SolarWinds Orion: Cybersecurity Isn’t Software

A Weapon of Epic Capability

The SolarWinds Orion software compromise has grabbed headlines like few other cybersecurity events in history. It will rank as one of the most serious security breaches of all time, and be studied as an early example of a supply chain insertion attack, performed as part of nation-state cyber espionage. It could have been much worse.

Read about our defense-in-depth approach to information security through our Managed Detection and Response (MDR) services.

Had the Orion software backdoor been fully exploited and used to control the networks it managed, it could have resulted in a cyber weapon with disastrous impact. As it was, the weapon had the potential to shut down every network that it was used in, or any networks that trusted Orion-managed networks for availability. This wide blast radius is why the CISA’s guidance to Federal agencies was so broad: essentially instructing all Federal agencies to remove the Orion product from any networks they were found in, assume those networks were compromised, “assume breach”, and follow incident response procedures.

Software alone cannot effectively defend against cyberattacks.

Three Lessons from this Debacle

The following observations illuminate a problem we commonly see in breach cases we are called on to manage: software alone cannot effectively defend against cyberattacks. People, process, and technology must all be integrated into any successful cybersecurity risk management strategy. 

1. Supply Chain Insertion Attacks Will Proliferate
   After observing such a spectacularly successful supply chain attack, other nation-states are surely now searching their target databases for the next “SolarWinds Orion” opportunity. They will match the data necessary to identify a well-placed firm with typical, commercial-grade cybersecurity protection that is defeated via fundamental trust relationships. These trust relationships exist due to the global software supply chain, and there are parts of it that almost any nation-state can access or create themselves. These targets of opportunity exist up and down nation-states’ and their adversaries’ supply chains. How do we protect and trust software that is sourced from every corner of the planet? Some solutions exist today, but are not widely adopted and certainly aren’t required, even by the Department of Defense.
   
   
2. Violation of Segregation of Duties In Software Creates A Juicy Target
   The SolarWinds Orion breach was a catastrophe that has taken a monumental effort to respond to across many Federal agencies. The computer networks that were known to have been compromised required from-the-metal-up rebuilds for rarely touched components like network devices, hypervisors, and other core infrastructure in datacenters and offices across the United States. Why would all this be required because a piece of software had an unauthorized backdoor?
   
   The reason is simple: because SolarWinds Orion software does pretty much everything related to management and configuration of a computer network from Operating System patches, network device configurations to firmware versions and application configuration management.What do you use to rebuild a firewall’s configuration when the last configuration that it used was provided by SolarWinds Orion? You must create a new one.
   
   If you are a moderately-well-funded intelligence operation, and you want to get a great return on investment, doesn’t it make sense to target software that is used by your adversary to manage everything under the sun? Would SolarWinds Orion have been as juicy a target to the Russian Federal Security Service (FSB) if it didn’t have such broad adoption by the U.S. Federal government? Did that adoption come because Orion solved so many different problems? These are rhetorical questions, but the root issue here is lack of segregation of duties, also known as SoD.
   
   When software is built that violates the Principle of Segregation of Duties, it becomes a single point of failure. Instead, infrastructure management software, servers, other components should support SoD by only being used for one specific purpose. SolarWinds Orion was marketed explicitly to help customers tackle many things at the same time. It was wildly successful at this, which may be one reason it was targeted.
   
   
3. Cybersecurity Isn’t Software
   Software failed spectacularly at detecting, preventing, or correcting the SolarWinds Orion backdoor. FireEye, the cybersecurity experts who found this back door, spent untold amounts of labor investigating how versions of their attack emulation and penetration testing tools were found on a security research website, VirusTotal, when they’d never been released. They discovered that they had been compromised because they allowed SolarWinds to manage a part of their infrastructure. Software that was trusted to provide checks at multiple points in the production and use of SolarWinds Orion failed to detect, prevent, or correct for the vulnerability or intrusions that resulted.
   
   Software that presumably scanned the Orion source code failed to detect the addition of clearly malicious code that was inserted by humans over the course of months. Software designed specifically to detect malicious activity on US Government networks failed to detect the call-outs that the Orion server made to establish the backdoor link. Finally, software failed to detect the fact that attackers used the backdoor to gain access and steal (or “exfiltrate” in industry parlance) untold treasures from hundreds of sensitive computer networks.
   
   

It is reported that evidence sealed in the U.S. Federal court system was part of the data exposed. We can imagine the downstream effects resulting from unauthorized access to this trove of confidential information, and the potential for a U.S. adversary to recruit intelligence assets through coercion.

There is today an over-reliance on, and false sense of security derived from, software technology that promises to do everything, to fix everything, and to replace people and process, and other critical components of proper risk management. Cybersecurity is only as successful as the skilled people responsible for using a mature, functioning process to manage risk, and the use of technology (including software) as one part of that risk management process. 

We hope the SolarWinds Orion breach serves as a lesson that software alone does not itself make for good cybersecurity; it takes much more. To learn more about our layered approach to cybersecurity, download our defense-in-depth white paper. 

About Ingalls

Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.