionnaires about their security practices, ESG's Oltsik said, but they rarely held their feet to the proverbial fire. He believes that will change because of the SolarWinds attack. "As a CISO, I'm not going to give my vendors a free pass on their security."
Identify, control and audit third-party providers
Tony Howlett, CISO at third-party remote access software provider SecureLink, called the SolarWinds incident "a perfectly executed supply chain attack" that underscores the importance of aggressively identifying, controlling and auditing technology vendors in the enterprise.
"This is another reminder to the typical CISO that third-party access can't be treated like internal employee access," Howlett said, adding that third parties are a "clear and present danger" to enterprise security.
But, for some cybersecurity leaders, just identifying which vendors have access to their extensive software ecosystems will likely prove challenging, according to Simon Gibson, former CISO at Bloomberg and currently an analyst with GigaOm. "Many executives probably have no idea where SolarWinds is deployed internally," he said.
Once they identify all their third-party providers, CISOs should strategically prioritize audits of those that pose the greatest risk, said Joel Fulton, former CISO for application management vendor Splunk and founder of asset discovery startup Lucidum. He recommended organizations approach third-party vendor risk assessments like emergency room doctors triaging patients.
"Not everyone gets a full work-up," Fulton said. "But, for some, you should review not only their code, but also their own third-party security programs." In other words, CISOs must bear in mind that their IT providers also have vendors capable of exposing them to fourth- and even fifth-party risk.
Enterprises should also require vendors to demonstrate their vulnerability notification and disclosure programs, recommended Fred Chagnon, principal research director at Info-Tech Research Group, and favor those with established bug bounty programs. Jackson Shaw, CSO at identity governance and administration software company Clear Skye, added that CISOs should either undertake their own penetration and security reviews or require key vendors to provide evidence of independent testing results.
"There are many providers who are capable of doing code reviews, penetration testing or security reviews that could have caught this," Shaw said.
Plan for the inevitable breach
Some experts argued, however, that enterprises should accept they have limited control over third-party application security. According to Chagnon, they should focus most on their ability to quickly and cleanly respond to and recover from a breach.
"Tempting though it may be in the wake of an event like this to react by tightening controls on vendors in the supply chain, this was a sophisticated attack that doesn't leave a lot of room for prevention in most organizations," Chagnon said. To some degree, he added, CISOs must trust independent software vendors or resort to developing every tool, system and service in-house -- a largely impractical proposition.
Given the rapidly evolving digital ecosystem, the virtually universal reliance on third-party software providers and the increasing sophistication of cyber adversaries, enterprises have to accept a certain level of supply chain risk, agreed Greg Rattray, former global CISO at JPMorgan Chase and former director for cybersecurity at the White House.
"Therefore, organizations must invest greater resources in contingency planning to contain the impact and severity of incidents," he said, adding that those measures should include the following:
- network segmentation;
- strong identity and access management controls; and
- periodic threat hunting.
In light of the SolarWinds fallout, 2BSecure's Bigman, formerly of the CIA, said many of his consulting clients have completely reevaluated whom they allow to access their networks in a support capacity, relegating third-party service providers to isolated DMZs. Similarly, Neil Daswani, co-director of Stanford University's Advanced Cybersecurity Program, advised running any and all third-party software packages on VMs.
"When a third-party compromise does occur, you can quickly contain the attack simply by shutting down those VMs or cutting them off from the rest of your network," Daswani said.
XYPRO Technology's Tcherchian said CISOs also need to embrace more proactive threat hunting and support overworked security teams by adding machine learning and AI to their arsenals. "These types of attacks are going to continue to morph and evolve, becoming harder and harder to detect. It's not a matter of if they're going to get in -- it's when," he said. "The focus should, therefore, be on quickly identifying when they do."
Experts also cautioned security leaders against shifting all their resources and attention to planning for the next SolarWinds-type attack, either at the expense of other cybersecurity initiatives or in ways that don't properly align with their organizations' risk appetites and business objectives.
"CISOs should be mindful of not fighting yesterday's war. We need to be thinking ahead," Holland said. "It is a balance. Take the lessons from SolarWinds, and apply them to your enterprise, but don't build up the equivalent of a 21st century Maginot line."
Still, some CISOs believe the worst of the SolarWinds fallout could be yet to come, given the time it took to discover the attack and its historic severity.
"Any of the software we are using right now might contain malware," said Aviram Jenik, CEO and CISO at vulnerability management provider Beyond Security. "That's like saying we could be in the middle of a second Pearl Harbor attack and don't even know it yet."