Since approximately last March, SolarWinds software updates have included an unwanted bit of extra code. Attackers - thought to be Russian state actors - injected malware into signed software updates, giving them what's been described as a "toehold into the network," and creating opportunities for privilege escalation attacks.
SolarWinds: What To Do
Organizations running SolarWinds should assume they’ve been targeted. Compromised privileged accounts, unfortunately, create a distressing array of consequences. Exposure to the breach itself may be just the tip of the iceberg. Breaking reports indicate many federal agencies use the software, and in the past few days CISA recommended all agencies disconnect SolarWinds from the network.
CISA's next bit of advice was chilling: “assume that further persistence mechanisms have been deployed.” Analysis and remediation will take significant cross-discipline expertise. Get expert help. You'll need to look at everything from your multi-factor authentication solutions (Microsoft suggests SAML tokens could be spoofed) to your data access governance practices. DHS's directive to federal agencies has a good set of specific actions you can take if you have the expertise.
Data Security Standards and Next Steps
Take steps immediately to limit the damage from a potential breach, especially as it relates to data loss. Least-privileges access practices counter privilege escalation attacks by limiting the data compromised accounts can access. Apply least privileges to everything from files to API interfaces to network resources. Do this now, even before your forensics team finishes their analysis of your SolarWinds exposure.
Data Access Governance Tools
Concentric can help. Semantic Intelligence can autonomously spot data that's being overshared. If your organization - like many others - has tens of millions of files with possibly critical data, there's really no other way to get a handle on your exposure. Knowing what you have is a critical step towards more comprehensive least-privileges controls.
Here's how it works. We use sophisticated deep-learning techniques to scan and place your files into thematically similar categories - regardless of who owns the file or where it's stored. Our patent-pending Risk Distance™ analysis determines which specific files have elevated risk by looking at the security practices followed by peer files in the category. That means you can get an accurate and comprehensive picture of risk without having to write rules and policies to find them.
Least Privilege Principle
Even if you're not a target of the SolarWinds exploit, least-privileges data access governance practices are the best way to limit the scope of attacks like these. It's a security approach tailored to the moment.