Blog

Here’s How the Recent SolarWinds Supply Chain Attack Could Be Easily Stopped

A Cybersecurity Vaccine Exists – and It Is 99% Effective. Learn How to Inoculate Your Organization From Attacks in 2021

There’s no sugarcoating it: COVID-19 helped make 2020 a bad year for almost everyone. There is one glaring exception, however — sophisticated hacker collectives. For them, 2020 has been a veritable wonderland of opportunity with cyber-attack reports surge of 400% according to The U.S. Federal Bureau of Investigation.

These developments were dramatically driven home by the recent uncovering of a massive cybersecurity attack targeting the US government and a multitude of large global corporations. According to the Wall Street Journal:

“The attack blended extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on—an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way.”

The Journal reported that 18,000 government agencies and companies may be affected in an attack that exposed “a critical vulnerability in America’s technology infrastructure.”

How the Attack Occurred

The hackers executed an attack exploiting a vulnerability in supply chain management software created by a company called SolarWinds. That software, called Orion, is widely used by Fortune 500 companies and government agencies. Hackers were able to compromise SolarWinds’ software and insert their own malicious malware (called Sunburst), which was pushed out as a regular update to Orion.

To increase their odds of success, the hackers used a variety of stealthy and novel techniques, including purchases of abandoned Internet domains. Attackers also ensured the component containing Sunburst was code-signed with the correct SolarWinds certificate, making the DLL look legitimate and free of suspicious scripts.

Security analysts are still poring over the incident, which will keep them busy for months to come. Early indications are that the attack had been planned for at least four years and was mainly espionage-focused, with hackers targeting a relatively small number of the 18,000 victimized entities for detailed operations.

A Frightening Landscape

This latest attack comes against a backdrop of larger developments concerning enough to send a shiver down the spine of defenders. Not only are state-sponsored attacks becoming more prevalent, sophisticated and damaging, the threat from so-called Private Sector Offensive Actors (PSOA) is growing. If we think of state-sponsored hackers as conventional soldiers, PSOA are more akin to contractors or mercenaries. Nation states — flush with cash but not always flush with top cybersecurity talent — can lean on PSOA to support their efforts.

The COVID-19 pandemic has disrupted normal on-premises security operations and created hundreds of millions of new telecommuters, greatly expanding the attack surface and generating significant shadow IT concerns. With regard to the US specifically, the presidential election — and the need to focus on electoral cybersecurity — may have also consumed some of the bandwidth of those charged with protecting larger government agencies or corporations.

Certain sectors are especially vulnerable. According to Microsoft, 44% of attack victims are in the information security space, while another 36% are either in the government or think tank/NGO categories, making them the three most high-risk targets by a wide margin.

So What is the Solution?

Part of the solution to deterring state-sponsored attacks lies at the highest government level. Governments must find ways to hold offenders accountable and share threat intelligence more effectively.

At the level of the individual private organization, it’s critical to head into 2021 emphasizing the use of defensive tools that analyze network operations in a complex fashion to detect attacks that may already be underway, while preventing future attacks by continuously identifying and remediating the vulnerabilities putting business-sensitive assets at cyber risk.

The Sunburst attack targeting SolarWinds was especially successful because it was designed to exploit human error, supply chain weaknesses and the tendency of defenders to rely on reactive security methods. By using novel techniques, patience and stealth, attackers left their victims blind to the threats bearing down on them.

Fortunately, there is a way to fight back: understand the attacker perspective and how they see your weaknesses by inoculating your security environments from the most sophisticated and damaging threats.

Getting the Right Cyber Vaccine

The average time to exploit a vulnerability has come down from 25 days to seven days. In the past 2 years yet the average time it takes organizations to patch a vulnerability has been 15 times longer.

In many of those breaches, different attack techniques were used, and not just exploiting a vulnerability, weak password to the Github, Reconn, privilege escalation and more. Sophisticated attacks are using multiple different techniques while traditional tools are using only one type like VA/VM.

Security leaders have come to realize that trying to patch all vulnerabilities is futile and turned to look at risk-based VM to focus and narrow down endless patching efforts.

Common VA/VM and Risk-Based VM employ methods such as CVSS, threat intelligence and data science in an attempt to help organizations reach the required level of security hygiene while having operational efficiency but these technologies still come short.

XM Cyber’s Attack-Centric Exposure Prioritization (ACEP) platform allows you to define critical assets, see your mission-critical security environments through the eyes of an adversary, empowering you to rapidly respond to cyber risks by continuously finding new exposures, including exploitable vulnerabilities and credentials, misconfigurations, and user activities.

By launching continuous simulated attacks using the same cutting-edge tactics and techniques used by state-sponsored adversaries, XM Cyber’s ACEP continuously probes your hybrid cloud environments for exposures and weaknesses, and identifies the gaps waiting to be penetrated with the aim of reaching the crown jewels. Once vulnerabilities are identified, XM Cyber provides prioritized context-sensitive least-effort remediation guidance.

The enormous scope of the recent SolarWinds attack may make it an inflection point for how organizations think about protecting their assets from advanced persistent threats (APTs). By providing an attack-centric exposure prioritization platform focusing on the one-percent of exposures that are exploitable, XM Cyber eliminates 99% of the risk to business-sensitive systems.

This is the closest thing we have to a “cyber vaccine.” As the world recovers from the pandemic thanks to the widespread distribution of COVID-19 vaccines, we urge CISOs to turn the table on the attackers and inoculate their organizations from APT risk by using a platform that continuously identifies new exposures and attack vectors, prioritizes cyber risk affecting business-sensitive systems and then offers context-sensitive remediation.

By Shaul Efraim, Senior Vice President Marketing, XM Cyber

mxcyber

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.