Whitepaper | In Response to The SolarWinds Breach: The Need to Return to Cybersecurity Fundamentals

In mid-December 2020, SolarWinds acknowledged that it had suffered a massive supply-chain attack: its software update channel was compromised and used to push a trojanized Orion update to as many as 18,000 of its customers. Several government agencies were impacted in this unprecedented breach, including the Department of Defense, the Department of Commerce, the Department of Homeland Security, and others. The fallout continues, with the Department of Justice announcing that the attackers accessed its Microsoft Office 365 email environment and were able to read internal emails and correspondence.

While much of the commentary around the breach focuses on how it happened, little has been said about how to respond moving forward. This incident is a reminder that it is never too late to implement the fundamentals: applying cybersecurity basics would have blunted a number of the weaknesses that allowed the attack to succeed. We’ve put together a white paper that covers just that.

The white paper can be found here.

Unanswered Questions from the SolarWinds (Sunburst) breach

There is a good chance that the SolarWinds supply-chain breach (Sunburst) will be the biggest cybersecurity story of 2020. The fact that FireEye, a cybersecurity firm, was hacked is especially concerning, and not just because of the tools, intellectual property, or sensitive information that may have been stolen.

FireEye specializes in helping other organizations respond to cybersecurity incidents. It would be considered a hardened target: one would assume it has a strong security posture, comprehensive monitoring, and an active threat-hunting program.

An attacker takes a brazen risk in targeting FireEye and stealing its tools, because even if the theft succeeds, FireEye is likely to be alerted, investigate the incident, and uncover the wider campaign. That is exactly what happened. So what were the attackers thinking?

Maybe they didn’t know it was FireEye? Sunburst was a highly sophisticated supply-chain attack requiring significant resources and operational secrecy, and it had already been running for six to nine months, since spring 2020. Attackers at this level of sophistication did their homework and knew the target.

Or maybe it was a rookie mistake? Sunburst was a team effort requiring hands-on work by experienced operators. While it’s possible that someone deviated from the playbook, that is a low-probability explanation given the organizational cohesion demonstrated over those six to nine months.

Was it a calculated risk? FireEye is a hardened target, and the attackers would have known that operating there would be noisy and could alert FireEye.

Let’s say it was a calculated risk. If so, why take it? Perhaps they had already achieved most of their objectives. After establishing persistent access and cataloging an organization’s assets, attackers eventually have to exfiltrate the data, and a campaign of this size and scale is going to be noticed at some point. Perhaps they saved FireEye for last, after they had already pillaged the other organizations.

However, the timing of the breach disclosure still bothers me. Was this an espionage campaign, or something more insidious, perhaps a disruption and influence campaign made to look like espionage? After all, the elections are now over. If the elections were the primary mission, it would make sense for the attackers to pull out now and take whatever spoils they could with them.

Strong Crypto Innovations (SCI) Strengthens Cyber Security Portfolio with SentinelOne’s Next Generation Endpoint Protection

Strong Crypto Innovations, a leader in providing information security solutions to the Federal government and to commercial organizations of all sizes, today announced that it has selected SentinelOne’s next-generation endpoint protection platform as an important component of its cyber security strategy.

SentinelOne provides an advanced solution that protects organizations from advanced malware, such as ransomware, and from exploit-based attacks. Unlike signature-based security products that rely on static analysis, SentinelOne’s Dynamic Behaviour Tracking (DBT) engine monitors each newly created process on a machine throughout its lifecycle, identifying malicious behavior patterns and eliminating threats in real time. This approach defends against advanced attacks and insider threats that use stealthy evasion techniques capable of bypassing traditional, signature-based methods.
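As an added illustration of the behavior-versus-signature distinction drawn above (this is example code written for this page, not SentinelOne’s DBT engine or SCI’s own code), the following Python script attributes activity in a constructed process tree back to the program that initiated it, scores ransomware-like behavior over that tree (shadow-copy deletion, disabling recovery, mass renames to a ransomware extension), and shows that a hash-based signature check knows nothing about a recompiled variant. The process names, event format, rule weights and sample events are all assumptions made for the demonstration.

```python
"""Behavior-based vs signature-based detection over a constructed process-event stream.

Added illustration; this is NOT SentinelOne's DBT engine or SCI code. It follows each
process and the shell/utility children it spawns, scores ransomware-like behavior, and
compares the result with a hash lookup that only knows an earlier build of the malware.
"""
import hashlib
import ntpath
from collections import defaultdict

# --- Signature side -----------------------------------------------------------
# Constructed: the only sample our "signature database" has ever seen.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"ransomware build 1 (constructed)").hexdigest()}


def signature_verdict(image_bytes: bytes) -> str:
    """Static lookup: catches only byte-identical builds; a recompiled variant slips through."""
    return "malicious" if hashlib.sha256(image_bytes).hexdigest() in KNOWN_BAD_SHA256 else "clean"


# --- Behavior side ------------------------------------------------------------
# Shells and built-in utilities are treated as pass-through: activity they perform is
# attributed to the nearest ancestor that is not on this list (the initiating program).
PASSTHROUGH = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
               "vssadmin.exe", "wmic.exe", "bcdedit.exe"}
RANSOM_EXTENSIONS = {".locked", ".crypt", ".enc"}   # hypothetical extensions for the demo
RENAME_THRESHOLD = 5                                 # renames before "mass rename" fires
WEIGHTS = {"shadow_copy_deletion": 60, "recovery_disabled": 40, "mass_rename_to_ransom_ext": 50}
MALICIOUS_SCORE = 70


def _origin(pid, parent, image):
    """Walk up through pass-through processes to the program that initiated the activity."""
    while image.get(pid) in PASSTHROUGH and pid in parent:
        pid = parent[pid]
    return pid


def _cmdline_findings(cmdline):
    """Behavioral indicators visible in a command line, independent of the binary's hash."""
    c = cmdline.lower()
    if ("vssadmin" in c and "delete" in c and "shadows" in c) or \
       ("wmic" in c and "shadowcopy" in c and "delete" in c):
        yield "shadow_copy_deletion"
    if "bcdedit" in c and "recoveryenabled" in c and "no" in c.split():
        yield "recovery_disabled"


def analyze(events):
    """Score every initiating process over the lifetime of its process tree.

    Returns {origin_pid: {"image", "findings", "score", "verdict"}}.
    """
    parent, image = {}, {}
    for e in events:                      # pass 1: learn the process tree
        if e["type"] == "start":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"].lower()

    findings, renames, seen = defaultdict(set), defaultdict(int), set()
    for e in events:                      # pass 2: attribute each event to its origin
        o = _origin(e["pid"], parent, image)
        seen.add(o)
        if e["type"] == "start":
            findings[o].update(_cmdline_findings(e.get("cmdline", "")))
        elif e["type"] == "file_rename":
            if ntpath.splitext(e["new_path"])[1].lower() in RANSOM_EXTENSIONS:
                renames[o] += 1

    report = {}
    for o in seen:
        f = set(findings[o])
        if renames[o] >= RENAME_THRESHOLD:
            f.add("mass_rename_to_ransom_ext")
        score = sum(WEIGHTS[x] for x in f)
        report[o] = {"image": image.get(o, "?"), "findings": sorted(f), "score": score,
                     "verdict": "malicious" if score >= MALICIOUS_SCORE else "clean"}
    return report


# Constructed event stream (not a real capture): a fake "invoice viewer" deletes shadow
# copies through cmd.exe and then encrypts documents, while explorer does a benign rename.
SAMPLE_EVENTS = [
    {"type": "start", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "start", "pid": 200, "ppid": 100, "image": "invoice_viewer.exe", "cmdline": "invoice_viewer.exe"},
    {"type": "start", "pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "start", "pid": 301, "ppid": 300, "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "file_rename", "pid": 100, "new_path": r"C:\Users\a\report.docx"},
] + [
    {"type": "file_rename", "pid": 200, "new_path": rf"C:\Users\a\Documents\q{i}.xlsx.locked"}
    for i in range(6)
]

if __name__ == "__main__":
    print("signature says:", signature_verdict(b"ransomware build 2 (constructed)"))
    for pid, r in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, r)
```

Running it, the signature lookup reports the recompiled build as clean, while the behavioral pass flags pid 200 (invoice_viewer.exe) as malicious with both the shadow-copy deletion and the mass rename attributed to it; the cmd.exe and vssadmin.exe hops are folded into their initiator rather than judged in isolation. Real engines work from far richer telemetry, but following the whole process lifecycle and scoring what a program does rather than what its bytes hash to is exactly the contrast the paragraph above draws with static, signature-based analysis.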

Alexander J. Fry, President at Strong Crypto Innovations, comments:

“SentinelOne’s solution is an important offering in our comprehensive approach to cyber security, and further strengthens the protection that we can offer customers as cyber attacks become harder to detect. As we’ve seen in recent months, the volume of ransomware attacks has grown substantially. In fact, today the Federal Trade Commission is holding several panel discussions on ransomware. So it’s more important than ever that we provide customers with the most advanced solutions to protect them from these threats, including zero-day variants. SentinelOne’s solution stood out to us as providing an innovative and dynamic new approach, combining sophisticated machine learning with real-time threat intelligence to ensure customers have the best possible endpoint protection. SentinelOne is also the only endpoint protection company to guarantee its technology. If they’re unable to block or remediate the effects of a ransomware attack, they will reimburse the company or organization up to $1,000 per endpoint, or $1,000,000 in protection overall for the company.”

Magali Bohn, Head of Worldwide Channel Sales at SentinelOne, comments:

“We’re delighted to partner with Strong Crypto Innovations. The Federal government and commercial organizations that SCI serves have some very real challenges in this new era of ransomware, and our solution is designed to help them keep pace with these and to protect what is often seen as the ‘soft’ target by cyber criminals: their endpoints.”