Re-read your post again. You have simplified the attack and distilled it down to the point where you are losing the fidelity needed to evaluate the attack in its entirety.
SolarWinds was advised well over a year ago that its systems development and management practices were as porous as the proverbial screen door. Company management processes were pretty much non-existent, especially for a security products development company that has a large fanout effect. One of the simplest identified deficiencies was that the password on SolarWinds' update server was accessible by using the password "solarwinds123" in late 2019. This was just one illustration - there were others. Using NIST 800 for example, specifically 800-53, there are 20 families of controls, of which only 4 are technical in nature. Having management - especially C-level leadership - dialed in is of particular importance. Without having the entire leadership stack understanding security, you (and your products) become just an expensive infection path for your customers.
Yes, the delivery mechanism was the SolarWinds update process via their server; however, SolarWinds did not service the infection's command and control backhaul path. The backhaul was from the infected systems back through the target company's infrastructure (not through SolarWinds' infrastructure). One of the main problems is having the targets actually understand what their nominal loading and bandwidth interactions are - such that they are able to recognize non-normal connections and traffic patterns (both size and direction). Also, within the target's system design, they relied too much on SolarWinds' product suite and did not mitigate their overall attack surface, with little if any defense-in-depth architectural components and practices. Additionally, SolarWinds did not design any internal defense in depth and orthogonal mitigations within their product's architecture. The use of homogeneous products is also an architectural design problem (both within SolarWinds and their customers' architecture and system design). Utilizing defense in depth in an orthogonal, non-homogeneous manner through a set of products and services provides a better mitigation than the traditional layering approach.
The main overall problem is designing an architecture such that it provides a reasonable level of protection without crippling the system to the point that useful work is not able to be done, and the overall administration & maintenance of the system is affordable and efficient - while rendering the necessary level of security.
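The "know your nominal loading so you can recognize non-normal connections (both size and direction)" point above, as an added illustration that is not the poster's own code or any SolarWinds material: a small baseline-and-deviation check over constructed flow records. The internal ranges, host addresses and byte counts are assumed sample values.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    src: str        # host that initiated the connection
    dst: str        # host it connected to
    out_bytes: int  # bytes sent from src to dst


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per initiating host, its usual peers and its largest outbound transfer."""
    baseline = defaultdict(lambda: {"peers": set(), "max_out": 0})
    for f in flows:
        b = baseline[f.src]
        b["peers"].add(f.dst)
        b["max_out"] = max(b["max_out"], f.out_bytes)
    return dict(baseline)


def find_anomalies(baseline, flows, factor=3):
    """Return (flow, reasons) for flows that break the learned pattern in direction, peer or size."""
    findings = []
    for f in flows:
        reasons = []
        b = baseline.get(f.src)
        if b is None:  # direction: this host only ever answered connections before
            reasons.append("direction reversal: host never initiated a connection in baseline")
            b = {"peers": set(), "max_out": 0}
        if f.dst not in b["peers"] and not is_internal(f.dst):
            reasons.append("new external destination")
        if b["max_out"] and f.out_bytes > factor * b["max_out"]:
            reasons.append(f"outbound volume {f.out_bytes} > {factor}x baseline max {b['max_out']}")
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed baseline window: a monitoring server polls internal devices with small transfers,
# and a workstation talks to the monitoring server; devices only ever answer.
BASELINE_FLOWS = [Flow("10.0.5.20", f"10.0.1.{i}", 4_000 + 500 * i) for i in range(1, 6)]
BASELINE_FLOWS.append(Flow("10.0.9.7", "10.0.5.20", 900))
# Constructed later window: one routine poll, one large upload to an outside address from the
# monitoring server, and a polled device that suddenly initiates its own external connection.
NEW_FLOWS = [
    Flow("10.0.5.20", "10.0.1.3", 5_200),
    Flow("10.0.5.20", "203.0.113.45", 4_800_000),
    Flow("10.0.1.3", "198.51.100.9", 200_000),
]

if __name__ == "__main__":
    for flow, why in find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(flow, "->", "; ".join(why))
```

The baseline here is a simple peer set and maximum; in practice it would be learned per host over a representative period and re-evaluated as the environment changes.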
That's all very well and good, but you are expanding the scope of the discussion greatly to things like how SW's deployment mechanism was hacked and bad internal defense within a network compounds the issue. While those things are fair points in a vacuum, they weren't the point of the article, nor were they the point I was making.
Son, listen up - from the original article...
>The massive cyberattack was conducted using servers and computers within the U.S. and often from within the same town or city as the victims of the attack, FireEye told The New York Times. Because the attack came from domestic servers, the perpetrators were able to evade the National Security Agency’s (NSA) authority, which does not extend to domestic private sector networks.
If you are an intruder, as indicated in my initial post, you are going to make it look like a local connection. To connect from a foreign location you might as well march a band through the front door. The NSA has domestic authority - it's the CIA who has a prohibition on domestic activity. The article is very misinformed. And, there were many levels of connections - both at SolarWinds (into the development servers), which served as the basis for the distribution of the trojan, and from the victims' systems back out to the command & control networks for backhaul of the take.
>“[Russia’s Foreign Intelligence Service (SVR)] is deliberate, they are sophisticated, and they don’t have the same legal restraints as we do here in the West,” former government intelligence analyst Adam Darrah told The Times.
Anyone with access to Vault 7 (which is anyone and everyone on the web) has enough information (even utilities) to make their fingerprints appear to be Russian, Chinese, NorKn, Pak, Israeli, Iranian, French, German or whoever you wish to impersonate (right now the only innocent ones are the Native Americans). To call out the SVR is probably a bit premature. Just remember with Clinton's email server - there were no foreign hacks - well, a couple of years later it came to light that EVERYONE was linked into her email one way or another (they were stumbling over one another - trying to avoid each other's hacks - to the point of needing hack management) - the only ones NOT reading her email were the American voters.
My second post was spot on, since folks similar to yourself have little demonstrated appreciation (folks - you gotta think out of the box here on this stuff) for the overall systemic problem illustrated by this type of attack. Perhaps that's why I have (yet another) conference call in a couple of minutes on just this exact topic. Even though I'm retired, I keep getting sucked in (their idea, not mine) to bring some external clarity to the situation.