
SolarWinds breach: What can we learn about Third Party Risk Management?

A SolarWind that blows nobody any good.
The SolarWinds "Sunburst" supply chain attack is challenging security teams across the world. From a Vendor Risk Management perspective, it is already a time of soul searching, learning and improvement. We expect the situation to continue to develop over the coming days, weeks and months. However, this is what we at C2 Cyber think so far.
What happened?
Attackers inserted their malicious code into a SolarWinds Orion network management product software update, way back in March 2020. Customers that implemented the update gave the attackers access to their networks. The attackers used this access to steal credentials, reach more data and largely do as they pleased. Key targets were US Government departments, but any Orion user will have been at risk. FireEye is so far the other best publicised victim.
What do we know?
1. It was a complex attack.
The attackers are believed to have poisoned SolarWinds source code, so that all customers were infected when they updated the software. This is not a trivial thing to do, as most modern software development has strong technical and procedural controls to prevent it. How did the attackers circumvent SolarWinds software update code signing? Or did SolarWinds drop the ball around their source code commit procedure? Similar attacks in the past have gained access to the target environment using a Remote Access Trojan and then found ways to obtain the credentials of authorised users, which meant the attackers could modify the code as though they were an authorised developer. FireEye has stated that the trojanised component is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.

2. It was very stealthy.
The adversaries used highly developed technical measures. A two-week dormancy phase, steganography and minimal use of malware all helped the activity to masquerade as legitimate. This suggests that the aim was to covertly steal and use credentials rather than to disrupt. The backdoor delivered a stealthy malware dropper that does not leave traces on the disk. Luckily, FireEye went public when its red team tools were compromised. Otherwise, the bad actors could still be quietly working away within systems across the world.
What lessons can we already learn?
This supply chain attack emphasises the critical importance of supply chain risk management. But this was a highly sophisticated, targeted attack. It would be naïve to claim that using our service would have prevented your business being affected.

Luckily, the attack was clearly focused, both in the targets the attackers went after and in the proxy through which they chose to attack. The prevalence of the Orion software means that the attackers could have run amok through many other organisations had they chosen to. In reality, the damage that has been done in terms of stolen information may never be known.

But just because you don’t believe you are a target of Foreign Intelligence Services does not mean that you won’t be attacked in the same way in six months' time. The aftermath of the NotPetya virus in 2017, and even Stuxnet in 2010, showed how quickly resources, tools and techniques that start off being the province of nation state actors move into the broader world of organised crime within months. The success of this exploit suggests we will see many more examples. And even if none of your direct vendors uses the affected system, one of their critical third parties may.

The real lesson from these types of attack is that vendor risk management needs to be a holistic practice. Digital transformation has brought with it an exponentially complex supply chain risk – it is hard not to be inundated by third parties who all protect their networks in different ways and characterise their risks according to their own perspectives. Working with critical vendors so that you both have a common view of the risks is key. Collaborating and sharing concerns, intelligence and observations can be a catalyst for action with a mutual purpose. The real solution must be a long term, continuous, standardised VRM programme based on self-assessment, external monitoring, technology-led questionnaires, threat feed monitoring, and ever more collaboration between customer and supplier.
How do I prevent this from happening again?
The simple answer to this question is that although you can reduce the chances of it happening again, eliminating the risk is very difficult. Nation states and organised crime groups can access huge capabilities if they are confident that they will get a decent return on their investment. And in the case of headline-grabbing incidents like this one, we frequently see the boundaries between nation state sponsorship and organised crime execution being blurred.

However, now that the dust is settling, there are important lessons we can learn.

Risk is not binary
An attack like this is rare, and for the majority of us these most formidable adversaries have much larger and loftier goals in mind than finding out what our cash holdings were at the end of last month. If you look across the continuum of risk you will see its nature change from one extreme to the other. At the most sophisticated end (as is apparent in the SolarWinds attack) you have rare events that can be minimised but probably not completely avoided. At the other end of the spectrum you have the continuous, very real threats that are better understood, less sophisticated, and will impact regularly if steps are not taken to avoid them.

Beware focusing on the exciting but unlikely
This can create a fatalistic sense of inevitability. Some people may feel that they might as well give up on security in the face of adversaries who can just roll in and do as they please. Others might expend disproportionate levels of resource trying to prevent a recurrence of this type of attack, at the expense of the basics. Alternatively, it may create such a crushing sense of fear about the worst-case scenarios that it becomes difficult to maintain objectivity when developing plans and managing risks.

Prevent what you can
A degree of pragmatic realism and the application of an 80/20 approach is useful. The vast majority of third-party risks can be effectively managed – not eliminated, but managed. By having a broad programme in place to efficiently understand the risks, and remediate the issues that are aggravating them, it is possible to bring risk down to a tolerable level. This addresses the majority. But there is still the minority – the most sophisticated and unpredictable risks, where the cost to remediate will be too great. This cost may be in business disruption, the expense of the controls, or the inefficiency of bringing in house multiple services that would be better left outsourced.

Prepare for what you cannot prevent
This brings me to the final point. For those things you can't prevent, you had better prepare! Well-prepared contingency plans and playbooks, rehearsed and practised, with well-understood triggers to prompt their execution, can significantly reduce the impact when such events arrive. How quickly can you decouple, isolate or switch off a particular technology if it is found to have been compromised? Is there a way of building in some level of redundancy to reduce critical dependencies? These sorts of questions can help you to understand, and then implement, a reduced business risk exposure.
So, how can we use the SolarWinds breach to strengthen our approach to vendor risk?
I think there are a number of ways that the SolarWinds breach can be used to help:

1. Increasing awareness of third party risk across the business, illustrating that these risks are real.

2. Recognising that the first step towards managing the risks is understanding their nature, and the difference between those that can be materially remediated and those that can only be mitigated with contingency plans.

3. Focusing the VRM programme on the 80%, getting them to a tolerable level where the management burden trends down.

4. Using the increased business understanding of the residual extreme risks to develop the processes, plans and resilience-building capabilities that can be executed in the event that any of those risks materialise.