The recent FireEye breach and US Government attacks, resulted from what is known as a “supply chain compromise.”
A supply chain attack occurs when someone penetrates your system through an outside partner or provider with access to your systems and data. In this case, that partner was SolarWinds which provides security management tools to FireEye.
Without SolarWind’s knowledge, legitimate software in SolarWinds Orion was modified by nation-state threat actors. Malicious code was embedded and masked in a software update that ran before the legitimate code could run, leaving an open back door for attackers.
FireEye indicates that the attack may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft.
What makes this compromise significant is the sheer number and types of SolarWinds customers impacted, including government, consulting, technology, telecom and extractive entities in North America, Europe, Asia, and the Middle East. There may be more. It truly underscores why a widely adopted and trusted software would be the target of a sophisticated state-sponsored attack.
The response: SolarWinds, FireEye, and CISA
- In response, SolarWinds released their recommendations which include upgrading to the latest hotfix as well as hardening guidelines.
- FireEye lists further information from their threat research that includes Tactics, Techniques, and Procedures. They’ve also published detections/signatures to help the community.
- CISA has also issued an Emergency Directive for government agencies which include isolating Orion servers from the network, reimaging the OS, removing threat-actor accounts, resetting credentials, and more.
What can you do to protect against a supply chain attack?
Organizations have been working hard to put preventive measures in place to secure their environments. But we all leverage software from trusted companies and partners. So what can you do to ensure that you’re protected?
While organizations do not directly control the code or software development, making security difficult, there are precautionary measures you can take to minimize risks and improve your security posture:
- Align your security program to an industry-recognized cybersecurity framework, such as:
- National Institute of Standards & Technology Cybersecurity Framework (NIST CSF)
- Center for Internet Security Critical Security Controls (CIS-CSC or CIS-20)
- International Organization for Standards – Information Security Mgmt (ISO-27001)
- Perform regular patch management to update software and potential vulnerabilities.
- Continuously scan for vulnerabilities.
- Establish third-party risk management into your security program to identify risks during onboarding as well as continual monitoring after due diligence.
- Perform real-world tests against your environment, such as table-top exercises to create awareness and identify deficiencies.
- Implement segmentation to prevent lateral movement of threats.
- Implement behavioral- and anomaly-based detection tools in addition to signature-based tools.
Employing a defense-in-depth strategy, taking a proactive approach to your security program, and keeping employees educated on the current threat landscape will all help to reduce the risks and potential impact for unforeseen threats.
Logicalis stands ready to help you harden your security posture. Contact us or call 1-866-456-4422 for more information.