More than three months after the SolarWinds breach became public knowledge, the company is still working to determine what the initial access vector for the intrusion was, with three possible scenarios still under consideration.
When the investigation into the breach was in its early stages, SolarWinds specialists and outside forensics experts had more than a dozen theories on how the adversary first got into the company’s network last year. After several months of digging into the details of the intrusion, its after-effects, and the adversary’s tactics and movements, the company has narrowed it down to three possibilities: credential theft, spear phishing, or a vulnerability in a third-party application.
“We had as many as sixteen hypotheses. We have not been able to narrow it down to the last one,” SolarWinds CEO Sudhakar Ramakrishna said during a discussion Thursday on the breach, software security, and other topics.
“As for who did it, I think there’s enough commentary out there on that.”
Security researchers and federal government officials have attributed the SolarWinds breach and the subsequent intrusions at Microsoft, FireEye and other companies to a Russian actor. That much hasn’t been up for debate for some time. But the details of how the attackers first got into the SolarWinds network are still unknown. What is known, though, is what the attackers did after they got in: they moved laterally, eventually gained access to a build server for the company’s Orion software, and inserted a small backdoor (later named Sunburst) into the product during the build. Because the tampering happened inside the build pipeline rather than in the source repository, the trojanized update shipped with a valid SolarWinds code signature and made its way onto the systems of thousands of SolarWinds customers, though a much smaller subset of them are actually known to have been targeted by the attackers.
The operation was multifaceted and long-running and likely required months of planning and development. The sophistication of the operation is clear, but Ramakrishna said that level of expertise does not necessarily mean it was the work of a massive group of a thousand or more engineers and developers, as Microsoft officials have suggested.
“I don’t believe the sophistication is related to the number of people involved. You can have highly organized and sophisticated attacks with two orders of magnitude less than what’s been reported,” he said.
“Information and knowledge asymmetry has been more or less eliminated. You can write sophisticated software anywhere. This is a perfect example of that.”
As part of the response to the intrusion, SolarWinds has not only been looking at its internal security practices, but also at the way that it builds applications. Ramakrishna, who has a software development background, said the company is experimenting with a new process that uses multiple instances of the software build infrastructure rather than just one.
“Just as attacks are getting more sophisticated, we have to become smarter about how we design and build software as well. Instead of a single build system, we are running parallel systems through parallel chains so we want to establish software integrity through two or three pipelines,” he said.
“In other words an attacker will have to be right three different times. We want to get to a place where we build in a level of non-repudiation.”
Ramakrishna said the company has had discussions with officials from the Cybersecurity and Infrastructure Security Agency and other federal agencies about the approach and is planning to publish information on it at some point in the future.
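The gate that a parallel-pipeline scheme of the kind described above would need, as an added example rather than SolarWinds’ own process: each independent build environment compiles the same pinned source, and a release is accepted only if every pipeline produces byte-identical output. The toy build step, the sample source bytes, the injected “backdoor” string and the pipeline names are all constructed for illustration; `toy_build` stands in for a deterministic (reproducible) compiler, which is the property that makes this comparison meaningful at all.

```python
"""Gate a release on byte-identical output from N independent build pipelines.

Added example, not SolarWinds' own process. The toy build step, artifact
bytes and pipeline names are constructed for illustration.
"""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildResult:
    pipeline: str    # label of the independent build environment (assumed name)
    artifact: bytes  # bytes that pipeline produced from the same pinned source

    def digest(self) -> str:
        return hashlib.sha256(self.artifact).hexdigest()


def toy_build(source: bytes, injected: bytes = b"") -> bytes:
    """Stand-in for a deterministic compiler: same source -> same bytes.

    `injected` models code added by a compromised build host, which is
    exactly what a cross-pipeline comparison is meant to expose.
    """
    return b"ARTIFACT\x00" + source + injected


def verify_parallel_builds(results, required: int = 3):
    """Return (accepted, divergent_pipelines, audit_record_json).

    Acceptance requires at least `required` *distinct* pipelines and one
    unanimous digest. Unanimity, not majority vote, is the rule: if an
    attacker controls two of three builders, a majority check would bless
    the backdoored output and flag the honest builder instead.
    """
    names = [r.pipeline for r in results]
    if len(set(names)) != len(names):
        raise ValueError("duplicate pipeline names: builds are not independent")
    if len(results) < required:
        raise ValueError(f"need {required} independent builds, got {len(results)}")

    digests = {r.pipeline: r.digest() for r in results}
    by_digest = Counter(digests.values())
    accepted = len(by_digest) == 1

    # For triage only: name the pipelines outside the largest agreeing group.
    # This never decides acceptance, for the reason given in the docstring.
    plurality, _ = by_digest.most_common(1)[0]
    divergent = sorted(p for p, d in digests.items() if d != plurality)

    # Record every pipeline's claim so the decision can be audited later.
    # Real non-repudiation also needs each pipeline to sign its own digest
    # with a key the other pipelines do not hold; signing is out of scope here.
    record = {
        "accepted": accepted,
        "required_pipelines": required,
        "release_digest": plurality if accepted else None,
        "pipelines": digests,
    }
    return accepted, divergent, json.dumps(record, sort_keys=True)


# Constructed sample inputs for the demo below.
SOURCE = b"int main(void) { return 0; }"
BACKDOOR = b"/* beacon to attacker-controlled host */"


def demo():
    """Three honest builds pass; one tampered build out of three is rejected."""
    honest = [BuildResult(f"pipeline-{i}", toy_build(SOURCE)) for i in (1, 2, 3)]
    tampered = honest[:2] + [BuildResult("pipeline-3", toy_build(SOURCE, BACKDOOR))]
    ok_honest, _, _ = verify_parallel_builds(honest)
    ok_tampered, divergent, _ = verify_parallel_builds(tampered)
    return ok_honest, ok_tampered, divergent


if __name__ == "__main__":
    print(demo())
```

The two checks before the comparison matter as much as the comparison itself: a single compromised builder run three times produces three matching backdoored artifacts, so the pipelines must really be separate hosts with separate credentials, and fewer than the required number of results must fail closed rather than fall back to trusting whatever did build.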
The SolarWinds breach and the recent exploitation of four zero-days in Microsoft Exchange by attackers from China have reignited discussions in Washington and elsewhere about the possibility of retaliatory actions by U.S. offensive cyber teams. If that ever happens, it likely won’t be made public, and the issue, as always, is that offensive capabilities are not unique to any specific country. Some may be more capable than others, but the tools, tactics, and techniques are widely available and don’t generally require massive budgets. The area where investment and expertise can make an immediate and marked difference is in building more resilient and secure systems and applications.
“We should try to institute an arms race about building more secure systems. We can afford it and we can outspend our adversaries, so let’s do it,” said Gary McGraw, a software security expert and author of several seminal books on the topic.