Solarwinds Hack: The Intersection of Cybersecurity and Third-Party Risk

6 minute read

March 2021

by Sophia Corsetti

The continuing fallout from the SolarWinds hack is creating a mashup of Cybersecurity Program Management stuffed inside of Third-Party Risk Management… Or is it Third-Party Risk Management stuffed inside of Cybersecurity Program Management? In either case, the more that the industry learns about the rippling impact of the SolarWinds hackthe more focus that is being applied to the intersection of Cybersecurity Program Management and Third-Party Risk Management. 

Let’s do a quick recap of the SolarWinds hack in plain English, and then we will get back to the mashup. 

The short version of the story: SolarWinds is a third-party provider of a very popular suite of IT management and monitoring products. The company’s website touts the fact that 425 of the U.S. Fortune 500 companies depend on the SolarWinds platform. SolarWinds is very popular with governmental agencies as well – their list of governmental agencies includes the Defense Department, NASA, Commerce Department, Treasury Department, Department of Homeland Security, the NSA and more. 

On December 8, 2020 one of SolarWinds’ customers, FireEye, reported that they were attacked by a highly sophisticated threat actor. FireEye is a very high-profile cybersecurity firm. Their in-house team of experts worked with the FBI and Microsoft to investigate the hack and the results were worse than anyone could have imagined: 

  • In the words of FireEye’s CEO, Kevin Mandia, the attack “was the work of a highly sophisticated state-sponsored attacker utilizing novel techniquesThis attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye.” The Cozy Bear hacking group, which U.S. authorities suggest gets backing from Russian state intelligence, likely performed the SolarWinds cyberattack. 
  • The attacker was very disciplined and only targeted two areas of FireEye’s enterprise – FireEye’s very powerful Red Team assessment tools that they use to test customers’ security and information pertaining to FireEye’s list of government customers. 
  • FireEye’s investigation determined that the attackers gained access by concealing sophisticated malware inside legitimate updates to SolarWind’s Orion IT monitoring and management software. The intrusion was detected in December of 2020, but the campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft.   

In summary, a state-sponsored attacker targeted SolarWinds not because of what they had…they targeted SolarWinds, because of who they were connected to. By embedding their malware inside of an officially signed and verified software update, from a ubiquitous Third-Party software provider like SolarWinds, the “Cozy Bear” hacking group has literally created a modern day “Trojan Horse.” Like the original “Trojan Horse,” this hack, which is being called “Sunburst,” has been VERY effective. SolarWinds says that roughly 18,000 companies downloaded the “trojanized” update, some were lucky and did not install it; most were not so lucky.  

Here is a partial listing of the companies and governmental agencies that have been infected by the “Sunburst” malware: FireEye, Microsoft, Cisco, VMWareIntel, Cox Communications, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, Digital Sense, the United States Department of Homeland Security, Commerce Department, and Treasury Department. The State Department, Pentagon, and the National Institutes of Health, were also reported as being affected. 

While some companies check vendors’ security through questionnaires or independent assessments, many others choose not to invest in the crucial process of vetting their suppliers/business partners. The SolarWinds attackers pounced on this, security experts say, weaponizing the firm’s scale as a provider of network-management tools to reach many victims and cause widespread confusion. 

“You can’t assume that [supply chains] defend themselves,” said Chris Inglis, former deputy director of the National Security Agency “That’s the principal failure that we’re observing in SolarWinds.” 

BUT WAIT, There’s MORE…

In a blog post dated December 17, 2020 Microsoft said its investigation led to the discovery of a second actor:

 “In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the company wrote. 

Now we get to the “Mashup 

According to Eric Parizo, Cybersecurity Operations at Omdia: The biggest takeaway from the SolarWinds cyberattack itself should be the importance of supply chain security.” 

“The reality in 2020 and for the foreseeable future is that every organization is only as secure as the weakest link in its supply chain,” Parizo said. “As SolarWinds has proven, one breach incident can cascade across the world with devastating effects. Unfortunately, these sorts of incidents involving third-party vendors, contractors, suppliers, service providers and the like have proven to be difficult to detect in advance, and impossible to prevent.” 

“In order for supply chain security to improve, it must happen at the security governance level. 

What does this mean for Cybersecurity, and Third-Party Risk Management? 

Is Cybersecurity just a component of Third-Party Risk Management? Is Third-Party Risk Management just another risk domain within Cybersecurity 

The reality is, that Cybersecurity and Third-Party Risk Management are simply two sides of the same coin; it is time the enterprise applies the same level of focus to both sides.  

Data breaches and Third-Party/Cybersecurity Risk 

This is not a new challenge. Headlines over the last few years are filled with major breaches caused by hackers accessing companies’ data through their third-party vendors. 

Seven years ago, attackers breached Target by using login credentials stolen from a company that provided HVAC services to the retailer. That breach should have been a wakeup call for enterprises and cybersecurity vendors to address the challenge of third-party cyber risk, but years later these types of incidents are becoming even more frequent. 

Last year, an unauthorized user gained access to data on 11 million Quest Diagnostics patients through the company’s partner debt-collection agency. Another bad actor accessed data on millions of Capital One credit card applicants through a misconfigured Amazon cloud container. 

Estimates indicate that around 60 percent of data breaches are linked to third parties, and we can expect that percentage to increase as more companies embrace digital platforms and new operating models that require sharing of data with partners and service providers. 

If CISOs continue to focus cybersecurity tools and resources exclusively within the company perimeter, they are fighting the wrong battle in an increasingly multi-front cybersecurity war. 

Elevating ThirdParty Cyber Risk to the C-suite and Making it a Board Imperative 

One of the most important things CISOs can do to put the appropriate focus on third-party cyber risk is to make it a corporate reputation issue requiring support and oversight from C-suite and Board executives. 

Along with the opportunities for greater innovation, productivity, operational efficiency and customer engagement, digital transformation has created new vulnerabilities across the enterprise – and beyond its borders – that could impact corporate reputation if exploited. 

With the average enterprise engaging with several hundred partners and other third parties, it’s not a question of “if” the data will be exposed, but of “when” and how much corporate reputation will suffer as a result of loss of trust. 

CISOs must get better at educating business leaders about these unintended consequences of digital transformation. The reality, however, is that 63 percent of CISOs don’t regularly report to their boards, according to a recent Ponemon Institute study. Worse, a stunning 40 percent of CISOs said they never report to their boards at all. This lack of connection and accountability at the C-suite and board level is a major problem. 

What Should CISOs Do? 

CISOs in 2021 must become stronger advocates for shifting from reactive to proactive cybersecurity postures. They must advocate for creating more resilient and cyber-aware cultures where cybersecurity is seen as everyone’s responsibility. 

CISOs should also start to align their investments in cybersecurity with the new reality that threats are more likely to materialize through third parties. 

That means not only assessing third parties for potential vulnerabilities but using new approaches and emerging cybersecurity tools in the market to identify actual data that a third-party can inadvertently expose.   

As the cybersecurity threat landscape continues to evolve, CISOs need a centralized platform to manage their third-party risk. ProcessUnity’s Cybersecurity Management platform is designed to help CISOs avoid disasters like the Solarwinds breach by arming organizations with robust tools for threat mitigation. To learn more about ProcessUnity’s Cybersecurity Management Platform, click here. 

 

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.