Question:
Description of the Case Study

SolarWinds is a major software company based in the USA, which provides system management tools for network and infrastructure monitoring, and other technical services to hundreds of thousands of organizations around the world. Among the company's products is an IT performance monitoring system called Orion. As an IT monitoring system, SolarWinds Orion has privileged access to IT systems to obtain log and system performance data. It is that privileged position and its wide deployment that make SolarWinds a lucrative and attractive target for cyber criminals.

On 8th December 2020, FireEye, a prominent cybersecurity firm, announced they were a victim of a nation-state attack. The security team reported their Red Team toolkit, containing applications used by ethical hackers in penetration tests, was stolen. On 13th December 2020 FireEye discovered the supply chain attack against the SolarWinds products while investigating a compromise of their own network and publicly announced the discovery of the SUNBURST backdoor. On December 13th 2020 SolarWinds began notifying customers, including a post on its Twitter account: "SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability." On December 14 SolarWinds filed an SEC Form 8-K report, stating in part that the company "has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products". On December 15, 2020, the Wall Street Journal reported that the U.S. Commerce and Treasury Departments, the Department of Homeland Security (DHS), the National Institutes of Health, and the State Department were all affected. Various security officials and vendors expressed serious dismay that the attack was more widespread and began much earlier than expected. The initial attack date was now pegged to sometime in March 2020, which meant the attack had been underway for months before its detection.

How did the SolarWinds hack happen?

The hackers used a method known as a supply chain attack to insert malicious code into the Orion system. A supply chain attack works by targeting a third party with access to an organization's systems rather than trying to hack the networks directly. The third-party software, in this case the SolarWinds Orion Platform, creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software.

SolarWinds was a perfect target for this kind of supply chain attack. Because their Orion software is used by many multinational companies and government agencies, all the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch. Attackers were able to gain access to the SolarWinds software development and delivery pipeline, which allowed them to add their malicious code into one of the SolarWinds Orion platform drivers named SolarWinds.Orion.BusinessLayer.dll. Due to this supply chain attack, the infected DLL was digitally signed, which helped the malware remain unnoticed for a long time, allowing the adversary to make a massive impact.

The SolarWinds hack timeline

Here is a timeline of the SolarWinds hack:
• September 2019. Threat actors gain unauthorized access to the SolarWinds network
• October 2019. Threat actors test initial code injection into Orion
• Feb. 20, 2020. Malicious code known as Sunburst injected into Orion
• March 26, 2020. SolarWinds unknowingly starts sending out Orion software updates with hacked code
• December 8, 2020. First discovery by FireEye

Who was affected?

According to reports, the malware affected many companies and organizations. Even government departments such as Homeland Security, State, Commerce and Treasury were affected, as there was evidence that emails were missing from their systems.

Private companies such as FireEye, Microsoft, Intel, Cisco and Deloitte also suffered from this attack. Many organizations have been compromised by the recent SolarWinds breach, which seems to be a targeted attack against both government and private agencies. The complete scale of this attack is still unknown, but what is known is that the hackers gained access to victims' systems via malicious SolarWinds Orion updates which were then downloaded by thousands of users. Microsoft, one of the victims of this hack, identified the suspected nation-state hackers as a group known as Nobelium. They gained access to the networks, systems and data of thousands of SolarWinds customers. The breadth of the hack is unprecedented and one of the largest, if not the largest, of its kind ever recorded. More than 30,000 public and private organizations -- including local, state and federal agencies -- use the Orion network management system to manage their IT resources. As a result, the hack compromised the data, networks and systems of thousands when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software. SolarWinds customers weren't the only ones affected. Because the hack exposed the inner workings of Orion users, the hackers could potentially gain access to the data and networks of their customers and partners as well -- enabling the number of affected victims to grow exponentially from there.

The breach was first detected by cybersecurity company FireEye. The company confirmed they had been infected with the malware when they saw the infection in customer systems. FireEye labeled the SolarWinds hack "UNC2452" and identified the backdoor used to gain access to its systems through SolarWinds as "Sunburst." Microsoft also confirmed that it found signs of the malware in its systems, as the breach was affecting its customers as well. Reports indicated Microsoft's own systems were being used to further the hacking attack, but Microsoft denied this claim to news agencies.

Later, the company worked with FireEye and GoDaddy to block and isolate versions of Orion known to contain the malware to cut off hackers from customers' systems. Investigators have a lot of data to look through, as many companies using the Orion software aren't yet sure if they are free from the malware. It will take a long time before the full impact of the hack is known.

Why did it take so long to detect the SolarWinds attack?

With attackers having first gained access to the SolarWinds systems in September 2019 and the attack not being publicly discovered or reported until December 2020, attackers may well have had 14 or more months of unfettered access. The question of why it took so long to detect the SolarWinds attack has a lot to do with the sophistication of the Sunburst code and the hackers that executed the attack.

What was the purpose of the hack?

The purpose of the hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system. But the level of access appears to be deep and broad. There is speculation that many enterprises might be collateral damage, as the main focus of the attack was government agencies that make use of the SolarWinds IT management systems. The techniques which the attackers used in this breach are very sophisticated: Supply Chain Compromise, Data Encoding, Impair Defenses and Dynamic Resolution, to name a few. Instead of doing major damage to the infected system, the attackers have focused on staying unnoticed by security products. It is expected that there will be widespread use of similar attacks in the coming months.
QUESTION :
a) Experts agree that SolarWinds and all organizations affected by the hack did not pay proper attention to Risk Identification and Threat Assessment. Describe the importance of risk assessment and threat assessment.
b) Recommend the steps of the risk assessment process that the affected organizations should follow to improve their risk management process.