In December 2020, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a warning to U.S. agencies, including the departments of Homeland Security, State and Justice, that hackers had breached their computer systems. While it’s unclear how much government data hackers had made off with, the breach gave attackers the ability to steal information, execute files and disable IT systems.
What made the attack especially serious was less the source — cybersecurity experts point to members of a Russian hacking group — and more the vehicle they used to access IT systems. The hackers managed to hijack a popular IT monitoring and management tool, called Orion, from security software vendor SolarWinds. They found a way to insert malicious code into an Orion update, which was then distributed to SolarWinds customers.
The use of a “trusted agent” like Orion marks a significant new threat for federal agencies. Not only will they need to rewrite their cybersecurity playbooks to deal with novel threats, they must step up their practice of basic security hygiene to play better defense against many conventional threats.
Many organizations aren’t wasting time making changes: According to a DomainTools survey published in March, 20% of organizations, including government agencies, say they are already boosting their cybersecurity budgets as a result of the SolarWinds breach, and spending the additional funding on forensics tools, zero trust initiatives, and increased staffing for threat detection.
Close the patch gap
The first step in fortifying cyber defense, post-SolarWinds, is to get a better handle on the potential risks posed by trusted agents that have been granted access to an organization’s IT systems. The threat is so new that agencies lack good estimates of how many of these tools or systems the average agency has. Agencies need to evaluate the ones they’re using to see if the value they provide is worth the risk and eliminate or consolidate the ones that don’t, says Garret Grajek, CEO of YouAttest, a security compliance vendor.
“SolarWinds has shown us that we add these agents at our own peril,” he says.
Just as important, security experts say, is that agencies pay attention to security fundamentals.
Perhaps the most basic is patching vulnerabilities once they’re identified. SolarWinds has already released a set of software patches, issued a security advisory and provided users with a new digital code-signing certificate, which uses a cryptographic signature so customers can verify that a release genuinely came from the vendor. It almost goes without saying that the patches should be installed and kept up to date. But organizations also should make sure they have a comprehensive patch-management program in place for all devices that touch the Internet.
Be a better traffic cop
Once their systems are patched, government organizations — especially those hit with the Orion breach — should run malware detection tools to look for malicious code. In addition to scanning their own systems, agencies should also run Internet-wide searches for their own hostnames, says Bryson Bort, CEO of Scythe, a vendor of adversary-emulation systems. This would identify impostor hosts that are masquerading as the agency’s own website.
Another step would be to check the systems’ outbound network traffic for connections that don’t fit the standard traffic profile. Because the malware in the SolarWinds attack requires external Internet access for hackers to steal data, a connection that has a long response time could indicate it’s sending files to Russia, Bort says.
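As an added illustration of the outbound-traffic check Bort describes (this is not code from the article or from any vendor mentioned), the script below learns each host's normal outbound destinations, transfer sizes and connection durations from constructed flow records, then flags new flows that go to an unseen destination, stay open unusually long, or move unusually much data. Host names, addresses, the record layout and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (host, dst_ip, dst_port, bytes_out, duration_s)
BASELINE_FLOWS = [
    ("monitor01", "10.0.5.20", 443, 4_000, 2.0),
    ("monitor01", "10.0.5.20", 443, 5_200, 1.5),
    ("monitor01", "10.0.5.21", 443, 3_900, 2.2),
    ("monitor01", "10.0.9.9", 53, 200, 0.1),
    ("web01", "10.0.5.20", 443, 8_000, 3.0),
    ("web01", "10.0.5.22", 443, 7_500, 2.5),
]
NEW_FLOWS = [
    ("monitor01", "10.0.5.20", 443, 4_100, 1.8),           # fits profile
    ("monitor01", "203.0.113.77", 443, 9_000_000, 620.0),  # new dst, long, bulky
    ("web01", "10.0.5.22", 443, 7_700, 2.4),               # fits profile
    ("web01", "10.0.5.22", 443, 7_600, 900.0),             # known dst, long-lived
]

def build_baseline(flows):
    """Per host: known (dst, port) pairs plus median bytes_out and duration."""
    dests = defaultdict(set)
    nbytes, durs = defaultdict(list), defaultdict(list)
    for host, dst, port, b, d in flows:
        dests[host].add((dst, port))
        nbytes[host].append(b)
        durs[host].append(d)
    return {h: {"dests": dests[h], "bytes": median(nbytes[h]),
                "duration": median(durs[h])} for h in dests}

def flag_anomalies(flows, baseline, dur_factor=20, bytes_factor=100):
    """Return [(flow, reasons)] for flows outside their host's baseline.
    Multipliers on the host's median are assumed thresholds, not tuned values."""
    flagged = []
    for flow in flows:
        host, dst, port, b, d = flow
        base, reasons = baseline.get(host), []
        if base is None:
            reasons.append("unknown host")      # no profile to compare against
        else:
            if (dst, port) not in base["dests"]:
                reasons.append("new destination")
            if d > dur_factor * base["duration"]:
                reasons.append("long-lived connection")
            if b > bytes_factor * base["bytes"]:
                reasons.append("unusual outbound volume")
        if reasons:
            flagged.append((flow, reasons))
    return flagged
```

Running `flag_anomalies(NEW_FLOWS, build_baseline(BASELINE_FLOWS))` returns only the two suspicious flows, each with the reasons it tripped.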
Some agencies have even more basic work to do. CISA says some networks were compromised because the hackers guessed their passwords, suggesting the need for policies that require more complex passwords or the use of multifactor authentication. Since hackers frequently use “social engineering” techniques to persuade employees to turn over passwords or share sensitive information, investing in cybersecurity awareness training is also a must.
Cover all endpoints
Another important step is to reassess all endpoints where IT systems are vulnerable to attack. That includes an audit of all those who have administrative access to network systems, and an evaluation of the security protections on any sensors or other IoT devices tied to their networks, such as environmental and building sensors. Even the physical security of rooms with critical systems should be checked.
Longer term, agencies need to rethink how they collect, store and categorize the growing quantities of data they manage. That means segmenting data so that more stringent security controls can be placed on access to the most sensitive data.
The National Institute of Standards and Technology provides a useful Cybersecurity Framework to help organizations identify their most important data assets, says Adam Nichols, principal of the software security practice at cybersecurity vendor Grimm. (A 2017 executive order now requires federal agencies to develop a plan for implementing the framework.)
Guard critical assets
Agencies can also use threat modeling tools to identify critical assets and potential risks and “to make sure that the efforts are being spent on the most important things first,” Nichols says.
Protecting those assets isn’t a simple matter of adding another layer of access control, such as passwords, keycards or fingerprint readers, says Ani Chaudhuri, CEO of Dasera, a cloud data security vendor. The problem, he says, is that employees or contractors who have access to sensitive data can (inadvertently or intentionally) misuse that information. To combat that threat, agencies need to be able to monitor how that information is being used in real time.
“Many organizations think they can categorize data into buckets of sensitivity and then place the more sensitive data into a physical or logical location that has extra protections,” he says. “The only way organizations can truly protect sensitive data is to go beyond access control.”
In the end, the biggest shift required of government agencies may be changing their mindset. The best defense against the next attack is the knowledge it will happen—so agencies’ IT systems need to be designed, tested and run under that assumption. “Always assume the organization or agency will be breached,” says Scythe’s Bort. “The perimeter is dead.”