Learning from the SolarWinds Cyberattack

Let’s Talk Security

Having spent 15+ years in the financial/banking vertical, I have always stayed abreast of the mainstream attacks that made the national news. In December 2020, we learned of what is probably the most significant and brazen cyberattack on record. It is well documented who sponsored these attacks, so I will skip past attribution for this article.

FireEye, one of the global leaders in cybersecurity, was the first to go public, after detecting a breach inside its own network. In a recent 60 Minutes interview, Kevin Mandia (FireEye's CEO) noted that their use of multi-factor authentication was the catalyst: an employee's account had a second mobile device registered for MFA, and that anomaly was investigated rather than dismissed. From there, discussions took place and more research was conducted until the intrusion was traced back to their SolarWinds server. Further research showed that malware had been inserted into a SolarWinds software update, so the server had been compromised by applying a legitimate-looking upgrade from the vendor.

The Impact

Microsoft was also impacted, and its President, Brad Smith, noted that roughly 18,000 organizations around the world installed the trojanized SolarWinds upgrade. The upgrade provided the attackers with a backdoor into every network that ran it, although the attackers then chose a much smaller subset of those organizations for follow-on intrusion. Microsoft alone assigned 500 engineers to dive deeper into this attack.

The compromise went undetected for months and reached environments throughout the US Government, including the US Department of Justice, US Department of Commerce, US Department of Energy, and the National Institutes of Health, to name a few. Former NSA Deputy Director Chris Inglis noted that the Department of Homeland Security's Einstein intrusion detection system did not catch this attack either, showing the attackers' sophistication. He also noted that the attack is far from being neutralized.

What is even more concerning is a point John Miller, Founder & CEO of Boldend (a company focused on building next-generation cyber defense tools), made during his 60 Minutes interview. Most attackers withdraw and stop once they are caught. That does not appear to be the case with this cyberattack. For the companies and agencies that were compromised, the impact looks set to continue for some time to come.

So…What Now?

For those of you involved in, or outright responsible for, cybersecurity at your organization, here are some actions you can take:

  • Review and ensure that your cyber insurance policy has coverage for post-breach forensic investigations.
  • Manually review every account with administrator access to ensure that each one is legitimate and still needed, and compare the list against an approved baseline kept outside the directory itself.
  • Reset passwords and other credentials that may have been exposed, especially if your MFA provider was among the affected vendors. Prioritize targeted resets where compromise is suspected over calendar-driven rotation, which NIST SP 800-63B no longer recommends for its own sake.
  • Increase security monitoring diligence, with particular attention to your SolarWinds servers and any other centrally managed software that receives vendor updates.
  • Buy your SecOps resources lunches, as they are going to remain very busy!
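
The two checks in the list above that can be automated are the admin-account review and the kind of MFA anomaly that gave FireEye its first lead (a second device registered on one employee's account). The script below is an added example, not code from the original article or from FireEye; it runs over a constructed export of accounts, and the names, groups, dates, approved list and review window are all assumptions made for the demonstration. In a real environment the same logic would be fed from a directory or identity-provider export.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    admin_groups: tuple      # groups that confer admin rights; empty if none
    enabled: bool
    mfa_devices: tuple       # (device_label, date_registered) pairs


# Constructed sample export for the example. Every name, group and date below
# is made up; it stands in for a dump from a directory or identity provider.
SAMPLE_ACCOUNTS = (
    Account("alice", ("Domain Admins",), True, (("phone-1", date(2020, 3, 2)),)),
    Account("bob", ("Domain Admins",), True,
            (("phone-1", date(2019, 11, 20)), ("phone-2", date(2020, 12, 1)))),
    Account("carol", ("Domain Admins",), True, (("phone-1", date(2020, 6, 15)),)),
    Account("svc-backup", ("Server Admins",), True, ()),
    Account("dave", (), True, (("phone-1", date(2020, 12, 5)),)),
    Account("erin", ("Domain Admins",), False, (("phone-1", date(2020, 1, 9)),)),
)

# Who is supposed to hold admin rights. Kept outside the directory so that a
# compromised directory cannot quietly "approve" its own additions. Assumed.
APPROVED_ADMINS = frozenset({"alice", "bob", "svc-backup"})

# Start of the window in which new MFA registrations get a human look. Assumed.
REVIEW_START = date(2020, 10, 1)


def find_unapproved_admins(accounts, approved):
    """Return admin accounts absent from the approved list, sorted by name.

    Disabled accounts are deliberately included: a disabled account left in an
    admin group is one re-enable away from full rights, so it still needs a decision.
    """
    return sorted(a.name for a in accounts if a.admin_groups and a.name not in approved)


def find_mfa_device_anomalies(accounts, review_start):
    """Flag MFA registrations worth investigating.

    Two conditions, each producing a reason string:
      * more than one device registered on the account;
      * any device registered on or after review_start.
    Returns {account_name: [reasons...]} for accounts with at least one reason.
    """
    findings = {}
    for a in accounts:
        reasons = []
        if len(a.mfa_devices) > 1:
            reasons.append(f"{len(a.mfa_devices)} MFA devices registered")
        for label, registered in a.mfa_devices:
            if registered >= review_start:
                reasons.append(f"device {label} registered {registered.isoformat()}")
        if reasons:
            findings[a.name] = reasons
    return findings


def audit(accounts, approved, review_start):
    """Combine both checks into one report dictionary."""
    return {
        "unapproved_admins": find_unapproved_admins(accounts, approved),
        "mfa_anomalies": find_mfa_device_anomalies(accounts, review_start),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, APPROVED_ADMINS, REVIEW_START)
    for name in report["unapproved_admins"]:
        print(f"ADMIN NOT APPROVED: {name}")
    for name, reasons in report["mfa_anomalies"].items():
        print(f"MFA REVIEW: {name}: {'; '.join(reasons)}")
```

On the sample data the report flags carol and erin as admins outside the approved list, bob for a second device registered inside the review window, and dave for a new registration. None of these is proof of compromise; the point is that each one is a specific question for a named account rather than a vague instruction to "review everything".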

Additional Resources to Keep in Your Toolbox

New information continues to surface, so keeping an eye on these unfolding events is important. Here are some additional resources I recommend saving: