The SolarWinds breach is one of the largest cyberattacks of 2020, impacting 425 of the US Fortune 500 companies, the top ten telecommunications companies, the top five US accounting firms, a large percentage of the Inc. 5000 firms, all elements of the US government, and many universities and colleges across the globe.
This “supply chain” cyberattack will likely cause significant issues for US companies and governmental agencies for quite some time.
A positive to take away from this event is the awareness of cybersecurity it can bring to Chief Executives. Hopefully it brings the realization that simply investing in and installing toolsets will not, on its own, protect their infrastructure from attack. It is crucial for Chief Executives to be made aware of the impact and potential risk of third-party applications and of this attack in general.
The collective cybersecurity community knows breaches can happen to any organization at any time, and sharing the details of the attack with the community is vital to the ability to combat such threats moving forward.
The US is likely to impose diplomatic and economic measures on whoever caused the incident. Although it has been reported as the worst cyberattack in history, there will be more sophisticated threat actors and attacks targeting prominent organizations and countries in the future. The only constant in the cyber battlefront and threat landscape is that it is in a constant state of change.
Even though this initial incident has subsided from the news cycle, we will likely see more fallout in the near future, and there will always be long-term effects from the SolarWinds breach. The way in which organizations think about security will be approached with much more attentiveness and focus on continuous monitoring and the ability to deploy rapid response teams. This is an immediate wake-up call to leaders in all industries. It is clear this particular incident wasn’t industry specific. It impacted every organization that was large enough to require network monitoring tools. SolarWinds was the tool of choice for network administrators, many of whom had administrative access throughout the entire organization that could have been used by the threat actors.
Access was obtained through the malware dubbed SUNBURST. The malware was pushed through SolarWinds Orion updates for months before being detected, and this allowed SUNBURST to gain administrative-level access within the environment. There is a long list of organizations affected by the malware, and identifying whether or not access was escalated is crucial. Reviewing logs and determining exactly where the threat actors moved laterally is required to get systems back to running normally and malware-free.
Keep in mind that technology alone will not solve this issue. The security analysts monitoring 24/7 are the key component in protecting your organization. Expertise wins the battle in a cyberattack where any company is a target. Tools alone are not always going to stop threats. In fact, in the SolarWinds breach, it was cybersecurity personnel who acted upon the alerts and detected the incident. Experts were able to identify and counter the attack. Companies need to be extra mindful of their security posture. If you aren’t using any proactive cybersecurity services, now is the time to consider them in order to remain secure for years to come.
In preparation for these types of events, SpearTip recommends having a dedicated cyber insurance policy with sufficient limits and the right coverage types. It is critical to work with a cyber insurance broker that fully understands cyber coverage. On average, a company will experience an outage or business disruption, even if the ransom is paid. The length of this outage depends on how quickly the collective team of forensic firms, insurance carrier, and legal teams is engaged.
To help IT and security teams who use SolarWinds’ Orion software, SpearTip has released a free tool, SunScreen SPF 10. It was created and developed to root out compromised versions and also to enable the detection of potentially malicious activity. ShadowSpear® Neutralize actively prevents malicious programs from injecting into memory, and our Security Operations Center (SOC) works 24/7 to respond to such events.
Fortunately, ShadowSpear® has stopped, and continues to alert on, malicious activity related to the SUNBURST malware in several of our clients’ environments. The world is bound to feel the implications of the SolarWinds breach for a while, so if you have any questions or concerns about this incident, please contact our SOC at 833.997.7327.