On December 8th, FireEye, a leading cybersecurity provider, reported that a sophisticated threat actor had infiltrated its network and accessed proprietary penetration testing tools. Upon further investigation, the firm uncovered a global cyber intrusion campaign, which trojanized a software update to a widely deployed SolarWinds IT management software product.[i] Nation-state actors, likely of Russian origin,[ii] subverted SolarWinds’ software supply chain and inserted malicious code into the company’s Orion software product update. Because the SolarWinds Orion solution is used by thousands of large organizations, and is often enabled with elevated privileges, it is a valuable target for adversary activity.
The corrupted update was downloaded by as many as 18,000 SolarWinds customers, spanning U.S. government agencies, critical infrastructure entities, and private sector organizations. Major IT providers like Microsoft were also victimized by the incident, where attackers were able to gain access to source code repositories.[iii] The campaign, which new reports claim began as early as October 2019[iv], has demonstrated patience, persistence, and complex tradecraft. New details have emerged that offer greater understanding of how adversaries exploited the SolarWinds update process. Attackers successfully hijacked the update build operation and replaced the targeted source code with a malicious variant before it had been read by the compiler.[v] Traditional integrity checking mechanisms would be unable to detect tampering because the baseline code had already been corrupted, nullifying hash comparisons to a known good, or other integrity checking methods. This vector, along with a number of other tactics to avoid detection, further reinforces the actors’ proficiency and sophistication.
Achieving confidence that the threat has been mitigated and safeguarding against future software supply chain attacks will be a challenging and resource-intensive endeavor for government and commercial enterprises.[vi]
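The build-time source swap described above, as an added example that is not part of the original article or SolarWinds' tooling: it shows why a customer's hash comparison passes on a tampered build, and two checks that do notice the swap. The toy "compiler", the file names and the manifest format are assumptions made for illustration.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def toy_build(sources):
    """Stand-in for a deterministic compiler: output depends only on its inputs."""
    h = hashlib.sha256()
    for path in sorted(sources):
        h.update(path.encode() + b"\0" + sources[path] + b"\0")
    return b"ARTIFACT:" + h.digest()

def workspace_drift(manifest, workspace):
    """Compare build-workspace files with the digests recorded for the reviewed commit."""
    drift = []
    for path in sorted(set(manifest) | set(workspace)):
        if path not in workspace:
            drift.append((path, "missing"))
        elif path not in manifest:
            drift.append((path, "unexpected"))
        elif sha256(workspace[path]) != manifest[path]:
            drift.append((path, "modified"))
    return drift

def run_demo():
    # Constructed sample: sources as reviewed and committed (hypothetical file names).
    reviewed = {
        "src/Core.cs": b"class Core { void Refresh() { } }",
        "src/Util.cs": b"class Util { }",
    }
    # Manifest recorded from version control and stored off the build host.
    manifest = {p: sha256(c) for p, c in reviewed.items()}
    # Build workspace in which one file was swapped before the compiler read it.
    workspace = dict(reviewed)
    workspace["src/Core.cs"] = b"class Core { void Refresh() { /* unreviewed code */ } }"
    shipped = toy_build(workspace)
    published_hash = sha256(shipped)  # the vendor hashes what it built
    # 1. Customer-side check against the published hash: passes on the tampered build.
    customer_check_passes = sha256(shipped) == published_hash
    # 2. Independent rebuild from the reviewed commit: does not reproduce the artifact.
    rebuild_matches = toy_build(reviewed) == shipped
    # 3. Source manifest check inside the pipeline: names the swapped file.
    return customer_check_passes, rebuild_matches, workspace_drift(manifest, workspace)

if __name__ == "__main__":
    print(run_demo())
```

A check that runs only before or after compilation misses a swap that is reverted once the compiler has read the file, so the comparison belongs at the point of compilation or in a separate rebuild environment.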
Trendlines and Implications
Although this supply chain security attack may be unprecedented in scale and sophistication, it is consistent with a number of persistent trends in software supply chain risk.
• Software update hijacking is not a new tactic…but countermeasures can be elusive. While the SolarWinds attack demonstrates the increasing sophistication and potential magnitude of software supply chain vectors, a number of previous attacks also relied on the corruption of legitimate software updates. The 2017 NotPetya attack, with estimated damages of over $10B, was enabled by corrupting a legitimate tax software update server. Atlantic Council’s comprehensive report, Breaking Trust, Shades of Crisis Across an Insecure Software Supply Chain, highlights the growing update hijacking trend. The report’s dataset reveals that these attacks are significant force multipliers for advanced state actors and are the most likely to cause highly disruptive impacts (e.g., encrypt data, target physical systems, or extract information).[vii]
The adversarial effectiveness of exploiting a legitimate software update process was reinforced by the admission that the federal government’s EINSTEIN detection system and Continuous Diagnostics and Mitigation (CDM) program failed to alert agencies to suspicious activity.[viii] To compound the challenge, as detailed above, detecting the initial update tampering attack can be a complex undertaking. For example, decompiling the finished SolarWinds update and comparing it to the original source code could have alerted on malicious changes; however, this process is time-consuming and, depending on the languages used, can produce false positives due to the artifacts generated from the decompiling process.
• Software is increasingly complex and ubiquitous. Exploitation of software flaws is a longstanding attack vector, and the expanding scale, complexity and implementation of software can overtake security imperatives. While the agile software development evolution has been game-changing for productivity and responsiveness, the rapid pace of code changes can challenge more methodical security practices. Moreover, third-party code use adds complexity and a level of opacity to the software supply chain. A recent audit found open source components in nearly 99% of codebases and high-risk vulnerabilities in almost half of audited libraries.[ix]
• Exploiting identity and access services to bypass multi-factor authentication (MFA) has expanded the attack surface for enterprise environments and other crown jewels, like code repositories. The SolarWinds attack and subsequent customer infections have demonstrated malicious actors’ ability to bypass protective technologies like multi-factor authentication. Attackers stole the Active Directory Federation Services (ADFS) token-signing certificate and used it to forge tokens for malicious use. This enabled them to authenticate into a federated resource provider (such as Microsoft Office 365), without a password or corresponding MFA mechanism. Enhanced account auditing, enforcement, and strong certificate hygiene (including storing certificates on hardware security modules) can assist in mitigating this authentication bypass.[x] Organizations should prioritize high value assets like Active Directory, code repositories and other crown jewels for hardening activities.
• Geographical origin of software development can amplify risks. Reporting that some of the compromised SolarWinds software was engineered in Central and Eastern Europe, including Belarus—which is not part of the EU or NATO and is politically aligned with Russia—will likely increase risk perception and distrust of coding in high-risk geographies.[xi] While not all Central and Eastern European countries share the same threat profile, organizations should conduct deeper risk analysis on their software development footprint and associated risks and balance those against potential cost savings. In addition, emerging cybersecurity and privacy requirements in countries including China and Russia are engendering greater concern that such authorities could be leveraged to identify and later exploit vulnerabilities in technologies developed or marketed in those jurisdictions, irrespective of where those technologies reside.[xii]
• Heightened government scrutiny and intervention were underway before SolarWinds. Although U.S. government agencies have already implemented a number of new authorities targeting high-risk software, repercussions from the SolarWinds attack will increase the likelihood of further action, notwithstanding the change in Administration. A number of mandates including the Executive Order on Securing the Information and Communications Technology and Services Supply Chain[xiii] and the Executive Order on Securing the United States Bulk-Power System[xiv] are already in place. In addition, the Congressionally-chartered Cyberspace Solarium Commission boldly recommended Congress pass a law stating that software providers are liable for damages from incidents that exploit known and unpatched vulnerabilities.[xv] In response to the SolarWinds incident, some policymakers are calling for a set of minimum standards for all government-procured software products (though such standards would have to be enforceable across agencies to have an impact). Others have suggested sector-specific regulators establish software security clearinghouses, similar to Apple’s App Store, to certify product security before deployment.[xvi]
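One way to audit for the forged-token bypass described in the identity and access bullet above, as an added example that is not from the original article: a token minted with a stolen signing certificate never passes through the identity provider, so a federated sign-in at the resource provider with no matching issuance record stands out. The log format, field names and the five-minute window are assumptions; a deployment would map them to its own ADFS audit events and resource-provider sign-in logs.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed maximum gap between issuance and use

def parse(line):
    """Parse 'ISO-timestamp key=value ...' into a dict (constructed log format)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def unissued_signins(idp_lines, sp_lines, window=WINDOW):
    """Return federated sign-ins that have no token issuance at the IdP shortly before."""
    issued = {}
    for rec in map(parse, idp_lines):
        if rec.get("event") == "token_issued":
            issued.setdefault((rec["user"], rec["rp"]), []).append(rec["ts"])
    suspicious = []
    for rec in map(parse, sp_lines):
        if rec.get("auth") != "federated":
            continue  # only federated sign-ins depend on the token-signing certificate
        times = issued.get((rec["user"], rec["rp"]), [])
        if not any(timedelta(0) <= rec["ts"] - t <= window for t in times):
            suspicious.append((rec["user"], rec["rp"], rec["ts"].isoformat()))
    return suspicious

# Constructed sample: identity provider issuance log.
IDP_LOG = [
    "2020-12-01T09:00:05 event=token_issued user=alice rp=o365",
    "2020-12-01T09:10:00 event=token_issued user=bob rp=o365",
]
# Constructed sample: resource provider sign-in log.
SP_LOG = [
    "2020-12-01T09:00:07 user=alice rp=o365 auth=federated src=10.0.0.5",
    "2020-12-01T09:12:30 user=bob rp=o365 auth=federated src=10.0.0.9",
    "2020-12-01T11:42:00 user=svc-admin rp=o365 auth=federated src=203.0.113.7",
    "2020-12-01T12:00:00 user=carol rp=o365 auth=password src=10.0.0.8",
]

if __name__ == "__main__":
    for hit in unissued_signins(IDP_LOG, SP_LOG):
        print("federated sign-in without IdP issuance:", hit)
```

The correlation only works if both log sources are retained and time-synchronized, and the window needs tuning to the environment's token lifetime to keep false positives down.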
Technical Response Guidance
Both the U.S. government and commercial security providers have published technical remediation guidance and directives to address the SolarWinds attack threat. Key technical reporting includes:
• US Cybersecurity & Infrastructure Security Agency Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
• US Cybersecurity & Infrastructure Security Agency Alert (AA20-352A)
• SolarWinds Security Advisory
• FireEye Threat Research on SolarWinds Supply Chain Compromise and Detection Opportunities
• Crowdstrike SolarWinds Build Process Exploitation Analysis
So how do organizations address the persistent software lifecycle security risks that have been further reinforced by the SolarWinds compromise? They can do so by applying purpose-built software frameworks, evaluating national security risk, and implementing scenario-based threat modeling, while also ensuring a risk-appropriate level of independent validation and testing. The U.S. government can also enhance its assistance with refined response functions.
1. Align to purpose-built software frameworks and tools. Existing security standards like NIST SP 800-53, 800-171, and CMMC offer little guidance on software security practices. Emerging frameworks like NIST’s Secure Software Development Framework (SSDF)[xvii] and Business Software Alliance (BSA) Framework for Secure Software[xviii], among others, offer greater precision on software lifecycle security best practice. The SSDF, for example, documents implementation guidance for mitigating unauthorized code access and tampering, a key vector in the SolarWinds compromise. These authoritative frameworks also feature mapping to other software security resources (BSIMM, OWASP SAMM, etc.) to promote interoperability. While not directly applicable to the SolarWinds incident, a software bill of materials (SBOM) is an important development for addressing software complexity. A software bill of materials offers a common taxonomy for documenting and communicating an application’s “ingredients” to reduce code opacity, particularly for third-party components.[xiv] Equipped with SBOMs, organizations can more efficiently identify and mitigate potentially vulnerable systems.
2. Consider national security risks and opportunities for transparency. While it remains unclear whether overseas coding environments contributed to the SolarWinds compromise, heightened risks (and risk perception) of foreign interference are growing. Companies should assess if product development centers are exposed to high-risk geographies in order to plan for risk reduction and anticipate customer concerns. Understanding national security risks should help to address any high-risk code development locations, supply chain dependencies and insider risks that could increase risk exposure and create government or customer headwinds.
3. Apply scenario-based threat modeling. Organizations can better defend themselves by understanding reasonably foreseeable adversary behavior and building threat-informed countermeasures. A threat modeling effort should also reflect an understanding of an entity’s critical assets or “crown jewels” to better appreciate what an adversary may view as an attractive target. The MITRE ATT&CK Framework can serve as a useful tool for enumerating threat behavior and mapping it to existing defenses, particularly for scenarios involving traversal from an enterprise network into a sensitive environment, like a code repository[xx]. Emerging adversary techniques like MFA bypass and build process subversion (described above) should be incorporated into modeling, as appropriate.
4. Risk-appropriate testing and validation. Internal testing can be validated and further strengthened through independent testing expertise. A sustainable risk-based test plan informed by customized threat modeling and conducted by qualified third parties can reinforce durable security and build credibility with key stakeholders. As the SolarWinds compromise highlights, testing and scanning should not be limited to the codebase alone. Comprehensive testing should seek to replicate threat behavior including unauthorized access to code repositories and other subversion techniques.
5. Refine national response protocols. In the absence of observed kinetic consequences publicly associated with the SolarWinds incident, the event can best be described as traditional espionage. With that in mind, national response considerations should focus on supporting government agencies and the private sector in identifying, containing, and remediating suspected breaches. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will have the primary Federal role in coordinating response efforts, although the sheer scale of such efforts could test the limits of CISA’s resources. U.S. Cyber Command’s National Mission Teams (NMT) can offer assistance in this effort[xxi] at the request of CISA via DSCA (Defense Support to Civil Authority); however, there are significant hurdles that have yet to be resolved that affect scalability and timeliness of response. Going forward, CISA-NMT engagement could benefit from a streamlined approval process as well as increased training and relationship-building between NMT personnel and CISA. This effort could enhance knowledge of standard operating procedures, improve activation time, and formalize funding mechanisms.
The SolarWinds compromise, like other recent software lifecycle attacks, demonstrates the tradecraft and impact of successful software supply chain subversion. This most recent incident will likely amplify calls for more thoughtful mitigation and comprehensive supply chain security commitments as well as the potential for robust government action.
For further information or questions, please contact David London (firstname.lastname@example.org) or Adam Isles (email@example.com) at The Chertoff Group.
[x] https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf; https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
[xii] See, e.g., https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf
[xx] https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f371; https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/