December 14th, 2020 • Category: Blog
By Dr. Wesley McGrew, Senior Cyber Fellow; w.mcgrew@martinfed.com
If it wasn’t already part of your intuition, then your career has probably taught you the saying (put mildly here) that when there’s trouble, “it rolls downhill.” The problems you deal with daily are often not of your creation, but they become your responsibility. Supply-chain vulnerabilities and breaches in cybersecurity work like this too. The Cybersecurity & Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise” (https://cyber.dhs.gov/ed/21-01/), which, if you work in cybersecurity at a federal agency, rolls some heavy information your way for a Monday morning.
This is what we call a supply-chain attack, where a product or service you rely on, such as a popular security monitoring product, falls victim to a breach, and that access is leveraged by the attacker to compromise you. SolarWinds Orion is a widely used platform for managing network assets and monitoring their logs, traffic, and configuration. From March to May of 2020, updates for SolarWinds Orion had backdoors inserted into the code by an advanced persistent threat (Russian foreign intelligence—SVR—according to sources that spoke to the Washington Post).
Even if you implement best practices of hardening, testing, and monitoring on your network, supply-chain attacks should always be a concern. You have very little control over the code that goes into products you rely on, and you likely do not have the resources (or even the permission in your license) to comprehensively reverse-engineer and test every third-party or open-source product you deploy to your own network. You will have imperfect knowledge of, and trust in, the code in your organization, and all you can do is follow defense-in-depth: layer security around potential problems to reduce risk, and be ready to respond when something like this SolarWinds compromise happens.
Federal agencies are required to act on the direction given by CISA, with exemptions for systems defined as “national security systems” and for those operated by the Department of Defense and the Intelligence Community (presumably, these actions and more are being taken there). Even if you’re not in the federal space, it’s good guidance. Here are the main points, summarized and discussed:
You can’t eliminate supply-chain threats, but you can prepare to detect and respond to incidents involving them. Based on the recommended response actions, think about what you need to have in place:
Supply-chain attacks can and will happen, and while the fault may not be with you or your organization, the responsibility for responding to the attack (or the potential for one) will be yours. Without preparation, aspects of your response, recovery, and investigation will suffer from a lack of resources. For many organizations, it’s expensive and inefficient to keep staff and resources on hand full-time to execute all of this (or test for the potential issues in the first place). Build relationships and agreements with vendors ahead of time to test, prepare, monitor, and respond to supply-chain attacks. Maintain awareness and capability so that “surprise” is short-lived, and work can begin to secure your networks.