The Solarwinds Hack for Dummies
Although information security (a.k.a. Cyber) is all the rage at the board level today, securing information as a practice predates contemporary computers, networks and even modern civilisation. In fact, it’s been around since the Roman Empire. Cyberpunks and script-kiddies alike know the story of the ‘Caesar Cipher’. For the uninitiated, a Caesar cipher is arguably one of the oldest and best-known encryption techniques. A type of substitution cipher, it involves replacing each plain-text letter with the letter a fixed number of positions further down the alphabet. For example, a right shift of 3 turns the letter ‘G’ into ‘J’ in the written text, so the phrase “this is a secure message” becomes “wklv lv d vhfxuh phvvdjh” under a right shift of 3. It is called the Caesar cipher because Julius Caesar is said to have used this technique in private messages to stop unwanted eyes from learning his intentions.
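As an added illustration (not part of the original article), here is the cipher just described in Python, using the article’s own phrase and shift, together with a function that lists every possible shift. The second function is the reason the Caesar cipher stopped being secure a very long time ago: its entire key space is 25 shifts, so a handful of common English words is enough to pick out the key.

```python
# Added example, not code from the original article: the Caesar cipher
# described above, using the article's phrase and a right shift of 3, plus
# a demonstration of why it offers no real secrecy: the key space holds only
# 25 usable shifts, so every candidate plaintext can be listed at once.
COMMON_WORDS = {"the", "a", "is", "and", "of", "to"}  # tiny crib list for scoring


def caesar_shift(text, shift):
    """Shift every letter `shift` positions to the right (mod 26).

    Case is preserved and non-letters (spaces, punctuation) pass through.
    """
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, shift):
    """Undo a right shift by shifting left the same distance."""
    return caesar_shift(ciphertext, -shift)


def all_candidates(ciphertext):
    """Every possible plaintext keyed by shift: the whole key space is 25 entries."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def recover_shift(ciphertext):
    """Return the shift whose candidate plaintext contains the most common words.

    With only 25 keys, a few cribs such as 'a' and 'is' single out the key.
    """
    def score(candidate):
        return sum(1 for word in candidate.lower().split() if word in COMMON_WORDS)

    candidates = all_candidates(ciphertext)
    return max(candidates, key=lambda k: score(candidates[k]))


if __name__ == "__main__":
    plaintext = "this is a secure message"  # the article's example phrase
    ciphertext = caesar_shift(plaintext, 3)  # -> "wklv lv d vhfxuh phvvdjh"
    print(ciphertext)
    shift = recover_shift(ciphertext)
    print(shift, caesar_decrypt(ciphertext, shift))
```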
Encryption is just one of many concepts in the domain of information security. Whilst the Cyber-experts babble in obscure language with tales of Ransomware, Trojan Horses and DDoS attacks, it’s not terribly complicated. Confession – in the 90s, I cut my teeth in the security space implementing firewalls and VPNs (both contemporary technologies back then) for clients. I also provided host-based vulnerability analysis and intrusion detection services (see how easy it is to talk fancy about security?) on Unix, VAX/VMS and eventually Windows-based systems.
But here’s the dirty little secret security professionals won’t tell you today – the basics of managing security are the same today as they were back in the day, with one notable difference: the risks are far greater, and the speed at which vulnerabilities are exploited is exponentially faster than it was 20 years ago. That is because we are increasingly connected via our mobile devices, which link multiple authentication methods (Facebook, Google, etc.), in a world of increasingly sophisticated exploits.
That’s why it’s so important to have a basic understanding of what happened earlier this month around the so-called ‘SolarWinds’ breach.
What Actually Happened?
On December 8th, news broke about a novel security attack. FireEye, an enterprise security software provider, was the first to detect the compromise, after its own penetration testing toolset was stolen. Very quickly FireEye identified that the attack was widespread, having started back in March of 2020 and targeting various public and private sector organisations across the globe. The technical term for this attack is a ‘supply chain’ attack. In a supply chain attack, a hacker compromises a third-party vendor’s software, which is then installed on the target’s network and sits idle until it receives further instructions from the hacker.
In this instance, the third party was a software vendor called ‘SolarWinds’. SolarWinds makes a well-known and widely used IT management solution which allows network and computer administrators to monitor the health and wellbeing of their computer environment. SolarWinds’ marquee software offering, called ‘Orion’, represents 45% of SolarWinds’ total revenue and is used heavily across industry and various US government departments.
In summary, the attackers initially breached the SolarWinds company early in 2020, got into its network and planted malicious software (a.k.a. malware) inside SolarWinds’ flagship Orion product. Customers of SolarWinds then installed the infected Orion update onto their own networks, infecting an estimated 18,000 of the 300,000 total customers with malware that security experts named SUNBURST. After a period of sitting quietly dormant on the infected network, SUNBURST fires up, contacts a rogue domain name for further instructions and then carries out commands whilst disguising its traffic as the Orion Improvement Program (OIP) protocol: transferring files (stealing information), executing programs (deleting files), rebooting servers and disabling system services. Because SUNBURST is a very sophisticated piece of malware that leverages multiple techniques to disguise its activity and evade detection, most security experts suspect that a state-sponsored group is behind the attack.
Unfortunately, expect more (not less) of this in the future. Many press outlets are pointing to Russia as the state actor, and the fact that Trump denies this is, IMHO, further evidence that it may well be Russia. Interestingly, and falling into the category of complete bullshit behaviour by capitalists, SolarWinds announced both a large stock transaction and the transition out of their CEO (effective early 2021) on December 9th, two days before allegedly learning of their software’s pivotal role in the hack. But I digress…
Where to from Here?
For now, things seem to be quieting down around the attack, with ample security expertise and large software companies all over this now. A week ago, security experts commandeered a key malicious domain name that SUNBURST used for coordination, turning it into a ‘killswitch’ to slow the attack. As the dust settles, it is estimated that 198 organisations were hacked, according to Allan Liska, a threat analyst at Recorded Future, as reported by Bloomberg. As companies rush to patch the SolarWinds Orion software, the fallout will continue. Realistically, it will be months before people really understand the fuller implications. Unfortunately, and as with most attacks of this type, we may never really know the full extent of the breach. Historically, companies and government agencies do not fully disclose the extent of their losses for fear of reputational damage, stock impacts, lawsuits or all of the above. SolarWinds saw their stock drop from $24 a share to about $14 a share before recovering slightly.
At this point, the only thing left is to take the lessons on offer from this latest attack.
The first point is that as we become more and more dependent on external providers to provide security, we need to balance that dependency with some common sense around single points of vulnerability/failure. As organisations move en masse to the cloud, imagine the damage if attackers executed a similar play against a major provider of cloud services. Let’s face it, the days of hiring a Chief Information Security Officer (CISO) and ticking the ‘secure’ box are long gone. Considering that this attack had been gestating for months and was only detected after a prominent computer security company was itself thoroughly compromised, it speaks to the level of sophistication of modern-day attacks. Be prepared.
Secondly, and this will seem at odds with my first point, don’t buy into the hype. By that I mean make sure that any advice comes from a credible source who has your organisation’s best interests at heart. You can spend a hell of a lot of money on tools only to find yourself MORE vulnerable than before you started on the security journey. Over the years, I’ve seen all sorts of security practitioners, most of whom are dedicated professionals with a passion for the subject matter. There are, however, those who spruik the latest fads for their own personal gain. There is no substitute for doing the basics – understanding what you’re spending in the security domain (where, what, how), understanding how many people are dedicated to the function, and gauging the effectiveness of your governance practices goes a long way towards answering the question of security risk management. Show me a 2-3 person security organisation with minimal oversight/governance and a small budget and I’ll show you a vulnerable organisation.
Lastly, a basic knowledge of information security is a must for all management and board-level executives. I have been astounded by the lack of ‘basic’ understanding of the SolarWinds hack among several executives I’ve spoken to since the initial revelation. Sure, most are aware of the incident, but when probed a single level deeper as to what actually happened, many of the people I’ve spoken to haven’t the first clue. Offload or outsource control of this critical function at your own peril. Understanding the basics of layered security (physical, network, database, operating system, application, process), along with the need for a security strategy, policies and real-time reactive/proactive monitoring of an organisation’s security profile, is imperative.
At the end of the day there’s no way to ensure 100% of the risks are addressed in the security chain. It is a complex system with numerous interdependencies with any single weak link exposing the whole chain. Think about it – even though Caesar had his cipher to encrypt communications, he was still ambushed on the steps of the senate.
Jeffery Eberwein is a senior partner focused on business transformation delivered through technology enablement. He can be contacted at jeffery.eberwein@au.ey.com
“Ambushed on the steps of the Senate” was a remarkably prescient conclusion to your article Jeff. Happy New Year!
Great article Jeff
Grae Meyer-Gleaves and Nikil Deo
My learning from this is think twice before signing up for another meal delivery app for the free credit it offers 😊.