FireEye becomes SolarWinds

Rather than throw more ink at the evolving story of the recent breaches of two security companies, the goal of this short piece is to give actionable insight into things you can do when recovering from a vendor exposure. As expected, the FireEye/Mandiant breach was the result of a breach at another company. This daisy chain is the nature of incident response. Think of it as a contagion spreading by business contacts. This kind of supply chain attack is always talked about and very difficult to deal with. The speed with which COVID-19 broke supply chains for durable goods and perishable foods pales in comparison to the high-tech ecosystem linkages of software and hardware dependencies.

There are two or three ways to think about your response to this event regarding SolarWinds, FireEye and your company. You may be a customer of SolarWinds; stretch your imagination, though, and think about how you would respond if you were SolarWinds. That is, besides hiring somebody like me to completely revamp your entire security portfolio and lead you into a new age of security. Do you have the logs, telemetry, evidence, forensics, and change control processes to withstand the withering scrutiny you would be under?

Compliance and due diligence in supply chain risk are difficult to do. Few companies take it as seriously as is required to keep from being part of a supply chain pandemic (why not coin that phrase in 2020?). Over the next few weeks the security conversation will morph to remote access found in tools, cloud-enabled tools, and the associated risks. Ink will be drawn across keyboards everywhere, mixing metaphors and supply chain puzzles, until blissful ignorance is allowed to return in a few months.

There are only a few ways the enterprise willing to navigate these issues will be able to respond. Staying solvent, profitable, and intact while finding best-in-class security resources to solve business issues is non-trivial. I'm not going to jump on the fear, uncertainty and doubt (FUD) anti-cloud parade of "never use the cloud." Simply put, that is a simplistic argument for a sophisticated problem. Business is competitive; tools that enable information technology and security teams to be effective while constraining costs are a requirement. The enterprise edge died about the time the cell phone became smart, and your defense-in-depth strategy expired along with sexy flip phones. The simple guidance is as follows.

Assume breach as a security posture at all times. This basic philosophy, paired with a lean-forward mentality and an always-hunting perception, will serve you well. You should push action and response as low into the organization as possible. Train your people well enough to leave and treat them well enough that they never think about leaving (to quote Branson). You should ban the executive-level skew of "we're secure" from the security team lexicon. Never blame the user, and gain a foothold of trust by being the good guy everybody calls first. This is a cultural viewpoint that will then drive much of your standard operating procedures and playbook design effort.

Since security is a myth, response is the plan. Do buy best-in-class security tools and eschew those tools that are bloated magnets for hackers. Build the best-in-class security you can possibly afford, knowing failure could be an existential mistake for even an exceedingly large enterprise. Make sure your network is fully instrumented at the endpoints, at all points of entry, and at the network level. You can't possibly defend what you can't possibly see. The ubiquitously quoted SANS instructors carefully crafted their program to take into consideration the various forms of forensics, and you can back into the supporting technologies and procedures for edge, host, and network security telemetry. In the SolarWinds event the exploitable software has been in play for 9 months or maybe more. The original phishing exploit could have been months prior to that. A lot of blame will get thrown around, but it is much more productive to move your security program forward, using this threat vector as a fulcrum to move leadership.

The idea that the SolarWinds and FireEye/Mandiant breaches are unique or rare is false. We've been here multiple times. Whether it was a technical glitch, a hacked software repository, or a law or regulation implemented, we have seen supply chain perturbations as unique as silicon chips being adjusted and as ubiquitous as counterfeit equipment. Your only adequate response to an unknown unknown like supply chain breakdowns is a significant response capability. Software implants are not new; historically they have been prevalent across many tools and applications. Software problems can exist for long periods of time and, even in open source, be missed by many eyes.

Timelines matter when you're trying to determine exposure and define log analysis parameters. I do not know the correlation at this time between the FireEye and SolarWinds breaches, though many are assuming there is one. There appears to be a linkage, but I want to hear Kevin Mandia say that explicitly (it may have already happened). Regardless, there will be a lot of effort at some point showing the timeline. Timelines remove much of the fog in the decision criteria. In this case we can guess, based on the public statements and the 8-K filing for SolarWinds, at what the timeline looks like. For companies reporting these things, explicit timelines are important so that teams can align their change management process with the versions impacted. It's an important factor in risk mitigation.
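One way to turn a vendor's published timeline into log analysis parameters, as an added example that is not part of the original post: intersect each host's deployment interval from change management with the impacted version set and date range, and emit a per-host log search window. The impacted versions and dates below are constructed placeholders, not the actual advisory values, and the change records are invented sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

# Constructed exposure window. These versions and dates are PLACEHOLDERS,
# not the vendor's published advisory values; substitute the real timeline.
IMPACTED_VERSIONS = {"2020.2-PLACEHOLDER-A", "2020.2-PLACEHOLDER-B"}
IMPACTED_FROM = date(2020, 3, 1)    # placeholder: first impacted build shipped
IMPACTED_TO = date(2020, 12, 14)    # placeholder: disclosure / analysis cut-off

Window = Tuple[date, date]


@dataclass
class ChangeRecord:
    """One entry from a change-management system (constructed sample)."""
    host: str
    version: str
    installed: date
    removed: Optional[date] = None  # None means the build is still deployed


def exposure_window(rec: ChangeRecord, cutoff: date = IMPACTED_TO) -> Optional[Window]:
    """Intersect the host's deployment interval with the impacted interval.

    Returns the (start, end) dates to feed into log analysis, or None when
    the host never ran an impacted build inside the impacted date range.
    """
    if rec.version not in IMPACTED_VERSIONS:
        return None
    start = max(rec.installed, IMPACTED_FROM)
    end = min(rec.removed or cutoff, cutoff)
    return (start, end) if start <= end else None


def log_analysis_parameters(records: Iterable[ChangeRecord]) -> Dict[str, Window]:
    """Map each exposed host to its log search window; unexposed hosts are omitted."""
    return {r.host: w for r in records if (w := exposure_window(r)) is not None}


def earliest_hunt_date(params: Dict[str, Window]) -> Optional[date]:
    """Earliest start across all hosts: the lower bound for a fleet-wide hunt."""
    return min((w[0] for w in params.values()), default=None)


# Constructed change records for illustration (hostnames and dates invented).
SAMPLE_RECORDS = [
    ChangeRecord("orion01", "2020.2-PLACEHOLDER-A", date(2020, 2, 10)),
    ChangeRecord("orion02", "2019.4-PLACEHOLDER", date(2020, 2, 10)),
    ChangeRecord("orion03", "2020.2-PLACEHOLDER-B", date(2020, 6, 15), date(2020, 9, 30)),
    ChangeRecord("orion04", "2020.2-PLACEHOLDER-A", date(2020, 1, 5), date(2020, 2, 20)),
]

if __name__ == "__main__":
    for host, (start, end) in log_analysis_parameters(SAMPLE_RECORDS).items():
        print(f"{host}: search logs from {start} to {end}")
```

A host that removed an impacted build before the impacted range began (orion04) correctly yields no window, while a host still running one (orion01) is searched through the cut-off date.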

For those of us in security the next few weeks will be horrific, exciting, terrifying, joyous, career-ending, humorous, insufferable, and so much more. Expect the information technology supply chain pandemic to continue to move out a few more rings. Add to that the current world political environment and the chances that there are persistence mechanisms behind the original, many-months-old exploit capability. The list of IOCs in the next few days could explode a thousandfold, as variations in hashes and other signatures that differ very little on the surface still result in entirely new signatures. Between the explosion in additional information and the insta-pundits and experts, I expect an associated explosion in vendor calls.