Supply Chain Attack – SolarWinds

Posted By: Bill Jones
Dated: January 28, 2021

The COVID-19 pandemic defined 2020, but the year brought other significant moments, one of the most notable being the rise in supply chain attacks, with the SolarWinds Orion security breach at the center of it. The CISA (Cybersecurity & Infrastructure Security Agency) security bulletin, and the frenzied panic it created industry-wide, will be remembered well into the future. What makes this breach so unique? Many would likely point to how sophisticated the attack was and how it went undetected for months.

The Quickest Summary Ever

In December 2020, CISA announced an “Active Exploitation of SolarWinds Software” (found online here). The CISA announcement includes a link to the FireEye advisory that uncovered the supply chain attack, which compromised multiple global victims with the SUNBURST backdoor. The FireEye GitHub repository provides countermeasures, including signature-based detections. Although helpful, these mitigations are not enough to prevent future breaches of the supply chain. An Advanced Persistent Threat (APT) actor, currently suspected to be of Russian origin, was able to compromise government and non-government entities that use the SolarWinds software. The actor infiltrated the software platform’s update mechanism and, through it, every device that requested updates, which is what makes this a supply chain attack.

How Bad?

CISA’s alert labeled “SUPPLY CHAIN COMPROMISE” [2] will grab anyone’s attention. In their announcement, CISA warns us: “This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges organizations to prioritize measures to identify and address this threat.” [1] Multiple government agencies are collaborating internationally through the newly formed task force called the Cyber Unified Coordination Group (UCG). With numerous federal agencies coordinating, you know it’s a significant event.

Mitigation and Detection

At this point, the risk is ongoing and no remediation is available if you’re running the infected software versions. While no one has all the answers for addressing supply chain attacks (yet), mitigation and detection options are available. CISA released a tool called Sparrow [3] to assist with detection in the Azure/M365 environment; the permissions it requires are listed in the GitHub repository. We can also learn from the events of 2020 to future-proof ourselves. For one, the CISA alert bulletins helped reshape how we view the supply chain and inform our vigilance:

  • Run a scenario in which an APT actor is discovered. Pick a random piece of software used internally that relies heavily on a supply chain and analyze it; threat modeling comes to mind. We continue to refine our scenarios and act them out with all teams to coordinate efforts and ensure our policies and guidelines can meet the demands of an ever-changing landscape.
  • Rule/signature-based detection, while viable now, isn’t the future of security. Focusing on machine learning capabilities to learn and perform behavior anomaly detection would help mitigate risks exposed by the supply chain.
  • Lock down version updates until they’ve been reviewed and are ready for release. Note, however, that in this circumstance it wouldn’t have helped unless you had stuck with versions that were significantly outdated. In the realm of security this is highly unlikely to be the case, as we patch, patch, and then patch again.
  • Review releases by vendors and follow vulnerability information released to remain updated.
  • Educate all teams internally about the supply chain and the risks it brings.
  • Follow CISA’s recommended Actions for Today (Jan 2021, CISA Insights).
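The “lock down version updates until they’ve been reviewed” point above can be made mechanical rather than left to habit. The following Python is an added example, not code from the original post, from SolarWinds, or from CISA: it models an internal update gate that installs a package only when its version is on a reviewed list and its SHA-256 digest matches the digest recorded when that build was reviewed. The package bytes, version strings, the manifest and the `evaluate_update`/`gate_updates` names are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed packages standing in for vendor builds that passed internal review.
# In practice the bytes are the update archive as received, and the manifest is
# written by the release-review step ahead of time, not computed at install time.
REVIEWED_PACKAGES: Dict[str, bytes] = {
    "2019.4.5": b"constructed package contents for build 2019.4.5",
    "2020.2.1": b"constructed package contents for build 2020.2.1",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a package; this is the value the review step pins."""
    return hashlib.sha256(data).hexdigest()


# Pinned manifest: approved version -> digest recorded at review time.
APPROVED_MANIFEST: Dict[str, str] = {
    version: sha256_hex(blob) for version, blob in REVIEWED_PACKAGES.items()
}


def evaluate_update(version: str, package: bytes,
                    manifest: Dict[str, str]) -> Tuple[str, str]:
    """Decide what to do with one offered update.

    Returns (decision, reason), where decision is one of:
      "install" - version was reviewed and the bytes match the pinned digest
      "hold"    - version never went through review; park it until it does
      "reject"  - version was reviewed but the bytes differ from that build
    """
    expected = manifest.get(version)
    if expected is None:
        return "hold", f"version {version} has not been through release review"
    actual = sha256_hex(package)
    if actual != expected:
        return "reject", (f"version {version} digest {actual[:12]}... does not "
                          f"match reviewed digest {expected[:12]}...")
    return "install", f"version {version} matches the reviewed build"


def gate_updates(offers: List[Tuple[str, bytes]],
                 manifest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Run every offered (version, package) through the gate and return an
    audit trail of (version, decision, reason) rows. Only rows marked
    "install" would be handed on to the installer."""
    return [(v, *evaluate_update(v, pkg, manifest)) for v, pkg in offers]


if __name__ == "__main__":
    # Constructed update offers: one clean, one altered after review,
    # and one version the review team has never seen.
    tampered = REVIEWED_PACKAGES["2020.2.1"] + b"\x00extra bytes"
    offers = [
        ("2020.2.1", REVIEWED_PACKAGES["2020.2.1"]),
        ("2020.2.1", tampered),
        ("2020.2.2", b"constructed package for an unreviewed build"),
    ]
    for version, decision, reason in gate_updates(offers, APPROVED_MANIFEST):
        print(f"{version:10} {decision:8} {reason}")
```

The gate catches a package that differs from the one your reviewers looked at and refuses anything nobody has reviewed. It does not catch the case the bullet itself warns about: if the build that reaches review is already the compromised one and review approves it, the digest pins the bad build and the gate will happily install it. The pin is only as good as the review behind it, and the audit rows are there so that, when a vendor advisory later names a version, you can tell quickly which hosts accepted it.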

Pivoting

When you’re working in a red team situation, exploring vulnerabilities to build the proper payload for your attack, you’re likely to find other weak points or exploitable areas during the various phases of the process. Once your payload succeeds, the next step is covering your tracks while finding a way to maintain continued access and looking for other weaknesses now exposed by your elevated access.

Why is this important? It shows that training, through blue team scenarios and active red team exercises, helps discover these threats in our environments. But it also exposes vulnerabilities within the global supply chain on a scale unseen before. FireEye and SolarWinds are both international companies, and if they can be breached, it may well mean that many others have already been breached and remain unaware.

References

[1] CISA. December 2020. Supply Chain Compromise.
Retrieved from https://www.cisa.gov/supply-chain-compromise

[2] CISA. January 5, 2021. Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA).
Retrieved from https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

[3] CISA. December 2020. Sparrow.
Retrieved from https://github.com/cisagov/Sparrow

CISA. January 2021. Actions for Today. CISA Insights.
Retrieved from https://www.cisa.gov/insights