John Pescatore - SANS Director of Emerging Security Trends
SolarWinds, Building Implosions, and Supply Chain Security
This week's Drilldown is a bit different. Rather than focus on one or two items from the previous week, I'll focus overall on the SolarWinds compromise, which we have commented on in NewsBites, and drill down into the necessary short-term reaction and the long-term actions needed to prevent future damage from supply chain attacks.
Near term: DHS CISA has put out revised guidance on immediate actions, as have SolarWinds and Microsoft. If you used SolarWinds at all, by now you should have already gone through most, if not all, of these steps. Even if you have, the Summary of Required Actions in the CISA revised guidance is worth reviewing to make sure you were thorough.
Long term--supply chain security: Most information security professionals are familiar with the basic need to identify the crown jewels of the business in order to perform risk assessment. However, the crown jewels of the IT infrastructure are often overlooked.
When I worked for the U.S. Secret Service back in the 1980s, we handled bomb security during the advance work before a protectee visited or stayed somewhere. In one of the various explosives training classes the Secret Service sent us to, they described how building implosions are done. By analyzing and identifying the key support elements in a structure, a small amount of explosives (with proper timing) can be used to bring down enormous buildings.
The same is true for core elements of the IT infrastructure. While most programs focus on operating systems and key business applications that store sensitive business data or personally identifiable information (PII), the SolarWinds compromise points out that highly privileged IT applications and appliances are often overlooked. Network/system management systems, software development platforms and tools, load balancing appliances, and collaboration applications are examples of key support elements that attackers are going after to gain the building implosion effect.
Supply chain security is a complex topic, but if you’ve identified those key products in use and at risk, the old "If you put all your eggs in one basket, you have to really, really watch that basket" wisdom applies. In the SANS 2019 Top New Attacks and Threat Report, Johannes Ullrich, Dean of Research at SANS Technology Institute and Founder and Director of the Internet Storm Center, addressed related issues, with a focus on baseboard management controllers that have the same level of access.
Some high-level steps:
- Security analysts need to be involved in procurement decisions of any products or services with high levels of infrastructure access.
- All RFPs and contracts for critical infrastructure software should require evidence of current and ongoing testing of new releases for security vulnerabilities.
- Critical infrastructure software and appliances should be under continual monitoring and have regular threat hunting processes performed.