Security Summit: SolarWinds attack was an attack on trust
The SolarWinds hack last year offered some valuable insights into the true cost of a cyber attack, said Charl van der Walt, head of security research at Orange Cyberdefense, delivering one of the opening keynote addresses at the ITWeb Security Summit 2021 this morning.
SolarWinds, the US network monitoring software development firm, had about 300 000 customers. The company was compromised and a backdoor inserted into its software, which impacted or potentially impacted about 18 000 customers who downloaded the backdoored version of the software.
There were 109 confirmed victims, made up of about 100 commercial entities and about nine US government agencies.
“The number is probably even higher now, and it’s certainly much higher than we think it is,” noted Van der Walt.
Carried out allegedly by Russian state-backed attackers, the hack used a routine software update to slip malicious code into the company’s infrastructure monitoring and management software, Orion, and used it as a vehicle for a massive cyber attack against US entities.
A classic supply chain attack, incident responders believe hackers may have had access to the company’s internal systems since September 2019, more than a year before the incident was reported.
“I want to touch on systemic issues. We know we should all be thinking about the security of our hardware and software supply chains, but the supply chain, in this case, was really a symptom rather than the cause of the problem,” he said.
According to Van der Walt, there are three elements that contribute to incidents such as this one.
The first is the role of government investments in computer hacking operations. “And in this case, we know that this work was sponsored and directed by and funded probably by government budgets.”
The second major factor, he said, is security debt.
“There’s this idea that as we take shortcuts, and make compromises when developing and securing our systems, those compromises accrue on a kind of ‘side balance sheet’ as debt in the same way that financial debt would accrue on your business's balance sheet. This debt is passed down, so if there was debt in the SolarWinds product and you use it, you inherit that debt and it becomes part of your own balance sheet. Eventually, as this debt accrues, it reaches a critical mass which must be paid out, and failure to pay instantly leads to compromise, or worse.”
The third factor is interdependence.
“Interdependence is understood, most commonly, in the context of supply chain attacks,” Van der Walt said. “We understand that if our suppliers and our vendors have security problems and we inherit those security problems, we are dependent on their security for our security. But interdependence goes further than that and describes the relationships that we have with each other, security-wise not just as a top-down, but as a web, or network of dependency that is created because of the nature of cyber space and because of how interconnected our systems are, as well as how our risks are distributed across our homogenous networks.”
In the case of SolarWinds, he said, we would see that businesses have a connection by virtue of the fact they were all using the same software. This creates a shared risk, and highlights the complex, multi-dimensional and multi-directional relationships that we have with one another in cyber space and in the cyber security problem.
“This suggests that we can't think of security purely through the lens of our own risk. We can't think of supply chain security purely as a top-down matter where we have to consider our vendors. We also need to consider the impact our security decisions have on our stakeholders, and even secondary and tertiary effects on other people or businesses that might depend on what we do.”
He said the reason for this is because interdependence allows for what he called “contagion”.
“In a highly-connected, highly-direct environment, what you find is that ideas, patterns, attitudes, emotions, news − any sort of corrupting influence spreads very quickly from one node to another, and not just in one direction, but in multiple directions.”
The impact is an attack on trust, and the consequence of this is fear, uncertainty and doubt, which can be expensive and highly damaging.
“What you see in the case of SolarWinds is that when a component is compromised, then you end up with a list of potential victims. I want to note the delta between the 18 000 potential victims and the 109 confirmed victims in this case. Those 17 891 represent a very interesting theme.
“In a way, they [the 109] are the lucky ones. They know they've got a problem, and can get on with the business of triage, response and recovery. It's the 17 891 that aren't sure, because until you find evidence of a compromise, you can't prove there is no compromise.”
In this case, everyone who is potentially impacted, and everyone who's dependent on them, now sit with the burden of uncertainty, fear and doubt that emerges in these highly interconnected contagious environments.
“This principle illustrates the real cost of attacks like SolarWinds.”