From a cyber breach perspective 2020 went out with a bang with the announcement in December that the SolarWinds Orion product had been compromised.
A textbook example of a supply chain attack
We wrote about it here at the time. Attackers, potentially for a Nation State, hacked and modified a software update for the SolarWinds product. Software updates are trusted and an essential security measure, so this malicious modification quickly found its way across SolarWinds’ customer base. That customer base is huge and highly influential. The software involved is used by the vast majority of global big businesses as well as the most critical parts of Governments. This gave the attackers, and therefore their sponsors, access to the victims’ networks and the sensitive data that runs over them.
This was a textbook supply chain attack. Sometimes a supplier will be attacked because it presents an easier route to get at the ultimate target. Only time will tell in this case whether this was a factor, but the sophistication of the attack suggests this was not an easy target; a lot of very valuable resources would have been applied by the attacker to achieve their aim. Key suppliers can also open up a huge network of potential secondary targets; succeed once and you have access to many thousands of organisations. This undoubtedly was a driving factor in this case.
So why does this matter?
It is hard to overestimate the importance of this attack. Supply chains rely on trust – using such a method to undermine such a key supplier has a disproportionate impact on trust. If a business has little visibility or understanding of risk in their supply chain, then a story like this will cause them to worry that every one of the suppliers might bring them down.
“How do I prevent this happening again?”
The simple answer to this question is that although you can reduce the chances of it happening again, eliminating the risk is very difficult. Nation States, and organised crime groups, can access huge capabilities if they are confident that they will get a decent return on their investment. And in the case of headline-grabbing incidents like this one we frequently see the boundaries between Nation State sponsorship and Organised Crime execution being blurred.
However, now that the dust is settling, there are important lessons we can learn:
Risk is not binary
An attack like this is rare and for the majority of us these most formidable adversaries have much larger and loftier goals in mind than finding out what our cash holdings were at the end of last month. If you look across the continuum of risk you will see its nature change from one extreme to the other. At the most sophisticated end (as is apparent in the SolarWinds attack) you have rare events that can be minimized but probably not completely avoided. At the other end of the spectrum you have the continuous, very real threats that are better understood, less sophisticated, and will impact regularly if steps are not taken to avoid them.
Beware focusing on the exciting but unlikely
This can create a fatalistic sense of inevitability. Some people may feel that they might as well give up on security in the face of adversaries who can just roll in and do as they please. Others might expend disproportionate levels of resource trying to prevent a recurrence of this type of attack, at the expense of the basics. Or alternatively it may create such a crushing sense of fear about the worst case scenarios that it will be difficult to maintain objectivity when developing plans and managing risks.
Prevent what you can
A degree of pragmatic realism and the application of an 80/20 approach is useful. The vast majority of third-party risks can be effectively managed – not eliminated but managed. By having a broad programme in place to efficiently understand the risks, and remediate the issues that are aggravating them, it is possible to bring risk down to a tolerable level. This addresses the majority. But there is still the minority – the most sophisticated and unpredictable risks, where the cost to remediate will be too great. This cost may be in business disruption, the expense of the controls, or the inefficiency of bringing multiple services in house that would be better remaining outsourced.
Prepare for what you cannot prevent
This brings me to the final point. For those things you can’t prevent, you had better prepare! Well prepared contingency plans and play books, rehearsed and practised, with well understood triggers to prompt their execution, can significantly reduce the impact when they arrive. How quickly can you decouple, isolate or switch off a particular technology if it is found to have been compromised? Is there a way of building in some level of redundancy to reduce critical dependencies? These sorts of questions can help you to understand, and then reduce, your business risk exposure.
So how can we use the SolarWinds breach to strengthen our approach to vendor risk?
I think there are a number of ways that the SolarWinds breach can be used to help:
- Increasing awareness of third-party risk across the business; illustrating that these risks are real.
- Recognising that the first step towards managing the risks is understanding their nature, and the difference between those that can be materially remediated and those that can only be mitigated with contingency plans.
- Focusing the VRM programme on the 80%; getting them to a tolerable level where the management burden trends down.
- Using the increased business understanding of the residual extreme risks to develop the processes, plans and resilience-building capabilities that can be executed in the event that any of those risks impact.