Solorigate: Protecting Against Supply Chain Attacks

By Kim Blomgren
February 23, 2021

SolarWinds, a US-based maker of IT infrastructure management and monitoring software, suffered a very sophisticated cyberattack that raised a lot of questions about security. While media reports attribute it to a foreign intelligence service, as of this writing we don't know who is truly responsible. Nevertheless, one thing is clear: this was not a sloppy attack carried out by script kiddies. It was a complicated, well-thought-out and carefully executed attack that was probably planned over the course of a year or more.

What happened? 

To quickly recap, attackers managed to inject a small, well-hidden piece of malicious code, a backdoor, into a routine update of Orion, SolarWinds' infrastructure management and monitoring software. Because the injection happened inside SolarWinds' own build process, the resulting update looked like any other legitimate release and didn't raise any red flags. The backdoored update was then distributed to customers all over the world, including quite a few US government agencies.

From there, attackers were able to access victims' systems via the backdoor they had planted. The compromised files carried SolarWinds' legitimate digital signature, which indicates that the attackers had access to SolarWinds' development environment and/or its build pipeline; that is typical of a supply chain attack. It is also an important caveat for anyone relying on code signing as a control: a valid signature only proves that the vendor's signing key was used, not that the code it covers is clean.

What is a supply chain attack? 

A supply chain attack is an emerging threat in which attackers target the weakest link in your supply chain, be it your development environment, your build processes, the pipelines and tools you use to do your work, or the contractors you work with. For example, you may remember the 2013 Target data breach, in which the payment card data of approximately 40 million customers was stolen, costing the company millions of dollars.

It all started when credentials belonging to an HVAC (air conditioning) vendor working as a Target contractor were (allegedly) stolen. Ironically, this happened six months after Target started installing its state-of-the-art, $1.6 million cybersecurity system. While Target thought it was secure, it overlooked the fact that suppliers can be a weak link. I think it is now clear why it's called a supply chain attack: your security is only as strong as the weakest link in your supply chain.

Strengthening your weakest link 

Is there a way to prevent supply chain attacks? While you may not be able to prevent every attack, especially at the scale of a large enterprise, it's absolutely possible to reduce the risk and the potential damage of an attack by taking some precautions. Here is what you can do to help minimize your supply chain 'attack surface':

  • Limit the use of third-party tools and software
    While it sounds simple, this may be one of the most important preventative measures you can take to reduce the risk of a supply chain attack. Certainly, there are tools you can't do your job without, but there are others that are not really required. Those also tend to be used less and therefore updated less often, which makes them an easier target. Prepare an inventory of the tools you use, discard the unnecessary ones, and keep track of the remaining ones, ensuring they are updated and patched regularly.
     
  • Assess/evaluate the risk of third parties
    The risks carried by third parties are usually hard to notice and can be very difficult to assess. Yet knowing them will help you greatly in understanding the possible damage and reducing your attack surface. For assistance, consider working with a partner who specializes in third-party risk assessments, and/or work with established risk-management frameworks such as those from ISO or NIST.
     
  • Monitor attacks on your suppliers
    Your suppliers can fall victim to an attack that then spreads to you. Be aware of what's happening within your supply chain so you can take action before it's too late.
     
  • Establish a robust onboarding/offboarding process
    One of the most common mistakes organizations make is forgetting to offboard contractors, or giving them excessive system access when onboarding. Understand the principle of least privilege and apply it: grant only the access a role actually needs, for only as long as it is needed, and remove it when the engagement ends. Monitor and update these processes frequently.
     
  • Understand the shared responsibility model
    The security of your systems is a shared responsibility between you and your providers. Understand your own responsibilities and make sure your suppliers are also aware of theirs.
     
  • Understand the Zero Trust concept and apply it
    As the name suggests, Zero Trust is based on the principle that nothing is trusted implicitly, whether it sits inside your own network or at a third party. Every user, device and application must be authenticated and authorized before being granted access, and continuously re-evaluated afterwards. The concept alone won't help you much if you don't have a proper security posture beforehand, but it will help you be more aware of possible threats.
     
  • Pay your technical debt
    If you have a legacy code base, it's quite possible that you have technical debt. If you don't pay that debt in time it will accumulate interest, making it even more difficult to implement changes that can be crucial for your security.
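The onboarding/offboarding and least-privilege points above are the easiest to turn into a recurring check. The following is an added example, not code from the original post or from Flux7: it runs an offboarding and privilege audit over a constructed account inventory (the field names, the 90-day staleness threshold and the sample accounts are assumptions; a real run would read the same fields from your identity provider or HR feed).

```python
"""Offboarding / least-privilege audit over an account inventory.

Added example (not part of the original post). The inventory format and the
sample accounts below are constructed for illustration; replace ACCOUNTS with
an export from your identity provider or HR system.
"""
from datetime import date

# Constructed sample data resembling an IdP/HR export. "approved_roles" is the
# access the engagement was actually signed off for; "roles" is what is live.
ACCOUNTS = [
    {"user": "hvac-vendor", "type": "contractor", "enabled": True,
     "contract_end": date(2020, 12, 31), "last_login": date(2021, 2, 20),
     "roles": {"vpn", "billing-admin"}, "approved_roles": {"vpn", "billing-submit"}},
    {"user": "dev-contractor", "type": "contractor", "enabled": True,
     "contract_end": date(2021, 6, 30), "last_login": date(2020, 10, 1),
     "roles": {"repo-read"}, "approved_roles": {"repo-read"}},
    {"user": "alice", "type": "employee", "enabled": True,
     "contract_end": None, "last_login": date(2021, 2, 22),
     "roles": {"repo-write"}, "approved_roles": {"repo-write"}},
    {"user": "old-vendor", "type": "contractor", "enabled": False,
     "contract_end": date(2019, 3, 1), "last_login": date(2019, 2, 28),
     "roles": set(), "approved_roles": set()},
]

# Assumed policy: an enabled account with no login for this many days is stale.
STALE_DAYS = 90
# Date the audit is run against; fixed here so the example is reproducible.
AUDIT_DATE = date(2021, 2, 23)


def audit_accounts(accounts, today=AUDIT_DATE, stale_days=STALE_DAYS):
    """Return a list of (user, finding) tuples for enabled accounts that
    should have been offboarded, are stale, or hold more access than approved.

    Disabled accounts are skipped: they are already deprovisioned.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue

        # Offboarding gap: the engagement is over but the account still works.
        end = acct["contract_end"]
        if end is not None and end < today:
            findings.append((acct["user"], "contract ended, account still enabled"))

        # Dormant access is access nobody will notice being abused.
        if (today - acct["last_login"]).days > stale_days:
            findings.append((acct["user"], f"no login in {stale_days} days"))

        # Least privilege: anything live that was never approved is excess.
        excess = acct["roles"] - acct["approved_roles"]
        if excess:
            findings.append((acct["user"],
                             f"roles beyond approved set: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS):
        print(f"{user}: {finding}")
```

Against the constructed data this flags the HVAC vendor twice (contract expired, and a live billing-admin role that was never approved) and the development contractor once (dormant for more than 90 days), while leaving the employee and the already-disabled account alone. Running such a check on a schedule, with the findings routed to whoever owns the supplier relationship, is the difference between having an offboarding process on paper and actually enforcing it.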

Developers, operators, security and other teams all have to work closely together to ensure the security of systems throughout the supply chain, and they have to get it right all day, every day. Conversely, attackers only have to get it right once in order to be successful. While the cards may seem to favor the attacker, there are steps you can take to help restack the deck in your favor. At the end of the day, having your supply chain evaluated and made more visible, building a trusted relationship with your suppliers, and being prepared for an attack can help you tremendously in your efforts to mitigate supply chain attacks.


Written by Onur Özkaynak, Flux7 Labs

Flux7, an NTT DATA Company, is the only Sherpa on the DevOps journey that assesses, designs, and teaches while implementing a holistic solution for its enterprise customers, thus giving its clients the skills needed to manage and expand on the technology moving forward. Not a reseller or an MSP, Flux7 recommendations are 100% focused on customer requirements and creating the most efficient infrastructure possible that automates operations, streamlines and enhances development, and supports specific business goals.
