The holiday season is usually a time of year where many employees take time off to relax and be with family. However, at the end of 2020, the infosec community was dealt a surprising blow first when cybersecurity provider FireEye announced that it had been breached by a nation-state. Days later, news of a major breach at IT management software company Solarwinds Orion software impacted 30,000+ of its customers, including some of the largest companies in the US.
It brought to light an issue that many in security have recognized and have been trying to combat for years: the security of third-party vendors.
Nearly all companies rely upon the technology of a third-party company for some piece of their business, be it payroll, infrastructure, web hosting, marketing automation, etc. In regulated industries such as finance and healthcare, those third-party providers must be compliant with security regulations in order to protect customer data. But, if a third-party solution is breached, it leaves all customers vulnerable.
In the case of the Solarwinds Orion breach, a nation-state (the identity of which has not been confirmed but is suspected to be Russia) was able to gain access to the Solarwinds software through hacking back in 2019. Unnoticed by the security team, the sophisticated hacking group was able to install code into the software that looked benign. They completed a “test run” of an attack by adding some extra, non-malicious code to an Orion software update that Solarwinds pushed to their clients. Following the success of the test run, the nation-state threat actor moved forward with adding malware to the Orion source code, which was then pushed out to targeted victim companies in a Solarwinds software update.
The complete financial impact, as well as the nature of the stolen data, from the Solarwinds Orion breach won’t be known for quite some time. But it’s clear that the damage is fairly extensive. And it’s also clear that attackers now know that this is a proven method to breach businesses’ defenses. Binary Defense Chief Technology Officer and Co-Founder, David Kennedy, noted that “This isn’t going to be an unusual activity that happens once every five or 10 years; this is something that’s here to stay and companies are largely unprepared for it.”
Could your business experience a breach from third party technology?
Because the malicious code was pushed out through the normal software update through Solarwinds, their customers had no reason to suspect any foul play was happening.
You may think that as a small business, or a manufacturer with a niche market that you sell to, you would never be targeted by a nation-state actor. In fact, Kennedy says that most companies “don’t build those types of capabilities from a defensive perspective into their overall threat models. A third-party breach has been traditionally low on the probability chain, so most people don’t design their infrastructure that way.”
With security staff stretched thin due to the pandemic, budget restrictions and talent shortage, most companies aren’t equipped to find, let alone mitigate, an attack of this magnitude. In fact, the only reason the Solarwinds Orion breach was detected in December was an employee noticed that his multi-factor authorization had been changed without his permission. Otherwise, the breach could very well still have been going on unnoticed, leaving countless amounts of data, intellectual property, financial and personal information vulnerable.
Adding to the shortage of staff, and lack of budget, Kennedy said that organizations tend to rely on tools such as Windows Defender or ATP “to do everything for them to protect them against everything that’s happening out there,” he said. However, proper staffing is critical to monitor and interpret the alarms. Kennedy noted that Binary Defense Managed Detection & Response “would have actually flagged on a number of these attack factors” if a Binary Defense customer was impacted by Solarwinds.
Behavior-based monitoring and detection can set security teams up for success
Behavior-based detections are the critical piece in finding and mitigating attacks of this nature. Suspicious behavior is flagged and investigated by the security experts monitoring their security software. This sets businesses up to be proactive, rather than reactive, if a breach were to occur.
“Organizations now need to look at threat models and say ‘Supply chain attacks are absolutely a threat and we need to ensure that we have full visibility and coverage against these types of attacks in the future,’” Kennedy said. “Monitoring and detection is going to be more important.”
To learn more from David Kennedy on how you can protect your business from third-party types of attacks, register for this webinar:
