
Brigadier General (Ret) Gregory Touhill, December 21, 2020

CISO Perspective: SolarWinds Breach

Thoughts from the first CISO of the U.S.A


As the former Chief Information Security Officer of the United States government, I’ve been inundated with questions from colleagues in federal and military service, industry partners, academics, and the press to comment about the ongoing reports of cyber attacks directed against FireEye, SolarWinds, and elements of the United States government. Given all these queries, I’d like to share with you my thoughts based on what I know, what I don’t know, and what I believe based on the information available right now.

What I know:

  • Unattributed malicious actors successfully gained access to FireEye. FireEye publicly disclosed the breach and shared indicators of compromise. Bravo to FireEye for their leadership in sharing their lessons learned.
  • Shortly after the FireEye disclosure, it was announced that SolarWinds had been breached by a malicious actor who compromised the Orion product with a capability that gave the attacker the ability to access Orion customers through a purpose-built “backdoor.” SolarWinds disclosed that of their 300,000 customers, “only” 18,000 customers downloaded the poisoned Orion code. SolarWinds posted and later removed an online list that indicated 425 of the Fortune 500 firms and most US government agencies are customers.
  • The Cyber and Infrastructure Security Agency and Federal Bureau of Investigation have issued a series of products acknowledging ongoing investigations into compromises of US government entities associated with the compromised Orion products.
  • FireEye subsequently posted a video discussion and analysis of the breach findings (https://www.pscp.tv/w/1YpKkzMXorBxj) in the aftermath of the FireEye, SolarWinds, and US government breach reports. Noteworthy in the presentation is a discussion about how easy it is to steal the token (in this case via Chrome) and gain access to O365 via Azure AD. The government and critical infrastructure use both O365 and Active Directory. Later in the FireEye presentation is a great discussion about intermediate keys and how they work in the process of this hack into the O365 environment.
  • The US government has convened a meeting of the Unified Coordination Group (UCG), which is a committee chartered by Presidential Policy Directive-41 to coordinate interagency response to major cyber incidents and events.

What I don’t know:

  • While evidence sure makes it appear that the malicious actors behind this attack are Russian-based hackers, I have yet to see conclusive proof. Nevertheless, I’d put twenty bucks on it that they are.
  • I have no information that leads me to believe the Intelligence Community or US Cyber Command saw this coming, warned the victims, or conducted any actions to interdict the adversaries. This indicates the high level of sophistication of the malicious actors yet does not make them immune to counterfire. The US government will find them and those who directed them. When they do, “appropriate” measures will be taken.
  • I don’t know what the malicious actors “left behind” in any of the exploited networks. With the reported access to the FireEye/Mandiant pentest/red team tool sets, it is possible the malicious actors knew what tools, tactics, techniques, and procedures would be used to hunt them, thereby giving them the advantage to “burrow in and hide.”
  • I don’t know whether the attackers are still hiding in their victim networks (see bullet above).
  • What’s the attacker’s end game? What are they trying to achieve? Are they seeking specific information? Are they planting toe-holds to do destructive attacks in the future? Who else is a victim yet may not know yet?

What I believe:

  • The FireEye/SolarWinds/US government breach reports are indicative of a well-orchestrated and coordinated strategic cyber attack.
  • FireEye and SolarWinds likely are not the only supply chain targets these malicious actors attacked and defeated. Every vendor ought to closely check their networks for indicators of compromise and verify the integrity of their product codebase.
  • If you have used or are using the contaminated Orion products, consider yourself breached.
  • I’m wondering why the intelligence community didn’t discover this and give US Cyber Command the information needed to interdict these actors before they struck? Given the publication of Sandworm and recent DoJ indictments of Russian cyber operators, you’d think the intelligence community would be on the lookout for these actors. An attack like this highlights just how hard it is to find and interdict attacks at cyberspeed.
  • Given the presumed attribution of the attackers, it is highly likely they may still have hidden capabilities in their victims’ networks that will be extremely difficult to detect and eradicate. That will likely force many to conclude that the only way to neutralize the threat is to “burn down” their existing network and rebuild, probably leveraging more cloud-based “as-a-Service” capabilities and/or taking a Zero Trust approach.
  • Like the folks in the FireEye discussion cited above, I believe implementing Zero Trust would have helped defend against the attack and certainly would have limited it.
  • I believe a zero trust capability that cloaks the edge, prevents man-in-the-middle attacks, continuously validates users’ devices (using information from the user, the device and items not on the device), and can be integrated into an overall security posture leveraging other technologies to make them both stronger would have been a hurdle the attackers would not have been able to vault over.
  • The attackers had multiple objectives:
    ◦ They wanted to gain access to specific targets to secure access to specific information. Based on what I’m seeing, they likely were successful.
    ◦ They wanted to penetrate important supply chains used by government and critical infrastructure. Check that box.
    ◦ They wanted to see what capabilities we had to detect their use of certain tools, tactics, techniques, and procedures. With the report of their success against FireEye, check that box. I’ll bet they visited FireEye competitors too.
    ◦ Given the wide penetration their successful attack has brought, the widespread fear, uncertainty and doubt in the efficacy of current cybersecurity products and capabilities wrought by the attack revelations is an extra bonus for the attackers.

  • The revelation that government instances of Microsoft O365 email were penetrated by the attacker by hijacking user credentials indicates that Microsoft’s conditional access is insufficient to properly implement Zero Trust. I also don’t believe it was just email that was exposed in the O365 environment. Assume it all was breached.
  • This isn’t over. I suspect that we’ll find there are a lot more victims in both public and private sectors.
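The post tells every vendor to verify the integrity of their product codebase. One concrete way to do that is to compare what is actually on disk (source tree, build output, or shipped package) against a hash manifest captured at a trusted point in time and flag anything modified, added, or removed since. The script below is an added example written for this page, not code from the original post or from Appgate, SolarWinds, or FireEye. The manifest format (one `sha256  relative/path` line per file), the directory layout, and every file and its contents are constructed sample data.

```python
"""Added example: report drift between a directory and a known-good
SHA-256 manifest. All paths, file contents and the manifest are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large artifacts don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  relative/path' lines (hypothetical format) into {path: digest}."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[rel] = digest.lower()
    return expected


def verify_tree(root: Path, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every file under root with the manifest.

    Returns {'modified': [...], 'added': [...], 'missing': [...]} using
    forward-slash relative paths so results are stable across platforms."""
    actual: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file():
            actual[p.relative_to(root).as_posix()] = sha256_file(p)
    modified = sorted(r for r in expected if r in actual and actual[r] != expected[r])
    added = sorted(set(actual) - set(expected))      # present on disk, not in manifest
    missing = sorted(set(expected) - set(actual))    # in manifest, gone from disk
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, snapshot it, tamper with it, and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "lib/core.dll": b"original core library bytes\n",
            "bin/agent.exe": b"original agent bytes\n",
            "conf/default.cfg": b"log_level=info\n",
        }
        for rel, data in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        # Manifest captured at the trusted point, before any tampering.
        manifest = "\n".join(
            f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items()
        )
        expected = parse_manifest(manifest)
        # Simulated drift: one file altered, one removed, one unexpected file added.
        (root / "lib/core.dll").write_bytes(b"original core library bytes\nextra\n")
        (root / "conf/default.cfg").unlink()
        (root / "bin/helper.dll").write_bytes(b"unexpected\n")
        return verify_tree(root, expected)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the manifest: if the reference hashes are stored on the same build system the attacker may control, they can be rewritten along with the code. Keep the manifest (or a signature over it) somewhere the build pipeline cannot write to, and generate it from a clean checkout rather than from whatever the build host currently holds.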

What do you think? If you want to learn more about Zero Trust, please check out our website https://www.appgate.com/to-your-network/zero-trust
