When the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) revealed that a persistent hacker group was behind the incident and that it had used multiple tactics to gain initial access, alarm bells rang. The initial investigation suggested that the hacker group belonged to Russia and that it had succeeded in spreading malware to thousands of organizations that were part of the SolarWinds Orion network.
They did this by hiding the malware inside a legitimate update for the Orion network management software. CISA also identified that the attackers bypassed multi-factor authentication by gaining access to secret keys stored on the Outlook Web App server.
Attackers took advantage of software updates and installed a backdoor known as SUNBURST on government and military systems. The long list of victims includes
In this article, you will learn about the key takeaways and lessons from the SolarWinds data breach.
Here are five lessons you can learn from the SolarWinds data breach.
The SolarWinds attack proved one thing: remote monitoring and management tools have grabbed the attention of cybercriminals. Since most managed service providers use these tools to manage and monitor cloud networks, devices and endpoints, they have become a prime target. Compromising one of them makes it easy for hackers to gain access to the data of thousands of customers.
According to Eran Farajun, Executive Vice President of Asigra, “The remote monitoring and management tool agents/probes normally have an operating system and low-level access. These agents/probes are normally not well protected, if at all.” So, how can you protect those agents?
He answers, “One of the best practices is to ensure your most important tools are ‘app-gapped,’ which means they are not integrated into a common platform, which, if compromised, enables the attackers to use it as a proxy to traverse any other tightly integrated application within a platform.”
SolarWinds’ own account added another angle. According to SolarWinds, the hackers managed to insert the malware into software updates by compromising a build system. This incident clearly shows why businesses should treat security as a priority during the application development process.
Since build systems package source code into the artifacts that run in production, it is imperative to protect them from cyberattacks. A build system also plays a pivotal role in software deployment, which makes it just as important to the software development team.
Builds are put through rigorous testing to ensure credibility and consistency, yet any weaknesses that remain in the build system are exactly what hackers exploit to carry out their malicious designs.
Why did the hackers insert malware into legitimate software updates? Because they knew the updates would be trusted and readily installed by all users, which let them deliver malware to millions of devices without being noticed. Software updates have never been viewed with suspicion from a security standpoint, and that is why they were never checked for security issues.
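The build-system and update lessons above come down to one check the article says was missing: before an update is installed, its files should be compared against digests produced independently of the build that shipped it (for example, by a second rebuild of the same source on a separately controlled host, or a manifest published out of band). The following is an added example, not code from the article or from SolarWinds; the file names and contents are constructed stand-ins, and a manifest generated by the same compromised build would of course match, so its value depends entirely on where the reference digests come from.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample update package (file name -> contents). Names and bytes
# are illustrative stand-ins, not real vendor files.
UPDATE_FILES: Dict[str, bytes] = {
    "Orion.Core.dll": b"legitimate core build output v1",
    "Orion.Plugin.dll": b"legitimate plugin build output v1",
}

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's contents as a hex string."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Reference manifest as an independent, trusted rebuild would produce it."""
    return {name: sha256_hex(data) for name, data in files.items()}

def verify_update(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Compare a downloaded update against the reference manifest.

    Returns a list of findings; an empty list means every expected file is
    present with the expected digest and nothing extra was shipped.
    """
    findings: List[str] = []
    for name, expected in manifest.items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            findings.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest:  # files the reference build never produced
            findings.append(f"unexpected file: {name}")
    return findings

def tampered_package() -> Dict[str, bytes]:
    """Constructed copy of the package with one file altered after the build."""
    files = dict(UPDATE_FILES)
    files["Orion.Core.dll"] = UPDATE_FILES["Orion.Core.dll"] + b"<altered>"
    return files

if __name__ == "__main__":
    reference = build_manifest(UPDATE_FILES)
    print("clean package:", verify_update(UPDATE_FILES, reference) or "OK")
    print("tampered package:", verify_update(tampered_package(), reference))
```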
The SolarWinds attack also proved that third parties supplying technologies and services have become a soft target for hackers. Since customers trust those third parties blindly, cybercriminals have a great opportunity to insert malware through these third-party service providers.
Hackers can hide malware inside software and infrastructure components, which makes it tough for cybersecurity experts to identify. That is why they frequently use trusted software to inject malware. It can even bypass some of the best vendor vetting processes and supply chain security checks.
Thankfully, you can minimize the damage by segmenting your network. Another great way to do that is through app gapping: create gaps between your critical applications. This goes a long way in preventing an attack from spreading to other parts of the network or to other applications. By containing the damage, you also increase the effectiveness of remediation efforts.
Security professionals should rethink access control and choose a security methodology that puts more emphasis on zero trust and less on blocking malicious and suspicious traffic. Instead of manually whitelisting traffic as it is allowed through, the methodology itself should explicitly permit only what is required.
From sophisticated and hard to detect to difficult to contain, cybersecurity attacks come in all shapes and sizes. To make matters worse, an initial investigation might point towards a different finding than the final report. This can send you in one direction while the real culprit lies in another. That is when you have to hold off on taking action and dig deeper to identify the real cause behind the attack. That is exactly what happened in the SolarWinds incident.
Which lesson did you learn from the SolarWinds data breach? Share it with us in the comments section below.