Lessons for government from the SolarWinds attacks

By Imperva

Kunal Anand, Chief Technology Officer of Imperva, shares insights on how to move forward.

Late last year, governments and major corporations were left scrambling to lock down their systems amidst news of a security breach into SolarWinds software. The attack gave hackers access to thousands of companies and government officers, including high-profile clients such as Microsoft and parts of the US Pentagon.

Traces of the malware date back to as early as March 2020. Yet, the insidious nature of the attacks meant that even after the breach was discovered, many organisations were unable to definitively verify whether their systems had been affected. Indeed, it was only on 30 March 2021 that the US Department of Homeland Security announced that the hack had affected its top officials’ emails.

SolarWinds’ top company executives blame an intern’s weak password for the attack. But what are some more fundamental reasons for the breach and its severity? Kunal Anand, Chief Technology Officer at Imperva, shares how governments can better equip themselves against malicious actors.

Why is the SolarWinds attack so disturbing?

For Kunal, the SolarWinds breach was deeply alarming because of how long it remained undetected. In hindsight, “this breach was in the SolarWinds infrastructure for quite some time,” he says. Attackers had patiently executed a sophisticated plan to maintain their cover.

Hackers did not kick off an attack immediately after entering the system, Kunal explains. Instead, they worked on a “proof-of-concept” to test whether they could modify SolarWinds’ source code and push it into a public release without arousing suspicion from human code reviewers. Only then — after they realised they had succeeded — did they strike.

“This was very clever. It should wake people up to the extent that people are willing to go to try and steal data and get sensitive information from large organisations,” Kunal notes.

Government agencies have much to learn from the SolarWinds breach. After all, a weak password is indeed a problem, but that alone should not have wreaked the kind of havoc caused by the attack. How can governments take active steps to protect themselves?

Don’t trust anything, not even your security vendors

Most importantly, organisations have to cast a critical eye over who and what has access to their data. In a cybersecurity climate where supply chain attacks are an increasing problem, organisations have to be watchful.

“I would say that the biggest risk that all organisations have right now, including the government, is that of third party software risks,” he says.

Before deploying security vendors’ technology, organisations have to rigorously vet them and ensure they can comply with the security frameworks they hope to implement. This is especially critical because security software often has “access to privileged information” — any lapse could have disastrous consequences.

This zero-trust approach should extend to all aspects of governments’ software management. For instance, agencies have to be aware of the risks involved when drawing from unknown code libraries or third-party artifacts to build in-house applications.

Of course, it is simply infeasible for governments’ developers to build new programmes from scratch when open-source information is readily available. However, developers need to ask themselves if they trust the source, and consciously decide if they want to “accept that risk”, Kunal says.

Going back to basics

To pre-empt breaches, agencies must ensure that their cybersecurity fundamentals are strong. An organised, transparent system can stall attacks, or make them much easier to spot.

For instance, agencies need to invest in better access controls. In the case of the SolarWinds breach, “it was troubling that someone could get in and change the source code after it had gone through continuous integration and deployment,” Kunal reflects. To guard key systems and sensitive information, two-factor or even multi-factor authentication is essential.
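The two points above, deciding whether to trust a third-party library and noticing when something changes after it has passed through continuous integration, both come down to the same mechanism: record what was vetted and refuse anything that differs at deployment time. The following is an added illustration, not code from Imperva, SolarWinds or this article. Everything in it is constructed: the artifact names and bytes, the HMAC key the release pipeline is assumed to hold, and the scenarios it exercises.

```python
"""Added example (not Imperva's or SolarWinds' code): pin and verify artifact
digests so that a file modified after CI, or a library nobody vetted, is
refused at deployment instead of being trusted by default.

Assumptions (all hypothetical): artifacts are byte blobs keyed by a logical
name, and the build pipeline holds MANIFEST_KEY and signs the manifest
with it so an attacker who can alter artifacts cannot also rewrite the pins.
"""
import hashlib
import hmac
import json

# Constructed demo key; a real pipeline would keep this in a KMS/HSM.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict:
    """Record the digest of every artifact as it left CI, then sign the record."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "hmac": tag}


def verify_artifacts(artifacts: dict[str, bytes], manifest: dict) -> list[str]:
    """Return findings; an empty list means the deployment matches what CI pinned."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        # A forged manifest invalidates every pin, so nothing else is checked.
        return ["manifest signature invalid: refuse the whole release"]
    pinned = manifest["digests"]
    findings = []
    for name, blob in artifacts.items():
        if name not in pinned:
            findings.append(f"{name}: not pinned, unvetted dependency")
        elif not hmac.compare_digest(pinned[name], sha256_hex(blob)):
            findings.append(f"{name}: digest mismatch, modified after CI")
    for name in pinned:
        if name not in artifacts:
            findings.append(f"{name}: pinned artifact missing from deployment")
    return findings


# Constructed sample artifacts: one vetted third-party library, one in-house build.
CI_ARTIFACTS = {
    "lib/vetted-logging-1.4.2.jar": b"vetted library bytes",
    "build/agent-service.bin": b"agent service as built by CI",
}
RELEASE_MANIFEST = build_manifest(CI_ARTIFACTS)


def deploy_clean() -> list[str]:
    return verify_artifacts(dict(CI_ARTIFACTS), RELEASE_MANIFEST)


def deploy_modified_after_ci() -> list[str]:
    # The built binary was altered after CI recorded its digest.
    tampered = dict(CI_ARTIFACTS)
    tampered["build/agent-service.bin"] = CI_ARTIFACTS["build/agent-service.bin"] + b"\x00extra"
    return verify_artifacts(tampered, RELEASE_MANIFEST)


def deploy_with_unpinned_dependency() -> list[str]:
    # A library that never went through vetting appears in the deployment.
    extra = dict(CI_ARTIFACTS)
    extra["lib/unknown-helper-0.1.jar"] = b"never vetted"
    return verify_artifacts(extra, RELEASE_MANIFEST)


def deploy_with_tampered_manifest() -> list[str]:
    # The pins themselves were rewritten without the pipeline's key.
    forged = json.loads(json.dumps(RELEASE_MANIFEST))
    forged["digests"]["build/agent-service.bin"] = sha256_hex(b"attacker build")
    return verify_artifacts(dict(CI_ARTIFACTS), forged)


if __name__ == "__main__":
    for scenario in (deploy_clean, deploy_modified_after_ci,
                     deploy_with_unpinned_dependency, deploy_with_tampered_manifest):
        print(scenario.__name__, "->", scenario() or ["ok"])
```

The check only ever trusts what CI recorded, so its value depends on the digests being captured on a build host the attacker does not control; it catches changes made after that point and dependencies that were never pinned, which is exactly the class of change the quote above describes. Treating a manifest with a bad signature as a rejection of the entire release, rather than skipping to per-file checks, is deliberate: once the pins are untrustworthy there is nothing left to compare against.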

Agencies should also keep a detailed and updated record of all of their assets. Having a list of software providers and their permissions - even mundane physical items such as computers - goes a long way in ensuring that every decision is accounted for.

When organisations buy software, they should request a breakdown of the vendor’s actions. This will help them “better prepare for potential issues downstream”, Kunal notes. With better accounting, organisations can quickly intervene when malicious code changes happen and minimise damage.

Towards greater visibility and internal protection
To prevent supply chain breaches such as the SolarWinds attack, organisations need greater visibility into their operations and access controls. They also need security solutions that look inwards, rather than assuming that malicious actors lurk only outside of the system.

To this end, Imperva’s Runtime Application Self-Protection (RASP) security solution provides highly customisable, comprehensive protection. RASP operates on any application type — first- or third-party, on-premise or cloud. By learning how the application behaves, it can identify deviations and alert organisations before disaster strikes.

In the SolarWinds case, “if it was using cryptography to evade detections, we would have seen all of those things and given you more context to accurately shut down the attack,” Kunal explains. Indeed, in lab environments with customers, it was demonstrably proven that Imperva’s RASP solution “would have prevented SolarWinds from being exploited”.

As software supply chain attacks become increasingly complex and difficult to prevent, government agencies need to gear up to meet these threats head-on. “I think organisations need to ask more of their vendors”, Kunal concludes. “Data are our crown jewels, and we need to do a better job of protecting them.”