SUNBURST: continuous clean-up and a way forward

Published: Friday, 08 January 2021 10:44

As organizations continue to explore the damage caused by the SolarWinds hack, BlackBerry’s Tony Lee, VP, Global Services Technical Operations, looks at how the impacts will continue into 2021 and what can be done to prevent similar incidents in the future.

As we take stock of a very strange 2020, we now add to the stack the lessons learned from the wide-reaching SolarWinds supply chain attack. As one can imagine, the detection and clean-up effort for an incident of this magnitude (affecting 18,000 organizations or more) will extend well into 2021. Many organizations are still investigating the full extent of their exposure while remaining in a state of constant vigilance and doubt.

The stealth and sophistication of this attack were paramount to its delayed discovery. This extended period of potential compromise has forced some organizations to thaw archived logs to search through them for indicators of compromise – that is assuming these logs still exist. This activity will hopefully be combined with other proactive activities outlined below. The remainder of the unwitting victims not performing any of these activities will eventually surface and, like others before them, will perform an assessment of damage and possibly make a public announcement. Although SUNBURST entered our lives quickly and brightly, the effects will linger and take quite some time to fade completely.

Going forward

No one should be surprised to see more breach notifications as a result of this supply chain attack and others yet to be discovered. Frustration will be felt by many – including victims of the victims – and this frustration will hopefully be appropriately directed at finding a solution to these constant attacks. Even if we see legislative action arise from this event, it will not deter all threat actors. After all, this is big business that continues to pay handsomely in both money and intelligence.

In addition to legislation, investing in layers of effective products will mitigate cyber risks. While this is also a step in the right direction, products are only as good as those caring for them, heeding their alarms, and taking necessary action. As we will see with future public disclosures, products alone are not the solution – especially when dealing with sophisticated and stealthy attacks such as supply chain compromise.

Our efforts going forward should be centred on continuous prevention and detection. As easy as that sounds, this means sufficient monitoring can no longer be considered 9-5 in a time zone of your choosing – this must be 24x7x365. Threat actors are globally distributed and do not rest, so neither should our defences. Additionally, we must continuously apply threat intelligence to our data and proactively hunt within our environments. If your organization is not watching and hunting around the clock, enlist the help of others who can provide this necessary augmentation of your security workforce. The final step must include artificial intelligence (AI) enabled adaptive endpoint security through continuous validation in a zero trust environment. If the threat actor gains entry to your network, possibly via tainted software, their presence should not remain hidden and their movement should not be made easy.
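As an added illustration of the two activities described above (thawing archived logs to search them for indicators, and applying threat intelligence to your own data), the following Python script is not BlackBerry's code and is not from this post. It sweeps a gzip-compressed log archive for a small set of indicators, restricted to a compromise window, and reports each match with its line number and timestamp. Every indicator, timestamp and log line in it is constructed for the example; the IP address comes from a documentation range and the domain uses the reserved `.example` TLD, so none of them are real SUNBURST IoCs.

```python
"""
Retrospective indicator sweep over archived logs (added example, not
BlackBerry's tooling). All indicators, window dates and log lines below
are constructed placeholders.
"""
import gzip
import io
import re
from datetime import datetime, timezone

# Constructed indicator set: placeholders only, not real SUNBURST IoCs.
INDICATORS = {
    "ip": {"198.51.100.23"},            # TEST-NET-2 documentation range
    "domain": {"c2.malicious.example"},  # reserved .example TLD
    "sha256": {"0" * 64},                # placeholder file hash
}

# Constructed compromise window; set this from your own incident timeline.
WINDOW_START = datetime(2020, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Assumed log shape: "<ISO-8601 timestamp> <free-form message>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def parse_line(line):
    """Split a log line into (timestamp, message); None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts, m.group("msg")


def extract_observables(msg):
    """Pull candidate IPs, domains and SHA-256 hashes out of a message."""
    return {
        "ip": set(IPV4_RE.findall(msg)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(msg)},
        "sha256": {h.lower() for h in SHA256_RE.findall(msg)},
    }


def sweep(lines, indicators=INDICATORS, start=WINDOW_START, end=WINDOW_END):
    """Return one hit dict per (line, indicator) match inside the window."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or timestamp-less lines are skipped
        ts, msg = parsed
        if not (start <= ts <= end):
            continue  # outside the window under investigation
        observed = extract_observables(msg)
        for kind, values in observed.items():
            for value in sorted(values & indicators[kind]):
                hits.append({"line": n, "ts": ts.isoformat(),
                             "kind": kind, "indicator": value})
    return hits


def sweep_gzip(blob):
    """Sweep a gzip-compressed log archive held in memory."""
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        return sweep(fh)


def build_archive(text):
    """Compress log text the way a thawed archive would be stored."""
    return gzip.compress(text.encode("utf-8"))


# Constructed sample archive: line 1 is before the window, lines 2-4 hit
# one indicator each, line 5 is benign, line 6 has no timestamp.
SAMPLE_LOG = "\n".join([
    "2020-02-10T08:00:00Z dns host=ws01 qname=c2.malicious.example",
    "2020-06-15T12:00:00Z dns host=ws01 qname=c2.malicious.example",
    "2020-06-15T12:00:05Z conn host=ws01 dst=198.51.100.23 port=443",
    "2020-07-01T09:30:00Z file host=ws02 sha256=" + "0" * 64,
    "2020-07-02T10:00:00Z conn host=ws03 dst=203.0.113.7 port=443",
    "malformed line with no timestamp",
])


if __name__ == "__main__":
    for hit in sweep_gzip(build_archive(SAMPLE_LOG)):
        print(hit)
```

Replace the placeholder indicator set with the vendor or community indicators your organization relies on, and set the window from your own timeline; a sweep that ignores the window will surface historic, already-remediated matches and dilute the result. Matching exact strings is only the first pass, since an attacker's infrastructure changes over time, which is why the post pairs this kind of retrospective search with ongoing hunting.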

Closing thoughts: continued defensive improvement and vigilance are a must, not only for detecting any lingering effects of the SUNBURST malware, but also for detecting the next major attack since this will surely not be the last.

For details regarding BlackBerry’s response to the SolarWinds attack, please check our BlackBerry Perspective post found here.