2020 ended with what has been called the biggest cyberattack of the year. A number of international cybersecurity companies fell victim. It’s unfortunate to say, but such an attack was expected. Happily, it’s not the end of the world.
In 2020, hackers attacked the SolarWinds IT company and deployed malicious updates on the Orion platform, which helps organizations centrally manage their networks, IT systems, and infrastructure. As a result, lots of SolarWinds clients installed a compromised version of the Orion platform and unknowingly let hackers penetrate their networks.
SolarWinds clients include more than 400 companies from the Fortune 500 list along with banks, healthcare facilities, and small businesses. Giants such as Microsoft, Cisco, and FireEye as well as many US government agencies including the State Department, the Treasury Department, and even the Cybersecurity and Infrastructure Security Agency (CISA) were victims of the attack.
FireEye cybersecurity company representatives have admitted that infected Orion software allowed attackers not only to successfully break into the company’s internal network but also to steal tools that FireEye uses to test its customers’ networks.
It was later discovered that the attack also affected other cybersecurity companies including Mimecast, Palo Alto Networks, Qualys, and Fidelis Cybersecurity.
In the early days of January 2021, the FBI, CISA, NSA (National Security Agency), and ODNI (Office of the Director of National Intelligence) issued a joint statement naming Russia as the most likely source of the SolarWinds attack.
This attack emphasizes an important point that has long been discussed by cybersecurity experts: No organization — no matter how large and powerful it is and no matter what it does — can be 100% safe from cyberattacks. Not even professional cybersecurity companies. Especially if the attackers have state support and unlimited resources.
Theoretically, the only guaranteed way to keep hackers out of your network is to disconnect all IT systems from the internet. It’s been said that a perfectly protected computer is a switched off computer. No one can use it from outside. But obviously, it’s impossible to turn off all equipment and disconnect everything from the internet, because then nothing works.
So what should you do?
First, you need to change your thinking, followed by changing your cybersecurity practices. Instead of adopting the position that you’ll use modern technologies and services and won’t be hacked, you should proceed with the position that there’s a 100% chance of your infrastructure being penetrated. That means applying solutions for constant monitoring systems in addition to perimeter protection technologies. It’s necessary to assess and learn the status of IT networks to find out if attackers are already inside and to chase them away on time. Using security and safety measures, you can build a maze which will be unclear and difficult for attackers on the one hand while being accessible to you with constant CCTV monitoring on the other.
Secondly, in order to properly build this defensive maze and know where to put surveillance cameras, it’s important to understand how criminals work. We see that the first choice of hackers – when they need to kill thousands of birds with one shot and capture as much territory as possible – is a supply chain attack. You don’t have to attack every single company when you can break into an IT service provider’s network, set up a backdoor in updates, and access thousands of customers through that vendor. That’s how the NotPetya attack worked in 2017 as well as the CCleaner attack the same year. We’re sure this is the same way the most powerful cyberattacks will occur in the future.
Thirdly, it’s worth providing cybersecurity training to the top management of companies. Or teaching CISOs how to speak persuasively to senior management to communicate the reality of existing threats, the possible impact, and the need for effective protection.
Unfortunately, many business leaders are still too careless about information security in general. Physical doors to rooms with money and other assets are locked with keys, but virtual doors to data storage are thought to be unreachable on their own. Too many companies, both small and global, are still unaware of the risks. They naively believe they don’t have something particularly valuable or that a threat will pass by them and the IT department (underfunded, understaffed, and set up for completely different tasks) will cope with everything.
Finally, you should carefully choose information security service providers. Large managed security service providers (MSSPs) have considerable experience protecting many customers, have numerous teams of professionals, and use sophisticated technologies. Unfortunately, their large size leads to management difficulties. After all, the larger and more complex the IT environment of the MSSP itself, the more effort is required for internal IT security control and protection. The SolarWinds case clearly demonstrates the demand for relatively small cybersecurity companies, which are compact and more likely to provide individual protection and security to customers. However, an MSSP that’s too small will simply not be able to protect itself due to the limited number of employees who are 100% focused on customer service. Therefore, your ideal security provider should have a team of at least 100 and no more than 200 to 300 people.
If we go back to the SolarWinds attack, we’re sure that the show is not over yet. We’ve watched the first act – directly hacking SolarWinds — and the second act: penetrating the network of those who have used the infected Orion software. But there will be a third act, a fourth act, and others. We will hear a lot more on this topic. After all, no one knows what the attackers had time to do before they were discovered, where they drilled through the worldwide information network, and what territories they managed to capture. Therefore, let’s continue to actively monitor our networks.
Artem Mykhailov, Enterprise Solutions Director, ISSP