SolarWinds Cyber Attack

What is the SolarWinds cyber attack? SolarWinds, a significant player in the software sphere, suffered an attack that began in September 2019. As a result of the attack, over 18,000 SolarWinds customers ended up installing updates containing malicious code. Hackers used it to steal customer data and then spy on other organizations.

The SolarWinds cyber attack has been explained from the perspective of the vendors affected, but here’s a look at its process, lifecycle, and global impact.

The SolarWinds assault was a typical supply chain attack. In these kinds of hacks, the attackers don’t go after their victims’ networks directly. Instead, they penetrate the system of a third-party supplier with access to their targets’ network assets. In this case, the third-party supplier was SolarWinds.

Many of SolarWinds’ customers use a system called Orion, which is a performance monitoring solution that tracks the status of SolarWinds' Orion customers. It has privileged access to gather performance data and other information from logs generated by customer IT assets.

This made SolarWinds an ideal target for hackers who successfully gained access to several thousand companies' networks.

The SolarWinds cyber attack timeline stretched out over six months, during which time the hackers patiently and systematically executed their hack. Here are the most critical milestones in the attack:

• In September 2019, hackers were able to access the SolarWinds network.
• They started testing their code injection in Orion in October 2019.
• About four months later, they injected malicious code called Sunburst into Orion.
• On March 26, 2020, SolarWinds began distributing Orion updates that contained the hackers’ malicious code.

The malware spread as thousands of SolarWinds customers installed the malicious code in the hacked update. Once on a victim’s system, the malware gave hackers access to customer IT systems. At this point, the attackers could install more malware, which enabled them to spy on additional organizations.

By taking a proactive stance regarding how you audit system performance, use data loss prevention tools, and double-check the effectiveness of security systems, you can greatly reduce the chances of a similar supply chain attack impacting your organization. For example, you can do the following.

A SIEM system works by examining IT logs and looking for anomalous activity that could pose a threat. A SIEM system is, for many organizations, one of the fastest ways to detect a hack. This is because when you feed system logs into the SIEM, it can identify:

• Changes in how your network operates
• Unusual data movement
• Unsafe user behavior
• The presence of unauthorized users

Here are two examples:

• If a server on your company’s network suddenly starts sending out many gigs of data every minute, a SIEM solution could detect that kind of activity, trigger an alert, and pinpoint where it was happening. Then IT admins could immediately take steps to shut down that server or disconnect computers, databases, or other internal resources that could be communicating with it.
• If a database contains proprietary company blueprints, videos, photos, and other sensitive intellectual property, your SIEM could detect the abnormally large movement of data and enable IT staff to put a stop to it.

An Active Directory monitoring system inspects elements of your network and their activity, auditing what’s happening in real time. This way, if something out of the ordinary happens, the system can detect it.

You can use this information to both stop attacks as they happen and prevent future incidents. For example, by looking at the audit data produced immediately before and during an attack, you can identify the malicious behavior that occurs during that kind of hack. You can also pinpoint the systems that type of hack tries to take advantage of. With this data in hand, security teams can install tools, such as firewalls and web application firewalls, that safeguard the exact components and network segments hackers like to target.

Penetration testing is a powerful tool, not just because it lets you know whether your system is vulnerable to different kinds of attacks, but also because it comes with a full report on the overall health of your network. In addition, a comprehensive penetration test can predict the kinds of attacks your system and its assets are most likely to experience.

If you outsource your system's monitoring to a third party like SolarWinds, a penetration tester can provide a detailed outline of the types of attacks that could try to take advantage of that partnership. In addition, a penetration test can also give you a full report on other third-party relationships that could expose you to supply chain attacks, such as those that require you to share customer data outside your internal network.

With a data loss prevention (DLP) system, you can easily catch and stop an exfiltration attack and attempts at unauthorized access. For some organizations, DLP solutions can be problematic because they’re so sensitive that they trigger many false alerts. However, you can create a system that filters out the least significant alerts, surfacing those that may pose the most imminent threats. In this way, you reduce alert fatigue while also safeguarding your assets.

For instance, if your DLP sends alerts every time someone enters the wrong password, you can add an extra parameter, such as a geolocation factor, to fine-tune your alert system. For example, you can design your system to prioritize alerts that come from three or more errantly entered passwords—but also those made from IP addresses many miles away from where the authentic user typically logs in.

Regardless of how you use your DLP, the most important thing is to never completely ignore something suspicious. If a SolarWinds-style attack resulted in stolen login credentials, for example, the rules your DLP uses can serve as a powerful first line of defense. You can tune them according to many different parameters.