An Emergency Unfolds
The recent discovery of a March 2020 supply chain attack that trojanized SolarWinds’ Orion product has sent CISOs throughout the federal government scrambling. Thousands of SolarWinds customers, including federal agencies, unknowingly opened backdoors into their systems by installing malware-laced updates of Orion. As a result, attackers have burrowed into networks to spy on communications and steal data for months.
Thus far, the Departments of Commerce and Treasury are known victims of the breach, with the Departments of Energy, Homeland Security, and State, the National Institutes of Health, the National Nuclear Security Administration, and parts of the Defense Department also reportedly compromised. Impacted agencies should take immediate steps to mitigate the collateral damage. The suspected Russian-backed attack was sophisticated and used new methods to breach its targets. However, the attackers’ reconnaissance was detectable and cross-infection was preventable.
3 Actions to Take Now
Secure critical communications
Agencies dealing with the fallout must reevaluate the security status of their communication platforms. An immediate remedy would be the enterprise-wide use of Wickr, an end-to-end encrypted communications tool. Wickr is currently used by the Defense Department and holds multiple ATOs (Authorities to Operate); agencies can use it to safeguard all their critical communications and ensure mission continuity.
Baseline network behavior
Darktrace is the world’s leading artificial intelligence company for cyber defense. Its Cyber AI Platform baselines all network traffic within an organization and creates profiles of the users, applications, and traffic. This provides immediate awareness when a tool or solution is compromised. Even in proprietary protocols, packet behavior still shows a normal pattern of life, so even traffic hidden inside the Orion protocol deviates from that pattern and Darktrace can detect it.
During a Proof of Concept at a government agency a day after the SolarWinds breach was disclosed, the Orion malware was observed in real time in its compromised state. This prompted an immediate response by the agency’s SOC team. Darktrace had recognized a completely new threat.
Lock down access
Service accounts are a common tool across enterprises and often go unmonitored, unreported, and unsecured. In the SolarWinds breach, service accounts provided a free pass into the infrastructure and critical services across an organization.
CyberArk is the market leader and trusted expert in privileged access management (PAM) for the federal government. Its comprehensive platform manages and secures service accounts, whether they’re local or domain accounts. CyberArk’s Core Privileged Access Security Solution centrally secures and controls access to privileged credentials, isolates and monitors admin sessions, and detects, alerts, and responds to anomalous privileged activity.
In the SolarWinds breach, the malware performed abnormal activities, created new user accounts, and accessed other devices. CyberArk could have immediately shut down new accounts and brought attention to the rogue behavior.
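The two claims above, that a compromised tool's traffic still deviates from its baselined pattern of life and that a service account creating new accounts or reaching new devices is detectable, come down to one check: learn what each account normally does, then flag anything outside that profile. The following is an added illustration, not code from Darktrace, CyberArk, or SolarWinds; the event tuples (account, action, target host) are constructed, and the account and host names are placeholders.

```python
"""Baseline-and-deviation check for service accounts (added example; the
events below are constructed, not real telemetry)."""
from collections import defaultdict

# Constructed learning window: what the monitoring service account normally does.
BASELINE_EVENTS = [
    ("svc_orion", "poll", "router-01"),
    ("svc_orion", "poll", "switch-02"),
    ("svc_orion", "logon", "router-01"),
    ("svc_backup", "read", "fileserver-01"),
]

# Constructed detection window with the behaviour the text describes:
# the service account creates a new user and logs on to a host it never touched.
NEW_EVENTS = [
    ("svc_orion", "poll", "router-01"),
    ("svc_orion", "create_user", "dc-01"),
    ("svc_orion", "logon", "dc-01"),
    ("svc_backup", "read", "fileserver-01"),
]


def build_baseline(events):
    """Per-account profile: the set of actions and hosts seen while learning."""
    profile = defaultdict(lambda: {"actions": set(), "hosts": set()})
    for account, action, host in events:
        profile[account]["actions"].add(action)
        profile[account]["hosts"].add(host)
    return profile


def detect_deviations(profile, events):
    """Return (account, action, host, reason) for every event outside the
    account's baseline. Accounts with no baseline at all are flagged too,
    which is how a freshly created rogue account would surface."""
    alerts = []
    for account, action, host in events:
        if account not in profile:
            alerts.append((account, action, host, "unknown account"))
        elif action not in profile[account]["actions"]:
            alerts.append((account, action, host, "new action"))
        elif host not in profile[account]["hosts"]:
            alerts.append((account, action, host, "new host"))
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

Routine polling by the service account produces no alert; the account creation and the logon to the previously unseen host each do.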