
The hackers behind the major cyberattack against several federal government agencies used computers within the U.S., according to the cybersecurity firm FireEye.

(post is archived)

[–] 2 pts

The article is ok as far as it goes. That said, most (if not all) companies monitor where the connection originates. For example, if you have no customers in India, you might as well reject any Indian connections. This reduces your attack surface. If you are a hacker, you are going to connect to a "local"/domestic PC (either via a VPN - virtual private network - or just hack someone's system) and hop through them. You are not going to expose where you are in this kill chain. If someone is going to whack you, you want to have some cover.

The article makes it sound very sinister to use a local connection so as to get around NSA monitoring. The NSA does not care, they monitor everything - and it's the CIA who has the legal prohibition in terms of not operating within the US - not the NSA.

[–] 0 pt

You misunderstand how this particular attack occurred. This was executed via a trojan horse installed in compromised SolarWinds patches. And thus the connection originated from the local SolarWinds ecosystem inside each company. The servers they are talking about are the Sunburst destination servers that each company's SolarWinds reached out to.

The only way to catch that is to have endpoint management on all OUTBOUND connections. Which a great many companies do not have.

[–] 0 pt

Re-read your post again. You have simplified the attack and distilled it down to the point where you are losing the fidelity needed to evaluate the attack in its entirety.

SolarWinds was advised well over a year ago that its systems development and management practices were as porous as the proverbial screen door. Company management processes were pretty much non-existent, especially for a security products development company that has a large fanout effect. One of the simplest identified deficiencies was that SolarWinds' update server was accessible by using the password "solarwinds123" in late 2019. This was just one illustration - there were others. Using NIST 800 for example, specifically 800-53, there are 20 families of controls, of which only 4 are technical in nature. Having management - especially C-level leadership - dialed in is of particular importance. Without having the entire leadership stack understanding security, you (and your products) become just an expensive infection path for your customers.

Yes, the delivery mechanism was the SolarWinds update process via their server; however, SolarWinds did not service the infection's command and control backhaul path. The backhaul was from the infected systems back through the target company's infrastructure (not through SolarWinds' infrastructure). One of the main problems is having the targets actually understand what their nominal loading and bandwidth interactions are - such that they are able to recognize non-normal connections and traffic patterns (both size and direction). Also, within the target's system design, they relied too much on SolarWinds' product suite, and did not mitigate their overall attack surface, with little if any defense in depth architectural components and practices. Additionally, SolarWinds did not design any internal defense in depth and orthogonal mitigations within their product's architecture. The use of homogeneous products is also an architectural design problem (both within SolarWinds and their customers' architecture and system design). Utilizing defense in depth in an orthogonal, non-homogeneous way through a set of products and services provides a better mitigation than the traditional layering approach.

The main overall problem is designing an architecture such that it provides a reasonable level of protection without crippling the system to the point that useful work is not able to be done, and the overall administration & maintenance of the system is affordable and efficient - while rendering the necessary level of security.
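The two posts above make the same detection point: the beacons left the victim through the victim's own network, so the only place to catch them was in outbound flow data compared against what each host normally does. The following is an added example of that baseline check (it is not code from the thread or from any vendor); all host names, destinations and byte counts are constructed.

```python
"""Per-host egress baseline check (added example; all data constructed)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical outbound flows: (source_host, destination, bytes_out).
# In practice these would come from firewall, proxy or NetFlow exports.
BASELINE = [
    ("monitor-01", "updates.vendor.example", 120_000),
    ("monitor-01", "updates.vendor.example", 130_000),
    ("monitor-01", "updates.vendor.example", 125_000),
    ("monitor-01", "ntp.corp.example", 500),
    ("monitor-01", "ntp.corp.example", 520),
    ("monitor-01", "ntp.corp.example", 480),
]

# Constructed flows from a later window to evaluate against the baseline.
NEW_FLOWS = [
    ("monitor-01", "updates.vendor.example", 128_000),    # normal update
    ("monitor-01", "cdn-7f3a.placeholder.example", 9_000),  # never seen before
    ("monitor-01", "updates.vendor.example", 2_000_000),  # far above normal
    ("monitor-01", "ntp.corp.example", 500),              # normal
    ("workstation-99", "ntp.corp.example", 500),          # host has no baseline
]


def build_baseline(flows):
    """Map source_host -> destination -> list of observed outbound byte counts."""
    base = defaultdict(lambda: defaultdict(list))
    for host, dest, nbytes in flows:
        base[host][dest].append(nbytes)
    return base


def score_flow(baseline, host, dest, nbytes, z_threshold=3.0):
    """Return a short reason if the flow deviates from the host's baseline, else None."""
    host_base = baseline.get(host)
    if host_base is None:
        return "unknown source host"           # nothing to compare against: review
    if dest not in host_base:
        return "new outbound destination"      # the classic first sign of a beacon
    seen = host_base[dest]
    mu, sigma = mean(seen), pstdev(seen)
    if sigma == 0:                             # constant history: any change is new
        return None if nbytes == mu else "volume differs from constant baseline"
    z = (nbytes - mu) / sigma
    return f"outbound volume z={z:.1f} above baseline" if z > z_threshold else None


def find_anomalies(baseline, flows, z_threshold=3.0):
    """Return (host, dest, bytes, reason) for every flow that scores as anomalous."""
    hits = []
    for host, dest, nbytes in flows:
        reason = score_flow(baseline, host, dest, nbytes, z_threshold)
        if reason:
            hits.append((host, dest, nbytes, reason))
    return hits
```

Running `find_anomalies(build_baseline(BASELINE), NEW_FLOWS)` flags the unseen destination, the oversized update transfer and the host without history, while the two routine flows pass.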

[–] 0 pt

That's all very well and good, but you are expanding the scope of the discussion greatly to things like how SW's deployment mechanism was hacked and bad internal defense within a network compounds the issue. While those things are fair points in a vacuum, they weren't the point of the article, nor were they the point I was making.