

Learnings from the SolarWinds attack

David Higgins, EMEA Technical Director at the privileged access management company CyberArk, offers some tips to protect your supply chain.

The subject of supply chain security was thrust into the limelight in late 2020 following the now infamous SolarWinds Orion attack, which targeted vulnerabilities in organisational software ecosystems to gain access to US government agencies and corporations worldwide. Yet, as a tactic, supply chain hacks aren’t new, and governments and multinational organisations have long been at the mercy of threat actors because of less secure third-party vendors within their digital and physical supply chains.

Partners and suppliers often have weaker security ecosystems than their larger counterparts within the supply chain. It’s no surprise, then, that supply chain cybersecurity risk warnings increased 80 per cent in Q2 2020, or that supply chain hacks spiked by 78 per cent in 2018. With the continued interest threat actors have in supply chain infiltration, how can businesses reduce the impact of a potential attack on their supply chain? Here are four tips:

1. Identifying and managing privileged access

Ensuring every part of your supply chain is protected against attackers is imperative to business survival in the current climate, especially as cyber criminals continue to create and utilise new attack vectors on a daily basis.

The ever-changing cyber landscape and the SolarWinds attack have led to a renewed focus on the role privileged access management plays in protecting both businesses and their supply chains. The conversation now revolves around whether it’s time for businesses to start reducing the level of access outside vendors and administrators have to critical company data. Organisations’ answer should be an unequivocal ‘yes’.

Privileged accounts and credentials are popular attack surfaces within organisations today. Identifying and managing privileged access is therefore paramount to disrupting the attack chain and stopping a potential supply chain attack from reaching its intended target. By implementing strong privileged access management practices and solutions throughout their chains, businesses can prevent threat actors from gaining a foothold in an organisation from which they can steal and abuse legitimate identities and credentials, escalate privileges, and move laterally to reach valuable assets and data in the larger, big-ticket organisations within the chain.

2. Adopting an ‘assume breach’ mindset

Even the businesses boasting the strongest security ecosystems understand there is no silver bullet for cybersecurity, and that no one vendor or tool can completely prevent an attack. Despite this, according to a 2020 report, 43% of UK and US SMBs lack any type of cybersecurity defence plan at all.

Cybersecurity doesn’t have to happen all at once, though, and should be treated as a journey. As part of this, adopting an ‘assume breach’ mindset, in which a business accepts that an attack is going to succeed and builds its defences accordingly, is vital to a good security posture. This mindset calls for multiple layers of security (defence-in-depth), such as next-gen antivirus, strong privileged access management, and application and OS patching.

For those with little to no cybersecurity plan or systems in place – or those whose partners or suppliers have a weak security ecosystem – it’s important to first invest in security controls which reduce the greatest amount of risk. Once these are in place, focus can then be placed on the rest of the security suite, ensuring all attack surfaces are covered.

3. Following the principle of least privilege

Breaches are inevitable, no matter how secure an organisation’s security ecosystem. Following the principle of least privilege (PoLP) and eliminating unnecessary privileges and permissions, however, allows businesses to take steps to limit the impact of an attack.

PoLP is a concept in which users are given only the minimum level of access needed to perform their jobs efficiently, and it is fundamental to the security of high-value corporate information and assets. The principle also applies to applications, systems and connected devices that require permissions, not just to human access.

Enforcing least privilege on systems is considered a best practice security procedure because it reduces an organisation’s attack surface and helps stop the spread of malware. Businesses should seriously consider implementing the practice to truly reduce the impact of a breach.
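One practical way to put the principle into effect is to compare what each privileged account is granted with what it has actually exercised over a review period, remove the rest, and enforce the resulting policy with a default deny. The following is an added illustration, not code from CyberArk or from the article; the account names, permission names and usage log are constructed, and the hypothetical `USAGE_LOG` stands in for whatever access records an organisation already keeps.

```python
"""Right-size privileged grants to the permissions that are actually used.

Added example (not from the article). Accounts, permission names and the
usage log below are constructed; the permission naming is an assumption.
"""
from collections import defaultdict

# Constructed: what each account is currently granted.
GRANTED = {
    "svc-backup": {"db:read", "db:write", "db:admin", "fs:read"},
    "svc-monitor": {"db:read", "host:metrics", "host:shell"},
}

# Constructed 30-day usage log: one "<account> <permission exercised>" per line.
USAGE_LOG = """\
svc-backup db:read
svc-backup fs:read
svc-monitor host:metrics
svc-monitor db:read
"""


def parse_usage(text):
    """Map each account to the set of permissions it actually exercised."""
    used = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            account, perm = line.split()
            used[account].add(perm)
    return used


def unused_privileges(granted, used):
    """Permissions held but never exercised in the period: removal candidates."""
    return {acct: perms - used.get(acct, set()) for acct, perms in granted.items()}


def least_privilege_policy(granted, used):
    """Keep only the granted permissions that were exercised (grant ∩ usage)."""
    return {acct: perms & used.get(acct, set()) for acct, perms in granted.items()}


def is_allowed(policy, account, perm):
    """Default deny: an unknown account or an unlisted permission is refused."""
    return perm in policy.get(account, set())


def blast_radius(policy, account):
    """Number of permissions an attacker holding this credential could abuse."""
    return len(policy.get(account, set()))


if __name__ == "__main__":
    used = parse_usage(USAGE_LOG)
    print("unused:", unused_privileges(GRANTED, used))
    tightened = least_privilege_policy(GRANTED, used)
    print("tightened policy:", tightened)
    print("svc-backup blast radius before/after:",
          blast_radius(GRANTED, "svc-backup"), blast_radius(tightened, "svc-backup"))
```

The review period matters: a permission that is legitimately needed only for rare break-glass or disaster-recovery work may not appear in a 30-day log, so the removal list is a starting point for a human review rather than something to apply blindly.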

4. Monitoring for privileged credential theft

The great care threat actors take to avoid detection makes it particularly difficult to catch a supply chain infiltration. The SolarWinds attack, for example, is believed to have started in the spring of 2020. The threat actors used a number of highly evasive techniques to avoid detection and hide their activity while moving laterally. These included the use of a previously unseen memory-only dropper, dubbed TEARDROP. By giving their command-and-control infrastructure hostnames that matched legitimate ones found in the victim’s environment, the actor was further able to blend in and avoid detection. Monitoring privileged sessions means organisations can more easily spot and react to suspicious behaviour and patterns indicative of credential theft.
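Two of the patterns a privileged-session monitor can look for are a privileged account appearing from a source host it has never used before, and one account fanning out to many distinct hosts in a short window, which is what lateral movement with a stolen credential tends to look like. The script below is an added example that is not part of the article or of any CyberArk product; the log format, the baseline of expected source hosts, the hostnames and the thresholds are all constructed assumptions.

```python
"""Flag privileged-session patterns that are indicative of credential theft.

Added example (not from the article). The log format, hostnames, baseline
and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed privileged-session log: "<time> <account> <source host> <target host>".
SAMPLE_LOG = """\
2020-06-01T09:00:00Z admin-dba jump01 db01
2020-06-01T09:30:00Z admin-dba jump01 db02
2020-06-01T11:15:00Z svc-orion orion01 app01
2020-06-01T11:16:00Z svc-orion ws-117 app01
2020-06-01T11:17:00Z svc-orion ws-117 app02
2020-06-01T11:18:00Z svc-orion ws-117 fs01
2020-06-01T11:19:00Z svc-orion ws-117 dc01
2020-06-01T11:20:00Z svc-orion ws-117 mail01
"""

# Assumed baseline: the hosts each privileged account is expected to work from.
BASELINE_SOURCES = {
    "admin-dba": {"jump01"},
    "svc-orion": {"orion01"},
}


def parse_log(text):
    """Parse the constructed log format into event dicts, ignoring blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "src": src, "dst": dst,
        })
    return events


def unknown_source_alerts(events, baseline):
    """One alert per (account, source) pair outside the account's baseline."""
    alerts, seen = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["account"], e["src"])
        if e["src"] not in baseline.get(e["account"], set()) and key not in seen:
            seen.add(key)
            alerts.append(("unknown_source", e["account"], e["src"], e["ts"]))
    return alerts


def fan_out_alerts(events, window=timedelta(minutes=10), max_targets=3):
    """Alert when an account reaches more than max_targets distinct hosts
    within any sliding window of the given length (one alert per account)."""
    alerts = []
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            targets = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(targets) > max_targets:
                alerts.append(("fan_out", account, len(targets), start["ts"]))
                break
    return alerts


def detect(text, baseline=BASELINE_SOURCES):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(text)
    return unknown_source_alerts(events, baseline) + fan_out_alerts(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the constructed log, `admin-dba` stays within its baseline and touches only two hosts, so it raises nothing, while `svc-orion` is flagged once for appearing from `ws-117` and once for reaching five distinct hosts inside ten minutes. Real baselines should be learned from a known-good period per account, and the thresholds tuned so that legitimate batch or orchestration accounts do not page on every run.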

The supply chain is a critical and highly targeted attack vector, and a successful attack on it can be devastating, as SolarWinds showed. Organisations need to act immediately to improve their own security posture as well as that of their supply chain. Those who take heed of the tips above will not only be able to react faster and more decisively to security events, but will also benefit from reduced exposure to potential breaches through their ecosystem partners.
