Flash Read: ’Tis the season to audit the supply chain

December 17, 2020
Aaron Towlson

We were supposed to be winding down for the holidays. Then again, maybe we suspected that 2020 had one last gut-punch for us. Thanks, ‘SUNBURST’.

‘SUNBURST’ is what FireEye is calling the recent cybersecurity attack that has government agencies scrambling, carried out by an unidentified agent FireEye refers to as ‘UNC2452’. FireEye, with barely contained awe, has described what it uncovered as “...some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust.” FireEye has published a full blog post on the attack, along with a GitHub repository on detection and neutralization. FireEye’s transparency and urgency in sharing what it discovered have earned plaudits in the cybersecurity community.

FireEye was the first company to detect a compromise in their own system. Once they’d identified the source as a SolarWinds software update, it became clear that this was a big one. Why? Because that same SolarWinds software update went out to hundreds of thousands of customers—including many top US federal agencies.

It’s a nefarious, evil-genius level attack. While gaining access through a classic Trojan Horse approach, the attackers were subtle, sitting within the tech stack and taking their time to learn what credentials were needed to access critical information. Once they’d identified targets and how to access them, they struck, using only the operations that enabled access to function in the first place. It’s ‘the butler did it’, except that the butler was possessed.

FireEye has characterized this attack as a problem in the Software Supply Chain (SSC). I’ve written about this problem previously with regard to open source software, but SaaS sprawl is turning this into a bigger issue. SolarWinds provides broad IT management software: the perfect tools for discovering access credentials. IT has to bring its security and risk management in line with every new vendor that makes up that SaaS ecosystem. Is each vendor doing everything it can to detect and treat vulnerabilities? Do you trust that new update? (Speaking of which, SolarWinds is urging customers to install their latest, presumably safe, update for the compromised Orion Platform software.)

In some ways, Christmas has come early for cybersecurity SaaS. Vendors are filling blog posts with all the ‘lessons learned’ which, strangely enough, are usually resolved by purchasing that vendor's particular threat detection tools. Paranoia pays, especially when that paranoia is justified.

What will this mean for cybersecurity in 2021? Will zero-trust finally rise to prominence? Do we need more AI/ML tools to detect those subtle differences in malicious behaviors that mimic normal protocols? One of the scarier aspects of the FireEye hack is that penetration test tools were stolen. If the enemy knows how we fight it, innovation may be key.

As details of the attack continue to accumulate like all those holiday chocolates, one thing’s for sure: this won’t be the last we hear of the SolarWinds breach this season.
