SolarWinds Breach a.k.a. SunBurst - Musings
The SolarWinds breach has brought a key supply-chain attack vector, software supply chain security, into the limelight. Some experts have ranted about secure development, but that is still an area that faces a lot of organizational, cultural and awareness challenges. Though it is improving, it is a long way from any level of maturity and it will never be the silver bullet that prevents threat actors from compromising software. Meanwhile, we still need third-party software and patches, including privileged IT management and cybersecurity tools. Many of the commonly deployed security and infrastructure management tools and suites, viz. EDR, anti-virus, dev toolkits, IT asset management and network management, have unfettered access to everything on your infrastructure. That renders these tools far more dangerous weapons for the attacker than any malware they may build, download or run.
(Shameless plug: ask us about our agentless response and remediation which reduces this exposure.)
So, what do we do?
We have always been a proponent of the defense-in-depth methodology. Build good old-fashioned defense-in-depth architecture: operate in well-defined, segmented environments with a sound least-privilege implementation. No one technology can save you. Work with the assumption that any of the third-party software in use could be used in a supply chain attack. Do not fall into the trap of some security vendors who vehemently claim that detection is dead. It most certainly is not. In fact, detection is the foundation of prevention too. Well-implemented detection will help catch the attack early on, allowing proper incident response before the crown jewels are compromised.
"Cybersecurity is a constant cycle of attack and defense."
This means understanding the relationship between attacks and their impacts, and creating layers of defense-in-depth that enable quick detection and mitigation of these attacks (read: cyber resilience). The laws of computing hold for any attacker, as they do for the defender. That is to say, even the most sophisticated attacker can be caught somewhere in their attack chain (refer to the MITRE ATT&CK matrices). Defenders may not be able to stop every threat actor from compromising the infrastructure, but defenders can definitely focus their efforts on detecting the threat actor well before they achieve their objectives and/or cause irreparable damage.
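To make the detection point concrete, here is an added example (not code from the original post or from any vendor it mentions) of one cheap layer a defender can put around the privileged tools the post is worried about: learn a baseline of which management-tool processes talk to which network destinations, then flag any later connection from such a process to a destination never seen before. A trusted agent with broad access that suddenly reaches out somewhere new is exactly the kind of early signal in the attack chain that does not depend on a malware signature. All process names, hosts, domains and log lines are constructed for the demo, and the watched-process list is an assumption.

```python
"""
Added example: behavioural baseline for privileged management tooling.
Learns "process -> known destinations" from historical connection logs and
reports connections from watched processes to destinations absent from the
baseline. Names, domains and log lines below are constructed, not real.
"""
from collections import defaultdict

# Assumed names of privileged management/security agents to watch.
WATCHED_PROCESSES = {"mgmtagent.exe", "edr-sensor", "backup-svc"}

# Constructed historical connection records (a week of "normal" traffic).
BASELINE_LOGS = """
2020-12-06T08:00:01Z host=srv01 proc=mgmtagent.exe dst=updates.vendor.example:443
2020-12-06T08:00:05Z host=srv02 proc=mgmtagent.exe dst=updates.vendor.example:443
2020-12-06T09:12:44Z host=srv01 proc=edr-sensor dst=cloud.edr.example:443
2020-12-07T02:00:00Z host=srv03 proc=backup-svc dst=backup.internal:10000
2020-12-07T08:00:02Z host=srv03 proc=mgmtagent.exe dst=updates.vendor.example:443
2020-12-08T11:30:00Z host=srv02 proc=chrome.exe dst=www.example.org:443
""".strip().splitlines()

# Constructed new records to evaluate against that baseline.
NEW_LOGS = """
2020-12-13T08:00:03Z host=srv01 proc=mgmtagent.exe dst=updates.vendor.example:443
2020-12-13T08:07:19Z host=srv02 proc=mgmtagent.exe dst=cdn-static.example.net:443
2020-12-13T12:00:00Z host=srv02 proc=chrome.exe dst=news.example.com:443
2020-12-13T14:21:07Z host=srv03 proc=backup-svc dst=backup.internal:10000
""".strip().splitlines()


def parse(line):
    """Parse 'ts key=value key=value ...' into a dict; None on malformed input."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        rec[key] = value
    if not {"host", "proc", "dst"} <= set(rec):
        return None
    return rec


def build_baseline(lines):
    """Map each watched process to the destinations it has been seen contacting,
    and record on how many distinct hosts each (process, dst) pair appeared,
    so an analyst can tell a fleet-wide destination from a one-host oddity."""
    dests = defaultdict(set)
    hosts = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proc"] not in WATCHED_PROCESSES:
            continue
        dests[rec["proc"]].add(rec["dst"])
        hosts[(rec["proc"], rec["dst"])].add(rec["host"])
    return {"dests": dict(dests), "hosts": {k: len(v) for k, v in hosts.items()}}


def find_anomalies(baseline, lines):
    """Return (ts, host, proc, dst) for every watched-process connection whose
    destination is not in that process's baseline. Unwatched processes and
    malformed lines are ignored rather than raising."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proc"] not in WATCHED_PROCESSES:
            continue
        known = baseline["dests"].get(rec["proc"], set())
        if rec["dst"] not in known:
            hits.append((rec["ts"], rec["host"], rec["proc"], rec["dst"]))
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for hit in find_anomalies(base, NEW_LOGS):
        print("privileged tool contacted a never-seen destination:", hit)
```

In this run the only finding is the management agent on srv02 reaching a destination it had never contacted during the baseline week; the browser's new site is ignored because browsers are not on the watch list. In practice the baseline would be fed from EDR or firewall telemetry and the watch list populated from your asset inventory of agents with broad access.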
What can we do now?
Incidents like this are good catalysts and bring cybersecurity into perspective for executive management and/or the board. This is a good time to shore up the support you need to build an effective security architecture that follows the defense-in-depth principle, with a key focus on rapid detection and effective response and remediation.
Sunburst TTPs (tactics, techniques and procedures) have been reported in non-SolarWinds customers too. If you have not done so already, engage a good threat hunt team (internal or external) that can run a thorough hunt across your infrastructure and confirm the presence or absence of the Sunburst threat. Also consider a good tabletop exercise with all the stakeholders and run through a compromise of your key IT management and security tools: what would you do, how would you detect, analyze, mitigate and respond to such a compromise, and do you have the ability to remotely or centrally contain the compromise?
Beware of any one vendor who claims they can prevent this kind of supply chain attack. It is naive to fall for such FUD traps.