Cybersecurity Blog | Ingalls Information Security

SolarWinds Orion: Cybersecurity Isn’t Software

Written by Jason Ingalls | Feb 11, 2021 5:00:00 AM
A Weapon of Epic Capability

The SolarWinds Orion software compromise has grabbed headlines like few other cybersecurity events in history. It will rank as one of the most serious security breaches of all time, and be studied as an early example of a supply chain insertion attack, performed as part of nation-state cyber espionage. It could have been much worse.


Had the Orion software backdoor been fully exploited and used to control the networks it managed, it could have resulted in a cyber weapon with disastrous impact. As it was, the weapon had the potential to shut down every network it was used in, or any network that depended on an Orion-managed network for availability. This wide blast radius is why CISA’s guidance to Federal agencies was so broad: essentially instructing all Federal agencies to remove the Orion product from any networks it was found in, treat those networks as compromised (“assume breach”), and follow incident response procedures.

Three Lessons from this Debacle

The following observations illuminate a problem we commonly see in the breach cases we are called on to manage: software alone cannot effectively defend against cyberattacks. People, process, and technology must all be integrated into any successful cybersecurity risk management strategy.

  1. Supply Chain Insertion Attacks Will Proliferate
    After observing such a spectacularly successful supply chain attack, other nation-states are surely now searching their target databases for the next “SolarWinds Orion” opportunity. They will look for a well-placed firm with typical, commercial-grade cybersecurity protection that can be defeated through fundamental trust relationships. These trust relationships exist because of the global software supply chain, and there are parts of it that almost any nation-state can access or create for itself. These targets of opportunity exist up and down the supply chains of nation-states and their adversaries alike. How do we protect and trust software that is sourced from every corner of the planet? Some solutions exist today, but they are not widely adopted and certainly aren’t required, even by the Department of Defense.

  2. Violation of Segregation of Duties In Software Creates A Juicy Target
    The SolarWinds Orion breach was a catastrophe that has taken a monumental effort to respond to across many Federal agencies. The computer networks that were known to have been compromised required from-the-metal-up rebuilds for rarely touched components like network devices, hypervisors, and other core infrastructure in datacenters and offices across the United States. Why would all this be required because a piece of software had an unauthorized backdoor?

    The reason is simple: SolarWinds Orion does pretty much everything related to the management and configuration of a computer network, from operating system patches and network device configurations to firmware versions and application configuration management. What do you use to rebuild a firewall’s configuration when the last configuration it used was provided by SolarWinds Orion? You must create a new one.

    If you are a moderately-well-funded intelligence operation, and you want to get a great return on investment, doesn’t it make sense to target software that is used by your adversary to manage everything under the sun? Would SolarWinds Orion have been as juicy a target to the Russian Federal Security Service (FSB) if it didn’t have such broad adoption by the U.S. Federal government? Did that adoption come because Orion solved so many different problems? These are rhetorical questions, but the root issue here is lack of segregation of duties, also known as SoD.

    When software is built in a way that violates the Principle of Segregation of Duties, it becomes a single point of failure. Instead, infrastructure management software, servers, and other components should support SoD by being used for only one specific purpose. SolarWinds Orion was marketed explicitly to help customers tackle many things at the same time. It was wildly successful at this, which may be one reason it was targeted.

  3. Cybersecurity Isn’t Software
    Software failed spectacularly at detecting, preventing, or correcting the SolarWinds Orion backdoor. FireEye, the cybersecurity experts who found this backdoor, spent untold amounts of labor investigating how versions of their attack emulation and penetration testing tools had turned up on a security research website, VirusTotal, when they had never been released. They discovered that they had been compromised because they allowed SolarWinds to manage a part of their infrastructure. Software that was trusted to provide checks at multiple points in the production and use of SolarWinds Orion failed to detect, prevent, or correct for the vulnerability or the intrusions that resulted.

    Software that presumably scanned the Orion source code failed to detect the addition of clearly malicious code that was inserted by humans over the course of months. Software designed specifically to detect malicious activity on US Government networks failed to detect the call-outs that the Orion server made to establish the backdoor link. Finally, software failed to detect the fact that attackers used the backdoor to gain access and steal (or “exfiltrate” in industry parlance) untold treasures from hundreds of sensitive computer networks.

It is reported that evidence sealed in the U.S. Federal court system was part of the data exposed. We can imagine the downstream effects resulting from unauthorized access to this trove of confidential information, and the potential for a U.S. adversary to recruit intelligence assets through coercion.

There is today an over-reliance on, and a false sense of security derived from, software technology that promises to do everything, to fix everything, and to replace people, process, and the other critical components of proper risk management. Cybersecurity is only as successful as the skilled people responsible for using a mature, functioning process to manage risk, with technology (including software) serving as one part of that risk management process.

We hope the SolarWinds Orion breach serves as a lesson that software alone does not make for good cybersecurity; it takes much more. To learn more about our layered approach to cybersecurity, download our defense-in-depth white paper.


About Ingalls

Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more, please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.


About the Authors
Jason Ingalls, CISA, CISSP
Jason Ingalls is an engineer-turned-entrepreneur who founded Ingalls Information Security in 2010. Prior to that, Jason was an Information Assurance engineer and Incident Responder for General Dynamics for 9 years. Jason's professional career in cybersecurity has been spent delivering solutions that reduce information technology risk. Jason leads a team of professionals who deliver information security services, with a core focus on providing technology-enabled services that scale and serving our clients as a trusted advisor for cybersecurity matters.

Janine Byas, SSAP
Ms. Byas is a cybersecurity consultant who has worked in the industry since 2017. She is an experienced Incident Handler and credentialed Security Awareness Professional (SSAP), has led multiple digital modernization initiatives in the government and nonprofit space, and is a communications expert.

Sarena O’Donnell, GSEC
Ms. O’Donnell is an experienced Information Security professional with over fifteen years’ experience developing, implementing, and maintaining cybersecurity programs in highly regulated environments. Ms. O’Donnell’s foundational background in Information Security and Technology Risk Management as the ISO of a $3 Billion Virginia-based bank has allowed her to understand the opportunity in making risk-based decisions that balance business objectives, security, compliance, and operational efficiency. Ms. O’Donnell currently provides virtual CISO, consulting, and auditing services to clients in the Department of Defense, Financial Services, and Healthcare industries. Ms. O’Donnell holds a Master of Business Administration with a focus in Information Security and holds the GIAC GSEC.