The SolarWinds Hack and Life Lessons from a Nation State

Will Enochs
6 min read · Dec 28, 2020

If you have been keeping up with cybersecurity news during the month of December you are no doubt acquainted with what started as FireEye reporting a breach of its internal network. Their efforts uncovered the larger breach of the technology vendor SolarWinds. Details are still forthcoming, but the blame game is already in full swing, with stories of lax security practices at SolarWinds already starting to surface (https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack).

This article, however, is not meant to throw stones at SolarWinds (good information security is hard and expensive) or to speculate whose chestnuts might be roasting over an open fire this holiday season now that the SolarWinds CEO has just announced his retirement. Instead I would like to use this high profile story to pull some universal life lessons from this nation state APT group that can help us make our own lives better as we start the new year.

Patience is your ally

We have all heard that “good things come to those who wait”, which I interpret as “good things come to those who wait for the right opportunity”. One of the hallmarks of a more seasoned cyber operative is patience. A cyber operative who is uncalculated, overzealous, and acts with uncertainty will be easily discovered. However, one who is prepared and waits for the right opportunity will likely find success. There are two things about the SolarWinds hack specifically that caught my eye as they relate to patience.

Both of these facts show us that these operators were playing the long game and were comfortable biding their time and waiting for the right opportunity. This brings us to our next life lesson.

Flexible people never get bent out of shape

Any high level cyber operative, nation state, or corporate red team has specific objectives to complete and a loose plan to achieve them for each operation. However, the path to that pot of gold at the end of the rainbow is rarely a straight one. There are many variables to solve for, a constant flow of new information to take into account, and dead ends and speed bumps are the norm. After initial access, it is often unpredictable where you will land on a network or what defensive measures will be encountered along the way. These types of situations necessitate that a plan never be held too tightly. I have a feeling that if the three presumably Russian bears (FancyBear, CozyBear, and Grizzly Steppe respectively) could talk as they conduct this cyber mischief, they would tell us to have a plan, always keep the end in mind, but always remember to remain flexible.

Focus your time on areas where the outputs are disproportionate to the inputs

In cybersecurity there is a name for this one-to-many multiplication of effort — it is called a supply chain attack, and that is exactly the term being used to describe the SolarWinds hack. Bad guys, who would never have made it into the party without their name on the guest list, rode on the existing trust relationship that SolarWinds Orion customers had extended to SolarWinds as a trusted vendor. The outcome for the 18,000 organizations that had SolarWinds Orion on their trusted guest list is that they now have malicious code in their environment and a lot of questions to answer. The list of affected organizations will continue to grow (estimated to be 200+), but as of now the publicly identified victims are listed below.

  • Microsoft
  • FireEye
  • The US Treasury Department
  • The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
  • The Department of Health’s National Institutes of Health (NIH)
  • The Cybersecurity and Infrastructure Security Agency (CISA)
  • The Department of Homeland Security (DHS)
  • The US Department of State
  • The National Nuclear Security Administration (NNSA)
  • The US Department of Energy (DOE)
  • Three US states
  • City of Austin

This is a very high profile list of compromises and the effort that would have otherwise been required to obtain code execution in each of these organizations individually might have been infeasible or prohibitively expensive.

Takeaway

Supply chain attacks like this are tangible examples of how cyber threat actors carefully consider desired outcomes and return on investment of time and resources before choosing a target or making a move. The everyday takeaway for us is that by deconstructing our own objectives and directing our efforts toward areas where we can achieve the biggest return on investment we will come out the other side with bigger and better results — or at least a little more free time to do what we please with.

Embrace your circumstances and deal with problems head on

We are still early on and the script has yet to be written, but SolarWinds has already received some criticism for their response to this incident. I bring this commentary up not to criticize or pass judgement on SolarWinds, but rather to point out that they have one shot, one opportunity; will they capture it? Jokes and song references aside, security incidents are a lot like problems in general in that it is not IF but WHEN they will come along.

The truth is that few if any companies can actually keep a determined, skilled, and well-resourced threat actor group at bay for the long haul. With that as the backdrop, the mere fact that SolarWinds was compromised by a formidable adversary is no reason for them to hang their heads. Deleting what appear to be official recommendations from their support pages, however, at least gives the air of managing appearances rather than owning up to their shortcomings. The night is still young, as they say, and I hope their overall response ends up being one they can be proud of when looking back.

Takeaway

Suffice it to say that in the game of life you will lose, and in the game of cyber life there is a high probability that a data breach will eventually find its way to your doorstep. In either case the takeaway is the same in life and business: face your failures head on with humility, integrity, and transparency and you will most likely be respected for it. But even if you aren’t praised by the world at large, by coming face to face with your shortcomings you can take their lessons and be better equipped to handle the next obstacle when it comes.

Side Note: For a good example of a company following this advice, check out Fox-IT’s response after they were hit by a MiTM (man-in-the-middle) attack in 2017 (https://www.fox-it.com/en/news/blog/fox-it-hit-by-cyber-attack/).

Wrapping it up and putting a bow on it

So as you watch the news this holiday season, don’t move your Christmas tree and New Year’s party into the Faraday cage just yet. Even though Gene Hackman in Enemy of the State was social distancing way before it was cool, “deck the cage” just doesn’t have the same ring to it as “deck the halls”. Instead, try to take the eggnog-and-champagne-glass-half-full approach and extract the positive lessons from the cyber armageddon news stories that come your way.

Key Takeaways

  • Be prepared yet patient
  • Have a plan but remain flexible
  • Direct your time to the places where you can make the biggest impact
  • Face your problems and undesirable circumstances head on.

Will Enochs

Red Team @ Regions by day | Hobby and Learning Addict by night