
About the author: Occupational hacker David “Moose” Wolpoff is the CTO and co-founder of Randori, a company that builds an automated red team exercise platform.

In the security industry, attention is on the news of the hacking attack on FireEye and the supply chain attack on SolarWinds, and on the announcement that several government agencies, such as the US Treasury and the US Department of Homeland Security, have been hacked (at least partly because of it).

These attacks are a reminder of the reality that “no one is immune to risk and hacking.” There is no doubt that both FireEye and SolarWinds take security seriously. But every company is subject to the same reality: “security breaches are inevitable.”

I judge these attacks not by “whether someone was hacked” but by “how much effort the attacker had to spend to achieve a successful breach.” I’ve heard that FireEye’s focus on protecting sensitive tools and access forced the Russian hackers to put in a surprising amount of effort to break in.

FireEye’s commitment to security is evident in how quickly it moved to release countermeasure tools. The attack on SolarWinds had an immediate and enormous impact, but I will refrain from commenting on SolarWinds until the details of the entire attack are known. A breach across the supply chain is a very rare case, but such breaches will continue.

That said, this news isn’t surprising to me. Security companies are the number one target for attackers, and a nation-state like Russia will do anything to thwart FireEye’s ability to protect its customers. FireEye is a good target for espionage because it has built relationships of trust with many corporate organizations. With a large number of government and large-enterprise customers, SolarWinds is an ideal target for attackers looking to maximize their reach.


Image Credit: David Wolpoff

Once Russian hackers had compromised SolarWinds, they were able to break into many of the company’s key customers. This is neither the first nor the last time an attacker with nation-state backing has attacked the supply chain.

For large security companies, this attack is a good occasion to rethink the credibility of, and the trust placed in, technology solutions. Such a breach is a reminder that this trust carries an invisible danger: organizations can suffer enormous harm from risk accumulated through providers that, by and large, do not apply appropriate risk mitigation.

One should ask, “What if a managed security service provider (MSSP), security vendor, or technology vendor is compromised?” Instead of looking only at the SolarWinds hack, you should review every vendor that can push updates into your environment.

There is no tool that can never be compromised.

You need to assume that every vendor in your environment, FireEye and SolarWinds included, will eventually be compromised. If one of them fails, ask: “Is the rest of the system sufficient? Is the organization resilient?”

Do you know what your backup plan is in the event of a failure?

If a security program relies heavily on FireEye (that is, FireEye is the primary security platform), then the implementation, execution, and auditing of that program are effectively left to FireEye itself, and management needs to accept that.

Organizations often purchase a single security solution to cover multiple functions such as VPN, firewall, monitoring, and network segmentation. In that case, however, you have a single point of failure: if that device stops working (or is hacked), the entire environment fails.

From a structural point of view, once something like SolarWinds becomes an entry point, it is difficult to prevent widespread impact. Trusting SolarWinds’ Orion platform, which communicates and works with everything in the environment, means accepting the risk of assuming that “there will be no such breach.” Whenever I consider using a tool (or service), I ask myself “how will I know if it breaks down or is hacked,” and what I would do about it.

Sometimes the simple answer is “insurance,” but more often I think about other ways to get a signal to the defenders. If SolarWinds becomes an intrusion route like this, is there a mechanism by which something else in the stack can signal the defender that the network is sending traffic to Russia?
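One concrete shape for such a signal, as an added example that is not from the original article: an egress allowlist for a high-trust management host, checked by something outside that host (a flow log or firewall) over constructed flow-log lines. The host name, address ranges and log format are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed egress policy (hypothetical host name and ranges): a management
# platform should only reach its vendor's update service and the internal
# estate it manages. Any other destination is a signal for the defender.
EGRESS_POLICY = {
    "orion-mgmt": [
        ip_network("203.0.113.0/24"),  # constructed: vendor update service
        ip_network("10.0.0.0/8"),      # constructed: internal managed estate
    ],
}


@dataclass
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src_host> <dst_ip> <dst_port> <bytes_out>'."""
    host, dst, port, nbytes = line.split()
    return Flow(host, dst, int(port), int(nbytes))


def unexpected_egress(lines, policy=EGRESS_POLICY):
    """Return (host, dst_ip, port, bytes) for flows where a policed host reached a
    destination outside its allowlist. Hosts without a policy are ignored."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        allowed = policy.get(flow.src_host)
        if allowed is None:
            continue
        dst = ip_address(flow.dst_ip)
        if not any(dst in net for net in allowed):
            alerts.append((flow.src_host, flow.dst_ip, flow.dst_port, flow.bytes_out))
    return alerts


# Constructed sample: two expected flows, one beacon to an unlisted external
# address from the management host, and one unrelated host with no policy.
SAMPLE_FLOWS = [
    "orion-mgmt 203.0.113.10 443 1200",
    "orion-mgmt 10.20.30.40 161 300",
    "orion-mgmt 198.51.100.77 443 48000",
    "laptop-17 198.51.100.77 443 500",
]

if __name__ == "__main__":
    for alert in unexpected_egress(SAMPLE_FLOWS):
        print("ALERT unexpected egress from trusted host:", alert)
```

The check deliberately lives outside the vendor platform, so it still fires when the platform itself is the thing that has been subverted.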

Building a fault-tolerant security program is not easy; in fact it is a very hard problem. It has been proven many times that there is no perfect product or vendor. Controls must be stacked in multiple layers. I would like you to examine every “what could happen” scenario. Organizations that focus on defense in depth and forward defense will have greater resilience. To keep important data from falling easily into Russia’s hands, measures must be taken so that hackers have to get past many chances to fail before reaching what they want.

Given what is probable and what is possible, it is very important to have a management system in place that prevents accidental changes to basic security. The principle of least privilege should be standard, and segmentation into many zones should be used to prevent rapid lateral movement. You should also begin responding to attacks on the basis of monitoring and alerting. If an abnormal deviation occurs, a failsafe must be activated. Conduct a red team exercise (a test that carries out a realistic attack to verify the effectiveness of security measures) to see how well you stand up to an attack, and learn from the mistakes.

The impact of the breach on FireEye has received a lot of attention. In fact, Russia already has tools equivalent to FireEye’s. Experts may want to make a big deal about the tools themselves, but it does not seem that this will be a repeat of what happened in 2017 when the US National Security Agency (NSA) tools leaked.

The exploits leaked from the NSA were very good and were readily usable by adversaries. The exploits were also used for hacking by The Shadow Brokers, temporarily putting the industry at greater risk than before. However, those exploits are different from the rootkits and malware stolen from FireEye this time. In FireEye’s case, information about zero-day vulnerabilities and exploits for them do not appear to have been stolen, so it is unlikely that this breach will cause a huge shock wave.

Such large-scale breaches will continue to occur. If your organization needs to be highly resilient to a breach, it’s a good idea to prepare for one now.
