The costliest aspect of a cyber-attack is information loss. Data lost in a breach, often belonging to third parties, can be expensive to restore.
The recent Sunburst cyber-attack on software firm SolarWinds has left thousands of businesses affected, including multiple government agencies in the US. The breach was uncovered by researchers at cybersecurity firm FireEye, which was investigating an attack against its own systems and found that the trail led back to the third-party IT monitoring and management tool. This incident highlights only too well how security attacks are becoming more sophisticated, the growing use of third parties as a proxy for gaining access, and that (as in this case) it can take months before a breach is discovered.
While the details are still emerging, it is clear the hackers breached SolarWinds and modified updates for its Orion Platform software, ultimately providing a highly privileged route for cyber criminals to exploit. The Orion product has been manipulated to compromise the IT networks of several high-profile organisations. The details of the FireEye and SolarWinds breaches have been widely broadcast across industry and mainstream media, but minimal visibility has been given to guidance on what companies should do to protect themselves in such circumstances.
Firstly, the good news. Unless your organisation is considered a high-profile target, the chance of this vulnerability being exploited is extremely low. However, following good practice, where an organisation uses the affected SolarWinds Orion Platform, it should ensure it has not been compromised. If a compromise is suspected, you will need to consider how to protect the company while also preserving evidence. In essence, the first activity in such a situation would be to remove the SolarWinds servers from the company network: isolating them, rather than rebuilding them, keeps the evidence intact for investigation.
To remediate the vulnerability, both the National Cyber Security Centre (NCSC) and SolarWinds websites provide clear and detailed guidance on how to respond. The most obvious and preferred approach is to ensure that your organisation has applied the latest HotPatch. This alone should be sufficient to address the immediate issue. However, for those organisations unable to apply the HotPatch, the website provides a comprehensive set of suggested activities to mitigate the issue. These range from the understandable guidance on restricting access via the internet, through to a list of protocol security configuration suggestions. Once applied, these suggestions will no doubt provide a robust level of short-term mitigation.
Organisations should also be mindful of the potential social engineering activity that may follow as a result of this incident. We are already seeing clients being subjected to calls from actors purporting to be SolarWinds employees.
Should you need further guidance or support on this issue, or any other cyber related matter, Mason Advisory are on hand to help you ensure that you have a suitable level of cyber protection in place.
For more technical details on how to respond to this incident, the following websites provide some excellent guidance:
Author: Martin Lunt