By Samuel Hutton, SVP North America, Glasswall
In the calm after the massive SolarWinds breach in 2020 that impacted the U.S. Treasury, Commerce, State, Energy, and Homeland Security departments, government agencies and the presidential administration were forced to rapidly evaluate what exactly went wrong — and how to right the sails. Perhaps most shocking, the nation-state hackers who were able to infiltrate defense organizations through the technology vendor by a tried and true method: password guessing.
SolarWinds Prompts Legislation
While SolarWinds stated that nation-state attackers were able to insert malware into two product updates in the spring of 2020, they likely already had access to the company’s software development system as far back as fall 2019, via stolen credentials from a Microsoft Office 365 account.
Once President Biden came into office in early 2021, work on an extensive cybersecurity executive order began. The Executive Order on Improving the Nation’s Cybersecurity aimed to shut the open doors that once allowed digital adversaries to seemingly waltz into government networks. One of the top priorities centered around improving information sharing between the public and private sectors to decrease the chances of another devastating third-party breach.
Executive Order Lays Out Key Technologies
In addition, to prevent credential theft, successful phishing attempts and nation-state espionage, which represent some of the most common threats to government entities, the order suggests vast improvement and modernization of defense agencies’ cybersecurity technology. Section 3 of the order, in fact, states that the federal government will adopt the following initiatives, which the private sector is heavily encouraged to mirror: Zero trust architecture, secure cloud services (SaaS, IaaS, PaaS), increased threat visibility, analytics-driven cybersecurity risk analysis, multi-factor authentication across all accounts, encryption of all data and increased investments in both tech and personnel.
Are the SolarWinds Hackers Back?
Alarmingly, in late October, reports surfaced from Microsoft, one of the organizations hit by the SolarWinds attack, that the Russian nation-state group behind the major breach is back and targeting IT supply chain organizations. As of initial reports on Oct. 25, 2021, 140 organizations had been targeted with 14 compromised. The group, known as Nobelium, is not leveraging a known vulnerability this time around but rather utilizing the classic methods of password spraying and credential stuffing, phishing attacks, API compromise and token theft to obtain legitimate user credentials. Luckily, a lot of the advice provided by the executive order addresses these attack methods, thus putting defense organizations a step ahead — but there is still more to be done.
But What About File-based Content?
The detailed proposals from the Biden administration aim to prevent digital adversaries from entering government networks and minimize the dwell time if they do somehow break through, such as in the case of the original SolarWinds breach. While the steps above are an impressive start, there is one aspect missing: file sanitization and security.
In every industry, including defense, document-based content is the lifeblood of a business. Excel, Word files, Google docs, PDFs and more enable collaboration, productivity and overall business success. Therefore, many people do not even think twice about opening a file from a colleague or perceived trusted source.
As the last year especially has demonstrated, cyber is the newest battleground after land, air and sea. Insider threats are also a major aspect here, whether intentional or unintentional. An intentional insider threat could encompass a disgruntled employee that wants to harm a government agency or staff member looking to profit off of confidential information — which could potentially lead them to work with nation-state groups. Alternatively, there are unknowingly compromised employees whose systems were infiltrated by a bad actor. All of these insider instances are often tied to file-base content.
In fact, a few years back, a major government contractor’s network was compromised via foreign actors sending malware-laced resumes to its HR department, which the employees unwittingly opened, allowing for access and lateral movement across the network. It’s time these file-based threats are taken seriously by both the private and public sector, or cybercriminals will increasingly be running through these open doors.
Shutting the Door on the Adversaries
Reactive security tools simply will not cut it. Zero trust security, privileged access management, analytics-driven risk analysis and more are absolutely essential to have in a defense agency’s security stack, but scrubbing every file exchanged on a network will help close a major, remaining entrance point for bad actors.
Known as content disarm and reconstruction (CDR) solutions, these tools clean and rebuild files to match a “known good” manufacturer specification that automatically removes potential threats. This is a more proactive solution as CDR eliminates the threat by removing any places for malware to hide for prolonged periods of time. In comparison, reactive technologies often only catch the threats when it’s already too late.
If both the public and private sector act now to fortify their security infrastructure using guidance from the federal government and their own research and awareness of prominent threat vectors — they can increase their chances of preventing foreign actors from compromising their systems in the first place, let alone having time to dwell.