Ah, the week before the holidays. A great moment to take a breather after a difficult year, cut out early, do some online shopping, spend time with the family.
Not in the world of enterprise security technology — at least not this week, and perhaps not for a while.
“The week has literally exploded,” said Alex Gounares, founder and CEO at Bellevue, Wash.-based security tech company Polyverse. “It is tough to overstate the impact of the SolarWinds breach. Much has been written about the immediate impact, but what is even more concerning is the damage that is yet to come. The attackers have had months of unfettered access to SolarWinds customers — what else did they do? How many more backdoors are now planted all over those organizations?”
Those are just some of the unanswered questions and far-reaching implications of the SolarWinds breach, in which hackers believed to be connected to the Russian government infiltrated computer systems at companies and U.S. government agencies by illicitly inserting malware into software updates for a widely used IT infrastructure management product.
Discovered on Dec. 8, the attack has been taking place under the radar since March, according to the U.S. Cybersecurity & Infrastructure Security Agency.
The scale and sophistication of the attack are “amazing,” said Michael Hamilton, co-founder and chief information security officer of Seattle startup CI Security. “What I’ve learned is that tactics used by nation-state actors are now being deployed very broadly across the government and business community, and the gloves have really come off.”
SolarWinds, based in Austin, Texas, said about 18,000 customers may have installed the compromised software.
“What happened with SolarWinds is indicative of how incredibly sophisticated cyberattacks have become, and how far-reaching their effects are once a system has been infiltrated,” said Eugenio Pace, CEO and co-founder of authentication technology company Auth0. “We probably won’t know the full extent of damage for a while, unfortunately. This type of attack just proves that there will always be a level of sophistication and breadth that can impact even the most prepared companies.”
Auth0 is not a SolarWinds customer itself, Pace noted, but it has been taking precautions nonetheless and actively monitoring for threats on behalf of its customers.
Security startups have been working long hours to help their business customers detect the presence of the malicious code in their systems.
“This particular piece of malware is difficult to detect. It lies dormant for long periods of time,” said Jesse Rothstein, co-founder and chief technology officer at Seattle-based network security company ExtraHop. “It doesn’t create a lot of activity. … This is one of the reasons why I’m concerned that we’re only just beginning to understand the implications of this attack.”
Another challenge is the surreptitious nature of the backdoor attack.
“I can tell you without a doubt that this backdoor was installed, and it was wide open, at a large number of organizations,” Rothstein said. “What’s difficult to say is, did anybody walk in through that backdoor? And did anybody leave through the backdoor with valuables? … And we do not know if they left other doors unlocked, or if they established persistence through other mechanisms.”
Complicated by the cloud
The acceleration of cloud computing and software-as-a-service applications inside companies has further complicated the process of detecting attacks.
“With everything phoning home and leveraging cloud compute, it’s even more difficult to determine if it’s the intended behavior or if it’s some malicious or nefarious behavior,” Rothstein said. “There’s a pretty fine line between uploading data to your SaaS-hosted business intelligence platform and exfiltrating sensitive data to an attacker.”
Adding to the challenge, the malicious code was inserted into a SolarWinds software update that was digitally signed, which Rothstein said on Wednesday indicated that the server used to build the update was compromised. This was subsequently confirmed through an analysis by ReversingLabs.
“That’s very concerning,” Rothstein said. “As a software vendor and a supplier ourselves, I will tell you that one of the things that I’m most paranoid about is the integrity of the build system, and the integrity of the supply chain.”
After news of the SolarWinds attack broke over the weekend, ExtraHop issued an update through its threat intelligence feed to help customers detect activity on their networks that could be associated with the attack. In addition, its research team analyzed the initial list of domains believed to have been used in the attack and identified a much larger list, about 550 unique IP addresses, using its proprietary tools and open-source intelligence.
Microsoft took action against one of the key domains this week. However, Polyverse CEO Gounares, himself a veteran of the Redmond company, put that into perspective with another analogy. “Microsoft should be applauded for their quick response, but it’s sort of like having a frozen pipe burst in your house,” he said. “Yes, it’s super critical to patch the pipe (so thank you Microsoft!), but what about all the water damage in the walls and floors and other places that you can’t see?”
‘Massive’ demand for security technology
While tech security startups are careful not to be viewed as capitalizing on the incident, in many cases the situation demonstrates the need for the types of technologies and services they offer.
ExtraHop’s Rothstein, for example, pointed out that network detection, ExtraHop’s specialty, is one of the best ways to sniff out signs of the hack, due to the way the malicious code sits dormant. Progress in this area is one of the things that ultimately gives him some optimism in the face of new threats such as the SolarWinds breach. The application of data science and machine learning to analyze large data sets and network traffic for suspicious behavior “is a big advancement, and it does reap very, very big rewards.”
Gounares cited the importance of businesses having complete control of their software stack, the focus of Polyverse’s flagship product, as a defense against attacks that come in through the software supply chain, as was the case in the SolarWinds hack.
In a research note Thursday, Wedbush analyst Dan Ives said the attacks highlight a “massive” total addressable market for cybersecurity. “We believe there is a $200 billion dollar growth opportunity in cloud security ‘up for grabs’ over the next five years for those vendors that have the solution sets to protect critical cloud deployments and seamlessly work with on-premise and public/hybrid workloads through a unified and deep solution set,” Ives wrote.
The concentration of enterprise technology companies in the Seattle area, along with the presence of cloud giants Amazon Web Services and Microsoft Azure, has made the region’s tech community a hotbed for cybersecurity startups, as well.
One key takeaway is that the attack marks a new era, and it’s only the beginning.
“The larger implications for IT security are that this event is moving from an espionage focus to a criminal one,” said Hamilton, of CI Security. “There isn’t a bright line between state and criminal actors in certain countries, and persistence gained in networks using SolarWinds may be transitioned to organized crime. Translation: affected companies may be extorted using ransomware soon.”
Not only is the current attack not over, Gounares said, it’s also surely not the last of its kind.
“We are looking out for the next attack. The attackers behind the SolarWinds breach were absolutely sophisticated and world class, but when you dig into the technical details, what is remarkable is just how easy the actual technical mechanics were,” Gounares said.
“I think there will be a lot of copycat style attacks in the coming months and years,” he said. “Other capable nation-state organizations will be emboldened by this attack and decide to do their own, and other bad actors will look at the technical details and realize they can do it, too.”