Supply Chain Hacks: Fallout from a nation-state-backed attack


By Jesse Wilson, CISSP, Sr. Security Engineer —

Two weeks have passed since the discovery of Sunburst (https://us-cert.cisa.gov/ncas/alerts/aa20-352a), an exploit so vast it likely will become the biggest breach in history – at least to date. Government agencies and private businesses alike are scrambling to detect indicators of compromise (IOCs), install patches and implement damage control measures. (https://cyber.dhs.gov/ed/21-01/)  

This event has turned the industry on its head. It is painfully clear we must work together in collaboration on the information superhighway to protect and defend each other as best we can. We can no longer merely suggest that security be integrated into the lifecycle of the business; we must demand it. Further, we must take the time to fully understand what is going on with the ones and zeros on our networks.

I recently had a conversation with a customer who couldn’t understand why they were targeted in a ransomware attack. The simple fact is we are all targets any time we connect our networks to the internet. We are always being scanned by someone or something. If you doubt this, go check your firewall logs — I am confident you will see port scans, probes and exploits. Hopefully, those exploits are being blocked.

Crossing your fingers and hoping you won’t be breached is not sound strategy. To combat pervasive and persistent threats, we must apply a serious, methodical defense in depth approach when designing the backbone networks that support our businesses.

Here are the basics of present-day cybersecurity: a next-generation firewall filtering traffic in all directions with that traffic being decrypted for inspection as appropriate, log retention of all connected devices and a means of correlation, an endpoint protection suite that applies advanced heuristics against the cyber kill chain, and backups (yes, backups should be a part of your security plan).

If this recent event can tell us anything, it is that the basics of cybersecurity no longer suffice. We need a hard shift to zero trust networking — the concept that even least-privileged access to information and network resources is extended only after granular examination proves that detailed and specific trust thresholds have been met by the requestor. Zero trust must be the new standard.

Few of us have the resources and capability to review logs for IOCs that pinpoint entry from March of 2020. This fact is a scary indicator that we are not prepared as an industry for this type of espionage. Like it or not, sophisticated supply chain hacks are the new norm. We must prepare for them — they are our reality.

At Structured, we do not practice security through obscurity. We develop real world plans, practices and procedures that help your organization to be better prepared for all the advantages and disadvantages of connectivity within a global community. We are also here to help those who need assistance building a more robust and cyber-resilient network. And, if you are among those who have suffered a breach, please know we can help you along your road to recovery.

In the meantime, if you want to do a little reading on your own, here are a few good cybersecurity product guides in relation to Sunburst:

Fortinet: https://www.fortiguard.com/threat-signal-report/3770/supply-chain-attack-on-solarwinds-orion-platform-affecting-multiple-organizations-worldwide-apt29

Palo Alto Networks: https://autofocus.paloaltonetworks.com/#/tag/Unit42.SUNBURST

Check Point: https://blog.checkpoint.com/2020/12/21/best-practice-identifying-and-mitigating-the-impact-of-sunburst/     

CrowdStrike: https://www.crowdstrike.com/blog/identity-security-lesson-from-recent-high-profile-breaches/

Cybereason: https://www.cybereason.com/blog/the-solarwinds-supply-chain-attack-and-the-limits-of-cyber-hygiene

Varonis: https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/