Advice for Combating the 'Next' SolarWinds Attack
AHA, H-ISAC Offer Recommendations
The Health Information Sharing and Analysis Center and the American Hospital Association have released a new report providing guidance for combating the next supply chain attack along the lines of the SolarWinds incident.
The white paper, Strategic Threat Intelligence: Preparing for the Next "SolarWinds" Event, provides technical recommendations for IT and information security teams to address immediate concerns by providing tactical mitigations. It also offers an analysis to help senior business leaders and C-suite executives better understand the risks involved with certain enterprise IT systems.
Healthcare organizations should use "actionable threat intelligence" and remain alert to potential vulnerabilities to help minimize the impact of a "SolarWinds-type" event, the paper states.
The report also recommends regular vulnerability scanning, testing and implementing patches across systems, and "continuing to verify that security controls remain effective against potential attackers."
"For our technical audience, this paper presents a detailed analysis of characteristics that allowed the SolarWinds incident to affect multiple industries, organizations and systems," the paper notes. "The ability to extract the characteristics and features of the SolarWinds [attack] could allow organizations to predict - and hopefully prevent - the next SolarWinds-like event in their enterprise environments."
Errol Weiss, H-ISAC chief security officer, says the paper is designed to give organizations' leaders, as well as IT and infosec professionals, "a clear picture of what enterprise management and other trusted systems lurk in their environments."
In the SolarWinds incident, attackers installed a backdoor in an update of SolarWinds' Orion network monitoring platform, and some 18,000 customers downloaded the Trojanized software. Then, nine government agencies and about 100 companies were targeted for follow-on attacks, federal investigators say.
On Thursday, a group of U.S. intelligence agencies formally accused the Russian Foreign Intelligence Service, or SVR, of carrying out the SolarWinds attack. The Biden administration formally sanctioned Russia over the attack, as well as the disinformation campaign tied to the 2020 U.S. elections (see: U.S. Sanctions Russia Over SolarWinds Attack, Election Meddling).
Enterprise Software Risks
Three characteristics that make SolarWinds' network monitoring system - and similar enterprise software systems - appealing targets to attackers, according to the guidance, are:
- The centralized systems easily control multiple subsystems, networks or products, requiring little or no interaction or activation from the controlled system.
- The systems possess an undisclosed, unpatched or unknown opening that attackers can exploit for a degree of administrative control.
- The exploited opening of the centralized product can affect the subsystem it controls.
"The SolarWinds attackers exploited all of the above characteristics to achieve their attack goals," the report says.
Attackers have also previously exploited these same factors in several other cyber incidents, including the exploitation of an HP OpenView vulnerability in 2009, the WannaCry and Petya/NotPetya malware attacks in 2017, and the exploitation of a SAP Solution Manager flaw this year, the paper notes.
"These security challenges are not limited to the healthcare sector; they apply to every network," Weiss notes.
Enterprise management systems have trusted access across the network, Weiss says. "If a vulnerability in the enterprise management tool is exploited, then an attacker could move laterally through the network leveraging that trust model."
Commenting on the report, former healthcare CISO Mark Johnson, who is now with the consulting firm LBMC Information Security, says: "Are we going to continue to see similar problems like [SolarWinds] in the future? Yes. Should we be doing the things the guidance says? Yes. But more importantly, what do we do when the next one happens? Bottom line: Healthcare CISOs have to understand what their critical third-party software and solutions are and what to do if they go away or you have to take them away for a period of time."
Phil Curran, CISO at Cooper University Health Care in Camden, New Jersey, says the guidance could help CISOs make the case to top decision-makers for investments in cybersecurity.
"Many organizations know what to do, but do not have the resources to do what is necessary. Telling senior execs that the H-ISAC and AHA are recommending taking certain actions may induce the executives to open the purse strings," he says.
"Senior execs listen to their cybersecurity experts, but when outside organizations are saying what their staff is saying, it adds credence."