On Monday 19th April 2021, CIISec Nottingham, Derby and Leicester branch collaborated with BCS Nottingham and Derby to host a virtual event, “Sunburst – A New Dawn”.
The event was well attended by nearly 100 security professionals from both organisations. Chairs Paul Stevens on behalf of BCS and Colin Robbins on behalf of CIISec introduced their respective branches before the main event.
In December 2020, it was revealed that IT firm SolarWinds had been compromised by highly skilled threat actors who had modified its software by inserting malicious code known as Sunburst. This software was then supplied to a large number of SolarWinds’ customers, triggering a global and complex cyber incident.
The event reviewed the incident from three different perspectives: firstly an overview of the attack, followed by what it may mean for systems and software going forward, and finally, as administrators, what lessons we can take away to ensure we mitigate against future compromises.
Guest speakers were:
- George Glass – Head of Threat Intelligence at Redscan;
- Darren James – Product Specialist and Technical Lead at Specops Software;
- Sarah Knowles – Principal Security Consultant at Nexor.
George Glass began the discussion with a great insight into the timeline of events as summarised below:
Attacks like this are typically state-sponsored.
The initial attack actually began back in September 2019, when the threat actors gained their initial access into the SolarWinds environment. Once in, they were able to inject test code so that a trial run of the attack could commence. This took place between September and November 2019.
The Sunburst exploit itself was not deployed until February 2020. This is where the threat actors carried out the malicious code insertion into the SolarWinds Orion software.
On the 8th December 2020, FireEye reported their suspicion that they had been a victim of a nation-state attack, and on the 13th December 2020 they released a press update after the discovery that this was a supply chain attack via SolarWinds.
A day later, on the 14th December 2020, SolarWinds made an SEC filing stating that a cyber-attack had inserted a vulnerability within its Orion monitoring products.
On the 15th December 2020, a number of US government agencies released statements saying they believed they had also been breached. More events unfolded and further victims of the attack were reported between 17th and 19th December 2020.
On the 31st December 2020, Microsoft reported its source code had been breached but no code had been modified. On the 5th January 2021 the FBI/NSA/CISA released a statement stating that an Advanced Persistent Threat (APT) actor, likely Russian in origin, was responsible for most or all of the ongoing compromises.
Between 6th January and 24th February 2021, investigations took place along with US congressional hearings for Microsoft and FireEye. The SolarWinds Security Advisory issued further guidance to SolarWinds customers to enable them to tell whether they had been affected and what actions to take if so.
Following this summary, George pointed out that for the threat to sit undetected for this length of time takes skill and would require a large number of threat actors working together.
Darren James then gave an overview of what this may mean for systems and software going forward and what we can proactively review within our own organisations to learn from this attack, ensuring we have at least covered the basics in order to mitigate risk.
The SolarWinds attack challenges us to review our own security practices, especially those around the use of software. The scale of the attack, estimated at 18,000 SolarWinds customers, highlights that the level of compromise was unprecedented.
Darren asked those in attendance to consider whether they have updated all of their security controls and processes regarding patches, antivirus definitions, and Active Directory. He highlighted that it is key to review and update our own processes, then investigate and act on any irregularities discovered.
Looking ahead, he asked: “do we have processes in place to ensure we are conducting due diligence on all future software?”. We should be checking the security assurances made by the vendors we use and holding supporting documentation regarding their development process. Our supply chain must provide the same security assurance as our own organisations have in place.
The next speaker, Sarah Knowles, gave an overview from the viewpoint of an administrator, referencing the alarming number of breaches and attacks currently in the news. She made a great reference to the tweet sent by NCSC’s former Head, Ciaran Martin, shortly after the SolarWinds attack, in which he stated that a private company cannot be expected to take on a nation-state’s A team, and that governments must give all the support they can to protecting against a state-sponsored threat actor.
Sarah’s clear message was that the attack was highly sophisticated and came from a state-sponsored group with a lot of resources. She acknowledged that whilst it is impossible to remove all risk, we must continue to do the basics, such as ensuring all our virtual doors and windows are locked, again referencing Ciaran Martin when he stated he “did deal with lots of incidents where state-backed hackers had got into the equivalent of an unlocked car door”.
Risk assessments are a key component of reducing risk to a business. By first establishing your business security objectives, you can identify what and where your organisation’s crown jewels are. By reducing the likelihood of becoming infected, you help to reduce the impact of any attack.
Once risks have been identified, you can decide on which mitigations you will implement, and action these as required. Deploying defence-in-depth measures, whilst not directly preventing an attack, will make it more difficult for threat actors to access your systems.
However, Sarah stressed that risk assessments are not a one-off exercise; they are a cyclical process to ensure that any emerging threats are identified and controlled within our organisations.
Close the doors
In conclusion, all the speakers delivered really informative presentations with great takeaways. The overarching message that ran through all three was that defending against state-sponsored threat actors is extremely difficult, but if we do not ensure we are following and applying the basic security principles and processes whilst delivering defence in depth, then we are essentially leaving doors open for them to enter without challenge or detection.
Author Bio – Dawn O'Connor
Dawn O’Connor is an associate of Nexor with an extensive business background across different market sectors including retail, local and central government and law enforcement. She is a member of the Chartered Institute of Information Security and co-chairs the Nottingham/Derby/Leicester Branch. Dawn holds the Certificate in Information Security Principles and the ISO 27001 Foundation certification.