UPDATED 11:21 EDT / FEBRUARY 26 2021

SECURITY

The SolarWinds breach was bad. Not learning from it could be far worse

Companies may be prepared to believe that the impact of the massive SolarWinds breach is behind them; cybersecurity analyst Brian Krebs has a different view.

The breach, which leveraged malware surreptitiously planted by a nation state in SolarWinds security tools used by government agencies and the world’s largest corporations, has exfiltrated troves of data from high value targets. Some estimates have pegged the cost of containing and repairing the damage caused by the SolarWinds attack at upwards of $100 billion.

For Krebs, who was the first to uncover major breaches involving Target Corp., Neiman Marcus Group Inc. and Adobe Inc., it would be naïve to believe that what the security community knows so far is the complete story.

“I do not think SolarWinds was the only target of this — whoever put this attack together spent a lot of time on it,” said Krebs, who spoke earlier this month as part of a virtual session hosted by Cybereason Inc. “There’s no reason to suspect there weren’t other SolarWinds. It’s about owning assets inside the network to get at assets stored in the cloud.”

Focus on trust

Fallout from this third-party supply chain hack has led chief information officers and chief information security officers to re-evaluate security practices, with a renewed focus on zero-trust security, two-factor authentication and endpoint protection.

However, in Krebs’ view, there are a number of important lessons to be learned from the SolarWinds attack that the security community would be wise to heed. Zero trust, for example, is not high on his list.

Krebs pointed to a recent analysis of the SolarWinds exploit by the Israeli security firm Sygnia that found the hackers used an attack technique to steal private keys and signing certificates.

This produced an unusual behavior pattern in system logs: forged users were logging in while bypassing the normal authentication procedures. In a case like this, the better defense would have been to fully understand the behavior of the users the organization already trusts, so that truly malicious activity stood out against that baseline.
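The detection idea in the passage above, worked through as an added example (not code from the article, from Krebs or from Sygnia): a sign-in that the cloud service accepted on the strength of a federation token is checked against the identity provider's own record of who actually authenticated. A token that no credential check explains, that arrives from a source the user has never authenticated from, or that outlives the identity provider's policy is reported. The log layout, field names, window and sample events are all constructed assumptions for the illustration.

```python
"""Correlate federated sign-ins with the identity provider's own
authentication records. Added illustration; the log formats, field names
and sample events are constructed for this example and do not come from
any vendor product or from Sygnia's analysis."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: credential checks the identity provider (IdP)
# actually performed, including the second factor.
IDP_AUTH_EVENTS = [
    {"user": "alice", "time": "2021-02-01T08:58:10", "mfa": True, "src": "10.1.4.20"},
    {"user": "bob",   "time": "2021-02-01T09:02:41", "mfa": True, "src": "10.1.7.33"},
]

# Constructed sample: sign-ins the cloud service (SP) accepted because a
# federation token said so.
SP_SIGNIN_EVENTS = [
    {"user": "alice", "time": "2021-02-01T08:58:12", "src": "10.1.4.20", "token_lifetime_h": 1},
    {"user": "bob",   "time": "2021-02-01T09:02:44", "src": "10.1.7.33", "token_lifetime_h": 1},
    # No IdP record precedes this one, the source is new for the user, and
    # the token lifetime is far longer than the IdP normally issues.
    {"user": "alice", "time": "2021-02-01T23:17:05", "src": "198.51.100.7", "token_lifetime_h": 24},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_unbacked_signins(idp_events, sp_events,
                          window=timedelta(minutes=5), max_lifetime_h=2):
    """Return one finding per SP sign-in that the IdP's own records do not explain.

    A sign-in is 'backed' when the same user has an MFA-verified IdP event
    within `window` before it.  Each finding lists every reason it tripped,
    so an analyst sees the whole picture rather than the first anomaly."""
    idp_by_user = defaultdict(list)
    known_sources = defaultdict(set)
    for e in idp_events:
        idp_by_user[e["user"]].append(e)
        known_sources[e["user"]].add(e["src"])

    findings = []
    for s in sp_events:
        t = _t(s["time"])
        reasons = []
        backed = any(
            e["mfa"] and timedelta(0) <= t - _t(e["time"]) <= window
            for e in idp_by_user[s["user"]]
        )
        if not backed:
            reasons.append("no matching IdP authentication")
        if s["src"] not in known_sources[s["user"]]:
            reasons.append("source never seen at IdP for this user")
        if s["token_lifetime_h"] > max_lifetime_h:
            reasons.append("token lifetime exceeds IdP policy")
        if reasons:
            findings.append({"user": s["user"], "time": s["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unbacked_signins(IDP_AUTH_EVENTS, SP_SIGNIN_EVENTS):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

The check only works if the service-side sign-in log and the identity provider's authentication log are collected into the same place and keyed on the same user identity; in practice the join key and the clock skew between the two sources are where most of the engineering effort goes.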

“My favorite ‘buzzword du jour’ is zero trust,” Krebs said. “There are a ridiculous number of hardware and software solutions that are super-users in their own right. That was the whole point of the SolarWinds attack. It makes sense to pay closer attention to the things you do trust.”

Vulnerable code and DNS

One concern that’s beginning to receive more focus in recent months has been the security of key developer resources such as GitHub. Malicious hackers have the same access to code repositories as ethical developers, and they’re apparently taking advantage of it, as can be seen in this hacking blog.

One cybersecurity expert has documented how SolarWinds exposed FTP server credentials in a public GitHub repository. More recently, the popular audio-based social app Clubhouse suffered a data breach when a programmer in mainland China designed and posted open-source code on GitHub that bypassed the app’s invite-only and iPhone-only restrictions.

“So much sensitive stuff is stored in personal GitHub accounts,” Krebs noted. “Source code gets stolen and traded online. There’s a lot of downstream mess that happens as a result of that.”
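The exposed-credentials problem described above is one that a repository check can catch before a push reaches a public host. The following is an added example, not code from the article or from any of the companies named in it: it scans file contents for a URL carrying a username and password (the FTP case above) and for assignments whose key looks like a secret, grading long high-entropy values separately. The sample files, the patterns and the thresholds are constructed for the illustration.

```python
"""Pre-commit style scan for credentials left in files about to be pushed to
a public repository.  Added example; the patterns, thresholds and sample
file contents are constructed for illustration and are not SolarWinds'
files or any vendor's rule set."""
import math
import re
from urllib.parse import urlsplit

# Constructed sample: the kind of content that ends up in a public repo.
SAMPLE_FILES = {
    "deploy/upload.ps1": (
        "$src = 'C:\\build\\out'\n"
        "$dst = 'ftp://deploy:Hunter2pass@ftp.example.invalid/releases'\n"
    ),
    "config/settings.ini": (
        "[db]\nhost = db.example.invalid\npassword = CorrectHorseBatteryStaple\n"
        "[api]\ntoken = 7f3a9c1d2e4b6a8f0c5d7e9b1a3c5d7e9f1b3d5a7c9e1f3b\n"
    ),
    "README.md": "Set FTP_PASSWORD in your environment; never commit it.\n",
}

# A URL whose userinfo part carries a password is a credential, whatever scheme it uses.
URL_RE = re.compile(r"\b(?:ftp|ftps|sftp|https?)://[^\s'\"<>]+")
# key = value / key: value where the key ends in a secret-like word.
ASSIGNED_SECRET_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(?:password|passwd|secret|token|api_key))"
    r"\s*[=:]\s*['\"]?(?P<val>[^'\"\s]{6,})['\"]?\s*$",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits of entropy per character; hex or base64 blobs score well above prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path, text):
    """Return (path, line_no, kind, key_or_username) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            parts = urlsplit(m.group(0))
            if parts.password is not None:
                findings.append((path, line_no, "url-embedded credential", parts.username))
        m = ASSIGNED_SECRET_RE.match(line)
        if m:
            val = m.group("val")
            kind = "assigned secret"
            # Long random-looking values are almost never placeholders.
            if len(val) >= 32 and shannon_entropy(val) > 3.5:
                kind = "assigned high-entropy secret"
            findings.append((path, line_no, kind, m.group("key").lower()))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping in a stable order; non-empty result blocks the push."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, line_no, kind, who in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} ({who})")
```

Wired into a pre-commit hook, a non-empty result is enough to refuse the commit; the README line shows the check does not fire on prose that merely mentions a variable name.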

In addition to exposed files within public GitHub repositories, there is another important path through enterprise IT that Krebs believes deserves greater attention from security experts: the Domain Name System.

Vulnerabilities around DNS, which maps host names to addresses so that computers on an IP network can reach one another, have been well-documented. DNS can be used to find important server names and to redirect traffic to malicious servers.

The concern is that by functioning the way it is supposed to, DNS is not only helping threat actors find which bank vault holds the crown jewels, but it is providing the getaway car as well.

“The SolarWinds attackers used DNS to exfiltrate data,” Krebs said. “Pay much closer attention to what’s going on at the DNS level. A huge percentage of malware uses DNS; it sails through firewalls. Companies just kind of take it for granted, but it leaves a lot of blind spots in the organization.”
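What “paying attention at the DNS level” can look like in practice, as an added example that is not part of the article: a resolver log is grouped by client and registered domain, and a group is flagged when one client asks for many distinct, long, high-entropy subdomains under a single domain, which is the shape data leaves in when it is encoded into query names. The log format, the sample queries, the thresholds and the two-label approximation of a registered domain are all constructed assumptions for the illustration.

```python
"""Flag DNS traffic shaped like data leaving through query names: many
distinct, long, high-entropy subdomains under one domain from one client.
Added example; the log format, thresholds and sample queries are constructed
for illustration (domains use reserved example names)."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log: timestamp client qtype qname
SAMPLE_DNS_LOG = """\
2021-02-01T10:00:01 10.0.0.5 A www.example.com
2021-02-01T10:00:02 10.0.0.5 A cdn.example.com
2021-02-01T10:00:03 10.0.0.5 AAAA mail.example.com
2021-02-01T10:00:04 10.0.0.5 A example.com
2021-02-01T10:00:05 10.0.0.7 TXT 3f9a1c7e5b2d8e04.data.example.net
2021-02-01T10:00:05 10.0.0.7 TXT a81e4c03f7b92d5a.data.example.net
2021-02-01T10:00:06 10.0.0.7 TXT c0ffee1234567890.data.example.net
2021-02-01T10:00:06 10.0.0.7 TXT deadbeef00112233.data.example.net
2021-02-01T10:00:07 10.0.0.7 A 9b1d3f5a7c2e4680.data.example.net
2021-02-01T10:00:07 10.0.0.7 A 1a2b3c4d5e6f7a8b.data.example.net
this line is not a query record and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of a label; encoded payloads score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname):
    """Split a query name into (registered domain, subdomain labels).

    Simplification for the example: the last two labels are taken as the
    registered domain.  Production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text):
    """Yield parsed records; lines that do not fit the format are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def score_dns(text, min_unique=5, min_label_len=12, min_entropy=3.0):
    """Return an alert per (client, domain) pair whose subdomain pattern looks like encoded data."""
    stats = defaultdict(lambda: {"subs": set(), "len": [], "ent": [], "qtypes": defaultdict(int)})
    for rec in parse_log(text):
        dom, subs = registered_domain(rec["qname"])
        if not subs:                      # bare domain, nothing encoded in it
            continue
        s = stats[(rec["client"], dom)]
        s["subs"].add(".".join(subs))
        first = subs[0]                   # the leftmost label carries the payload
        s["len"].append(len(first))
        s["ent"].append(shannon_entropy(first))
        s["qtypes"][rec["qtype"]] += 1

    alerts = []
    for (client, dom), s in stats.items():
        n = len(s["subs"])
        mean_len = sum(s["len"]) / len(s["len"])
        mean_ent = sum(s["ent"]) / len(s["ent"])
        if n >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
            alerts.append({
                "client": client, "domain": dom, "unique_subdomains": n,
                "mean_label_len": round(mean_len, 1),
                "mean_label_entropy": round(mean_ent, 2),
                "qtypes": dict(s["qtypes"]),
            })
    return alerts


if __name__ == "__main__":
    for a in score_dns(SAMPLE_DNS_LOG):
        print(a)
```

Legitimate services (CDNs, telemetry, some anti-spam lookups) also generate long hashed labels, so a deployment needs an allow-list of known domains and a baseline of normal volume per client before the thresholds above are useful; the record types and the ratio of unique names to total queries are the next features worth adding.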

Problem of tool fatigue

Paying attention to the behavior of trusted users, careful inspection of imported source code and monitoring the DNS stream is a tall order, even for well-staffed information technology organizations. The massive size of the SolarWinds attack has brought new scrutiny to the overwhelming number of security tools in use today among many enterprises.

Despite the deployment of tens or hundreds of security tools by the world’s largest enterprises, the SolarWinds breach still compromised major firms such as Microsoft Corp., Cisco Systems Inc., Intel Corp., and security vendor FireEye Inc. The gap was apparently in monitoring the monitors.

A comprehensive study released by IBM Corp. in June found that the use of more than 50 security monitoring tools resulted in a less effective security response. Perhaps even more sobering, 74% of organizations surveyed reported security response plans which were either applied inconsistently or were nonexistent.

“There’s not enough discussion of how we got here,” Krebs said. “Even companies that suffer from security sprawl are often the last ones to know they’ve been breached.”

The most valuable publicly traded company in Israel is Check Point Software Technologies Ltd., provider of IT, network and cloud security. The company’s shares spiked not long after the SolarWinds breach, and Israel has claimed the second-largest number of cybersecurity deals globally behind only the United States.

One of the reasons for Israel’s prominence in the field is that the country established a national effort to recruit top-flight teenage coders and hackers into elite government-run cyber defense units. Krebs believes that SolarWinds is a wakeup call for the U.S. to do the same.

“I really admire how Israel approached this topic in general,” Krebs said. “This probably calls for some kind of national program. We absolutely as a nation need to be focused now, and over the next five to 10 years, in a massive way on how we foster the next generation of cyberdefenders.”

Image: Pixabay Commons
