Cyber security fundamentals – Cyber Security and Humans
We’re now into a new year, and the third year’s run of these articles.
Over 2020, cyber security and technology have only soared in profile and importance, with talk about the technology-related threats to remote working, its practical difficulties, and some dramatic outages. Logistics, enabled largely by technology, have been essential to keep things moving and to give people support and normality.
We’ve also heard a lot about attacks on medical research centres, looking to access research information and believed to be carried out by nation states. And with the SolarWinds compromises we’ve seen attacks, traced back over multiple months, which have penetrated organisations to the deepest levels via their suppliers.
Over the year, I’ll be looking in depth at some of these incidents as more details come out. In a timely fashion, I wanted to start the year off with the biggest of these, which is still ongoing, why it is far from the last, and what can be done about them.
SolarWinds make a suite of products aimed at helping organisations manage their technology. One of these is called SolarWinds Orion, which provides a dashboard and management interface for different technology environments. Referred to as a single pane of glass, it allows you to view and manage your physical on-premises technology, cloud environments, and mixed environments, all from one place.
It’s simply not possible to manage everything without either a ten- to a hundred-fold increase in people for an IT team, or a management solution like SolarWinds. To manage these servers, that solution needs to have highly privileged access to the servers. It also needs to be able to deploy software, update systems, and change their configuration, all from one central point.
Building software to do this safely and securely is a significant task, so it is extremely rare for companies to build their own. The Orion solution by SolarWinds was used by over 30 000 private and public sector customers to manage their networks. It was not always the only solution in place, but even where it was one of many it would be used to control a significant part of the network.
In early December, cyber security company FireEye was breached through means that were, at the time, unknown. Their library of attack tools for penetration testing, mostly well-known exploits, was stolen. This was embarrassing and, for FireEye, inconvenient, as their arsenal of custom pen testing tools was now essentially useless once they had to release details of it; but initially this did not seem like anything more than an attack on a single target.
Three days later, FireEye announced that they had uncovered a much larger breach: a component in the SolarWinds Orion software had been altered for malicious purposes sometime between March and June, and rolled out through SolarWinds’ own automatic update servers.
The malicious component provided a backdoor for an attacker group codenamed UNC2452 by FireEye to control the software. Since Orion controlled servers, the result was that the attacking group potentially had unfettered access to any network making use of the Orion software.
At this point we can make some guesses about the motives of the attackers. If it was an organised crime group, then as with the breach on Twitter it would likely have been a fairly short-lived attack in which ransomware or similar was deployed to cause as much chaos as possible and raise funds. Since the attackers have instead been found to have moved slowly and carefully, identifying valuable targets – particularly intelligence targets – and to have maintained the compromise until FireEye discovered them after the theft of their tools, it is a reasonable assumption that an intelligence agency, not motivated by a profit agenda, is likely responsible.
FireEye’s UNC2452 group is known by the US government as APT29, and among other names is codenamed Cozy Bear. Any threat codenamed Bear is believed to be associated with Russia, and Cozy Bear have been involved with a number of other attacks, including the accusation, made in July by the US NSA, the UK’s NCSC, and Canada’s CSE, of attempting to steal data on vaccines and treatments.
Importantly, while Cozy Bear are a well-resourced, sophisticated threat, the main difference between a nation-state level attacker and an organised crime group is not the level of capability, but the motivation. The compromise of SolarWinds was sophisticated, but none of the attack vectors used were new in principle – they are well understood attacks which can be addressed by an effective security programme, and mitigated or prevented by effective security by design.
While there are understandable concerns about Cozy Bear, there are serious concerns around supply chain security as well. The supply chain has been considered a valuable attack vector by some in cyber security for a while, and one worthy of attention, but the difficulty of effectively assessing the security of the chain and the risk for any individual company means it is often either overlooked or given only cursory due diligence.
At that point organisations have no choice but to trust their suppliers. When those suppliers are trusted with all of the access and privileges of the most senior, highly-permissioned administrators, it is stunning that most organisations put more effort into background checks when selecting their own trusted staff than into the supply chain.
The supply chain, obviously, is not a new threat and is often discussed in physical security arenas. The difference is that for any non-software supply chain there is a limit to the impact of a breach. Devices with malicious hardware installed can at least only affect new installations, while with automatic updates the injection of malicious software can affect not only new installations, but all of those which already exist.
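To make the automatic-update point concrete, here is an added example of the kind of gate a defender can put in front of a management tool's update channel. It is my own illustration, not code from the original article, from SolarWinds or from any incident write-up. The component names, package contents and dates are constructed stand-ins. The design reflects the caveat the incident raises: because the altered component was shipped through the vendor's own update servers, checking it against the vendor's own manifest would not have helped, so the gate instead (a) accepts only package digests that the operating team has pinned out of band after review, (b) holds a pinned update for a period before it may auto-install, and (c) reports which component differs when an incoming package does not match a pinned one.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample "update packages": {component name: bytes}.
# A real package would be the installer or DLL set; these are stand-ins.
GOOD_UPDATE = {
    "Orion.Core.dll": b"legitimate build of core component v1",
    "Orion.Web.dll": b"legitimate build of web component v1",
}
# Same package with one component altered, standing in for an injected build.
TAMPERED_UPDATE = {
    "Orion.Core.dll": b"legitimate build of core component v1" + b"\x00altered",
    "Orion.Web.dll": b"legitimate build of web component v1",
}


def component_digests(files):
    """SHA-256 per component, keyed by component name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def package_digest(files):
    """Deterministic SHA-256 over component names and per-component digests, sorted by name."""
    h = hashlib.sha256()
    for name, digest in sorted(component_digests(files).items()):
        h.update(name.encode())
        h.update(b"\x00")
        h.update(bytes.fromhex(digest))
    return h.hexdigest()


# Allow-list of package digests pinned out of band by the operating team after review,
# mapped to the time they were pinned. Assumption: digests are obtained independently of
# the vendor's update server (e.g. from a reviewed copy), not read from the download itself.
PINNED = {
    package_digest(GOOD_UPDATE): {
        "pinned_at": datetime(2020, 3, 1, tzinfo=timezone.utc),
        "components": component_digests(GOOD_UPDATE),
    },
}

# Hold period: a pinned update waits this long before automatic installation,
# giving time for problems to surface elsewhere before every installation takes it.
HOLD_PERIOD = timedelta(days=14)


def diff_components(expected, actual):
    """Names of components whose digest differs from (or is missing in) the pinned record."""
    actual_digests = component_digests(actual)
    return sorted(
        name for name in set(expected) | set(actual_digests)
        if expected.get(name) != actual_digests.get(name)
    )


def gate_update(files, now, pinned=PINNED, hold=HOLD_PERIOD):
    """Return (allowed, reason). Allowed only if the package digest was pinned out of band
    and the hold period since pinning has elapsed."""
    digest = package_digest(files)
    if digest not in pinned:
        # Report the closest pinned record's differing components to aid investigation.
        changed = {d: diff_components(rec["components"], files) for d, rec in pinned.items()}
        best = min(changed.items(), key=lambda kv: len(kv[1]), default=(None, []))
        return False, f"digest {digest[:12]}... not pinned; components differing from nearest pin: {best[1]}"
    age = now - pinned[digest]["pinned_at"]
    if age < hold:
        return False, f"pinned {age.days} days ago; hold period of {hold.days} days not elapsed"
    return True, "digest pinned out of band and hold period elapsed"


if __name__ == "__main__":
    for label, pkg, when in [
        ("good, early", GOOD_UPDATE, datetime(2020, 3, 5, tzinfo=timezone.utc)),
        ("good, after hold", GOOD_UPDATE, datetime(2020, 3, 20, tzinfo=timezone.utc)),
        ("tampered", TAMPERED_UPDATE, datetime(2020, 3, 20, tzinfo=timezone.utc)),
    ]:
        print(label, "->", gate_update(pkg, when))
```

The gate is deliberately independent of anything the vendor ships alongside the package: the decision rests on a digest the team recorded itself and on elapsed time, so a build altered upstream is refused and the report names the component that changed. Holding an update also limits the blast radius the text describes, where a single pushed update otherwise reaches every existing installation at once.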
The SolarWinds breach is going to be a long saga – at the moment I’m aware of a list of 250 organisations (including government agencies) confirmed as affected, and there is a much longer list of those potentially affected. In my next article I plan to write about the importance of incident response exercises – usually carried out by organisations no more than once a year at most – and how they can be run by anyone to help pull out the holes in a security framework or response plan, as well as used for training incident response teams and associated staff in how to deal with these attacks.
Cyber Security and Humans
By: James Bore
James Bore is an independent cybersecurity consultant, speaker, and author with over a decade of experience in the domain. He has worked to secure national mobile networks, financial institutions, start-ups, and one of the largest attractions companies in the world, among others. If you would like to get in touch for help with any of the above, please reach out at firstname.lastname@example.org