The SolarWinds supply-chain attack that compromised numerous high-profile targets, including a leading cybersecurity company and U.S. government agencies, has brought to the forefront not only the risk of third-party security vulnerabilities, but also the fact that these breaches can remain undetected for a very long time.
Why security hygiene isn’t enough
SolarWinds is neither the first such incident nor will it be the last. What is notable is that the attack bypassed best-in-class security mechanisms and exposed the limits of security hygiene alone in avoiding data breaches. This raises the question of how organizations should manage their security investments to adequately protect their bottom line.
Third-party risk is the Achilles heel of application security
The SolarWinds attack once again highlights the role of third parties as the weak link in the security chain.
As part of the SolarWinds attack, the threat actors gained access to the SolarWinds Orion build system and inserted a backdoor into a legitimate DLL that ships with the product. The trojanized file was then distributed to SolarWinds customers through the product's normal update mechanism, the same channel used to push out software patches. Once installed, the backdoor "phoned home" to command-and-control infrastructure operated by the attackers, which gave them a foothold inside the victim's network from which to take further action.
Because the backdoor was delivered in an update that carried a valid SolarWinds digital signature, the usual integrity checks passed: a code signature proves who published a file, not that the build it came from was clean. Few customers had any reason to suspect that the update was compromised.
Protecting the supply chain is not a new problem. Among the more notable past incidents, the Target breach began with network credentials stolen from a third-party supplier, which the attackers used to reach Target's environment and deploy malware on point-of-sale systems. More recent supply-chain attacks have included hijacked packages on the RubyGems and npm registries, which can compromise software libraries used by thousands of developers worldwide.
After each such incident, we are reminded of the importance of third-party risk management. However, despite organizations' best efforts to put in place programs for evaluating their vendors, a risk of compromise remains, in part because the attack vectors keep growing more sophisticated.
Security breaches can remain undetected despite best-in-class tools
The more notable aspect of the SolarWinds hack was that the attack remained undetected for a very long time. The threat actors began distributing the backdoor in March 2020; it then sat silently in some of the compromised networks for months, harvesting information and performing other malicious activity. Among the victims was FireEye, a security company whose business includes detecting data breaches.
According to FireEye, the attack was the work of sophisticated attackers, and that sophistication shows on both the development and the operational side. On the development side, the backdoor carried anti-analysis countermeasures: it checks the file-system timestamp of its own DLL and only phones home once the file has been on disk for 12 to 14 days. A sample dropped into a malware sandbox or other instrumented environment therefore produces no observable network activity during a typical analysis run, which greatly reduces the chance that automated detonation catches it.
On the operational side, the attackers appear to have used dedicated infrastructure for each victim, so the network-based indicators of compromise collected from one intrusion, which companies like FireEye rely on in part to detect malicious activity, could not simply be matched against another. Together, these techniques let the attackers evade even best-in-class detection technologies for months.
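The delayed-activation gate described above, and the countermeasure an analyst would apply to it, as an added example that is not code from the article or from FireEye's analysis. Only the 12-to-14-day window comes from the text; the function names, the seeded delay choice, and the throwaway placeholder file are assumptions made for illustration, and nothing here models the real backdoor beyond the timestamp check.

```python
import os
import random
import tempfile
import time

SECONDS_PER_DAY = 86400

# Hypothetical delay window modelled on the behaviour described in the text:
# the backdoor waits until the DLL's last-write time is 12 to 14 days old.
MIN_DELAY_DAYS = 12
MAX_DELAY_DAYS = 14


def choose_delay_days(seed=None):
    """Pick a dormancy period somewhere in the 12..14 day window.

    A fixed seed is accepted so the behaviour is reproducible; how the real
    backdoor chose its delay is not modelled here.
    """
    rng = random.Random(seed)
    return MIN_DELAY_DAYS + rng.random() * (MAX_DELAY_DAYS - MIN_DELAY_DAYS)


def gate_open(last_write_time, now, delay_days):
    """Return True when the file has been on disk for at least delay_days.

    This mirrors the anti-analysis check: a sample copied into a sandbox
    minutes ago has a fresh timestamp, so the gate stays closed and the
    sample does nothing observable during the analysis run.
    """
    age_days = (now - last_write_time) / SECONDS_PER_DAY
    return age_days >= delay_days


def backdate_file(path, days):
    """Analyst-side countermeasure: rewrite the file's atime/mtime to `days` ago.

    os.utime sets both timestamps; gate_open then sees an old file and the
    gate opens on the first run instead of after two weeks.
    """
    past = time.time() - days * SECONDS_PER_DAY
    os.utime(path, (past, past))
    return os.stat(path).st_mtime


def demo():
    """Write a throwaway file, show the gate closed, backdate it, show it open."""
    delay = choose_delay_days(seed=1)
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"placeholder payload")  # constructed stand-in, not malware
        path = fh.name
    try:
        now = time.time()
        fresh = gate_open(os.stat(path).st_mtime, now, delay)  # False: just written
        backdate_file(path, MAX_DELAY_DAYS + 1)                 # now 15 days old
        aged = gate_open(os.stat(path).st_mtime, now, delay)   # True: gate opens
    finally:
        os.unlink(path)
    return fresh, aged


if __name__ == "__main__":
    print(demo())
```

The point for a detection team is that a dormancy gate keyed to file age is cheap to defeat once you know it is there (backdate the sample, or run the sandbox with an accelerated clock), but invisible to a detonation that simply runs the sample as dropped. Per-victim command-and-control infrastructure is the same idea on the network side: it defeats indicator matching, not behavioural analysis.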
Security investments must include mechanisms to mitigate risk of cyber loss
As much as the SolarWinds attack teaches a lesson in managing cybersecurity risk and improving the ability to avoid data breaches, it also exposes the limits of good security hygiene alone in stopping them. In other words, organizations must be increasingly prepared to deal with breach events and focus on mitigating the risk of the resulting loss.
Risk of loss, in the legal sense, means which party bears the burden of paying the cost of a breach. That burden may shift depending on applicable laws, as well as on any contractual obligations in place between an organization and its third parties.
To adequately protect their bottom line, organizations must increase investment in mechanisms that mitigate the risk of loss when the security measures meant to prevent or detect a breach fail.
Increase focus on risk mitigation
Mechanisms to mitigate the risk of cyber loss include an organization's ability to evaluate and minimize its exposure to potential incidents, and to withstand an incident both technically and financially with minimum impact on its bottom line.
The following mechanisms assist with these objectives.
- Risk assurance: Evaluating and minimizing risk exposure is done through risk assurance mechanisms. Managing third-party risk through security evaluations reduces the likelihood of breaches, but the risk is never zero. Tools like data protection impact assessments should be used to decide the level of scrutiny a third party warrants, and the resulting data protection requirements should then be translated into contractual obligations. Under laws such as the EU General Data Protection Regulation and the California Consumer Privacy Act, organizations not only have a duty to ensure reasonable security safeguards for personal data, they also carry liability for a data breach even when a third party caused it. They should therefore mitigate the risk of loss by putting in place contractual commitments with third parties that are commensurate with the risk exposure.
- Incident response: A well-designed incident response plan helps mitigate both the technical and the financial impact of a data breach. A plan that lays out a clear protocol for recovery and remediation, as well as for incident notifications, saves valuable time when time is of the essence, not only for restoring availability but also for the downstream financial and legal consequences. Most regulations impose strict requirements to notify the appropriate parties, including regulatory authorities, after a breach. Delayed notification has increasingly drawn stiff penalties from regulators and can create additional liability if it violates an organization's contractual obligations.
- Risk transfer: Most organizations purchase cyber insurance to help with the cost of carrying out breach management protocols such as those in an incident response plan. A cyber insurance policy typically covers the cost of engaging a forensics team to investigate the incident and establish a root cause, and of a public relations firm to handle breach notification to affected parties and regulatory agencies. Perhaps most importantly, a well-written cyber policy covers liability arising from cyber loss, up to the policy's limit. It must be emphasized that organizations should not rely on risk transfer alone; it works in conjunction with risk assurance and incident response. Risk assurance matters because the contractual commitments negotiated from third parties should align with the liability cap in the organization's cyber insurance. Incident response matters because recovery on a cyber claim is typically limited by how quickly the organization responded to the incident, and the lack of a well-designed incident response mechanism can significantly reduce it.
The lesson from the SolarWinds incident is not just the obvious fact that no one is immune to data breaches. Nor is it enough to manage cybersecurity risk by improving security hygiene. The lesson that must not be ignored is that organizations need to increase their focus on adopting risk mitigation mechanisms to protect their bottom line.