Reflections on the latest big hack – in a security strategic context
By Henrik Christensen Lei, Director of Security and Identity at CTGlobal
Years ago, I agreed with those who believed that we needed “good” stories in cyber security, to raise security awareness. By “good” we meant “spectacular-in-the-fear-mongering-sense”.
I do not believe that anymore, because I no longer see anything good coming out of these cases. At this point in time we are drowning in spectacular security stories, and instead of helping, the stories just put even more pressure on a large and sore pain point that cannot easily be fixed, because they take focus away from the underlying issues, which are far more critical than any one isolated security incident.
Every time a story breaks – the latest SolarWinds/FireEye hack being a prime example – our attention is on technology: How technology failed, and what to do to fix this short term. But the problem is not (never!) one single piece of software or hardware that failed. The problem is that in most organizations, security is out of balance and focus, and not sufficiently embedded in corporate culture. The reality is that most of the time security risks are not sufficiently understood in organizations and that, as a consequence, there is no consistency in how we accept or mitigate risks. When something like the FireEye/SolarWinds incident occurs, too many people are surprised and react irrationally, pulling a lot of other people down the same path. The big vendors scramble to argue that they have the best technology response to the specific issue. But in my opinion, in doing so they completely miss the point and inadvertently skew the conversation, doing more damage than good to the overall security posture of organizations.
What happened this time?
Before digging further into this, let’s talk about what happened in this latest “good story”:
FireEye, one of the most respected and capable security companies, got hacked. So, the first high-level conclusion must be that "if they can hack FireEye, nobody is safe – certainly not the majority of organizations, who are probably way behind on security". And that's true. We know that the initial shock-and-horror of a reputable security firm getting hacked is of course just the headline-grabbing tip of the iceberg. More incidents will follow.
The short version of the story is this: We know that the perpetrators managed to embed code into software from SolarWinds before it was built and signed. As a result, everyone who installed the affected SolarWinds Orion updates potentially carried malware into their organization, disguised as valid, signed code from SolarWinds. The signature was genuine: it proves only that SolarWinds produced and signed those bytes, not that the bytes are safe, which is why the usual signature checks let it walk straight over the bridge past the guards. The result is that the bad guys now have a backdoor in the network and can potentially use this for any purpose. A large number of high-profile organizations have been impacted, and the potential magnitude is quite significant.
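To make the "signed but still malicious" point concrete, here is an added illustration (not code from the post, and not SolarWinds' build or signing pipeline). It models a vendor pipeline that builds and then signs whatever the build produced, an attacker who alters the build input inside that pipeline, and two customer-side checks: a signature check, which proves origin only, and a reproducibility check that rebuilds from the published source and compares bytes. The artifact name, the "source", the `build` stand-in (a header plus a hash of its input) and the injected string are all constructed for the example; the assumption that the real build is deterministic is what makes the second check possible at all.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact models a released build: the delivered bytes plus the vendor's
// signature over exactly those bytes.
type Artifact struct {
	Name string
	Data []byte
	Sig  []byte
}

// build is a constructed stand-in for a deterministic build step: the
// "binary" is a fixed header followed by SHA-256 of the build input.
// Assumption: the real build is reproducible (same input -> same bytes).
func build(input []byte) []byte {
	sum := sha256.Sum256(input)
	return append([]byte("BUILD:"), sum[:]...)
}

// Release is the vendor's pipeline: build, then sign whatever came out.
// The signing key only ever sees finished bytes, so it cannot distinguish
// a clean build from one whose input was tampered with upstream.
func Release(name string, buildInput []byte, key ed25519.PrivateKey) Artifact {
	data := build(buildInput)
	return Artifact{Name: name, Data: data, Sig: ed25519.Sign(key, data)}
}

// VerifySignature is what a customer's installer checks: that the bytes were
// signed by the vendor's key. It proves origin, not safety.
func VerifySignature(a Artifact, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, a.Data, a.Sig)
}

// VerifyReproducible rebuilds from the source the vendor published and
// compares byte-for-byte. Code injected inside the build pipeline changes the
// output without changing the published source, so it shows up here.
func VerifyReproducible(a Artifact, publishedSource []byte) bool {
	return bytes.Equal(a.Data, build(publishedSource))
}

// Scenario releases a clean or a trojanized build and returns the result of
// both customer-side checks as (signatureOK, reproducibleOK).
func Scenario(trojanized bool) (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	publishedSource := []byte("monitoring-agent source tree (constructed sample)")
	buildInput := append([]byte(nil), publishedSource...)
	if trojanized {
		// The attacker sits inside the vendor's build pipeline and alters
		// what gets compiled; the published source is untouched.
		buildInput = append(buildInput, "\n+backdoor()"...)
	}
	a := Release("agent-update.bin", buildInput, priv)
	return VerifySignature(a, pub), VerifyReproducible(a, publishedSource), nil
}

func main() {
	for _, t := range []bool{false, true} {
		sig, repro, err := Scenario(t)
		if err != nil {
			panic(err)
		}
		fmt.Printf("trojanized=%-5v signature_valid=%-5v reproducible=%v\n", t, sig, repro)
	}
}
```

The clean release passes both checks; the trojanized one passes the signature check and fails only the reproducibility check. That is the practical lesson of the incident as described above: a valid vendor signature is a statement about who signed, not about what was signed, and catching this class of compromise needs an independent check on the build output (reproducible builds, or an attested build process) rather than a stronger signature check.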
The story continues to evolve, disclosing technical details about how advanced and sophisticated the perpetrators are. Unfortunately, the story will quickly become old news as other urgent-important things take precedence. Things move incredibly fast in security, and the fact is that so far we still know very little about the real damage done.
And do the details about what happened, actually matter?
Most speculation about the people behind the hack points towards the usual nation-state suspects. As for the actual goal, speculation flourishes, and it can be hard to tell qualified statements from clever guesswork.
Certainly, as a consequence of this hack a lot of organizations probably now have a backdoor (or several) in their network. But that doesn’t mean that they are actually, specifically and individually under threat in this particular case: If your organization is average, non-critical and you do not fall into a category where military grade security or similar is needed, my guess is that this is not the first backdoor in your network, and it will not be the last. Also, it should be said that this backdoor has probably been there for quite some time, as SolarWinds was compromised at least several months ago. So, should you investigate and close the gap? Yes. Should you panic? No. Why? Because your organization is probably not the intended target and rushing a response might do more harm than good.
As with many past security events on this scale, chances are we will never know what the real strategic purpose was. And, I might add, most organizations will never get a clear answer, with any certainty, to the question: "Did they use their access for anything bad?" Remember this.
What is an appropriate response to this type of incident?
There will be many variants of responses out there. Some organizations will be ready for fairly thorough investigations and will probably be able to provide limited clarity. The majority of organizations, however, will not be able to do so, and will struggle to answer that essential question: “Did they use their access for anything bad?”
I have no interest in downplaying this incident, but as early as before Christmas, just days after the hack was publicly disclosed, several media outlets named the incident "the worst in a decade". I find these reactions quite concerning, considering the limited facts available. Sure, the sheer magnitude is potentially very big, but we still don't know most of the facts, including information about the actual harm done. It could be a step towards something really harmful, but I would argue that most "normal" organizations have bigger and better-qualified threats to worry about.
That is why I believe now is a time to reflect and learn; it is still too early to let this incident define new short-sighted technical initiatives. In my opinion, crying wolf doesn't help the cyber security agenda.