Focal Point Blog

Five DevSecOps Lessons from the SolarWinds Orion Attack

Written by Kyle McNulty | Dec 15, 2020 3:30:00 PM

Another cyberattack has made the news. But this one is a little different, as most cyberattacks do not cause the U.S. Department of Homeland Security (DHS) to issue an emergency directive. The latest attack, with a backdoor dubbed SUNBURST, has taken the security world by storm due to its global impact.

The attack stemmed from SolarWinds Orion, an IT management platform used by 425 of the Fortune 500 and several U.S. government agencies. The attackers managed to inject malicious code into an Orion application library, which was then shared into customer instances through software updates. Attackers were then able to forge access tokens that allowed them to impersonate existing users on the network, including privileged accounts. The DHS Cybersecurity and Infrastructure Security Agency (CISA) advised, “Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.” The sophistication and operational security of the attack have led threat researchers to credit Russia’s nation-state cyber group APT29, otherwise known as Cozy Bear, with the attack. FireEye, a cybersecurity firm and victim of this attack, has claimed the hack is “some of the best operational security that [it] has observed in a cyberattack.”

The malicious updates were first distributed back in March, which means the list of companies and agencies impacted by this attack will undoubtedly grow. The reputation damage and financial impact still to come from this event will likely be extensive. Over the next few months, many organizations will be dissecting this incident in an effort to protect their own businesses from similar attacks. One key lesson? The importance of DevSecOps. Let’s take a look at how this could have been avoided with more sophisticated DevSecOps practices:

Developer Access Reviews

To implement this backdoor within the software, a developer’s account was likely compromised. Access to this account enabled the attacker to commit code to the product, which was then distributed globally. If a keen team had been in place to review access, they could have very likely detected when the attacker first logged in to the account. Signs such as an anomalous location, strange timestamp, or new IP address should have warranted a closer look. Even with the remote workforce challenges of the COVID-19 pandemic, there is no excuse for a lapse on developer access reviews and follow-ups in response to suspicious behavior.
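The signals named above (new IP, anomalous location, odd timestamp) can be checked mechanically against each developer account's known baseline. The following is an added illustration, not code from the post or from SolarWinds; the baseline, the audit events and the working-hours window are constructed values.

```python
"""Flag developer-account logins that deviate from the account's baseline.

Added example for the access-review lesson; BASELINE and EVENTS are
constructed, not real SolarWinds data.
"""
from datetime import datetime, timezone

# Constructed baseline built from a developer's prior, trusted logins.
BASELINE = {
    "dev-alice": {
        "ips": {"203.0.113.10", "203.0.113.11"},
        "countries": {"US"},
        "work_hours_utc": (13, 23),  # assumed: roughly 8am-6pm US Eastern
    },
}

# Constructed login events as an SSO or source-control audit log would record them.
EVENTS = [
    {"user": "dev-alice", "ts": "2020-03-02T15:04:00Z", "ip": "203.0.113.10", "country": "US"},
    {"user": "dev-alice", "ts": "2020-03-03T03:12:00Z", "ip": "198.51.100.7", "country": "NL"},
    {"user": "dev-alice", "ts": "2020-03-03T14:30:00Z", "ip": "203.0.113.11", "country": "US"},
]


def login_anomalies(event, baseline):
    """Return the reasons an event deviates from the account baseline (empty if none)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for account"]
    reasons = []
    if event["ip"] not in profile["ips"]:
        reasons.append(f"new IP {event['ip']}")
    if event["country"] not in profile["countries"]:
        reasons.append(f"new country {event['country']}")
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    start, end = profile["work_hours_utc"]
    if not (start <= ts.hour < end):
        reasons.append(f"off-hours login at {ts.hour:02d}:00 UTC")
    return reasons


def review_queue(events, baseline):
    """Map each event timestamp that warrants follow-up to its list of reasons."""
    queue = {}
    for event in events:
        reasons = login_anomalies(event, baseline)
        if reasons:
            queue[event["ts"]] = reasons
    return queue


if __name__ == "__main__":
    for ts, reasons in review_queue(EVENTS, BASELINE).items():
        print(ts, "->", "; ".join(reasons))
```

Only the 03:12 UTC login from an unseen Dutch address lands in the review queue; the two baseline-conforming logins do not.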

Peer Reviews of Pull Requests

The intense focus on speed of delivery can often impact application security. DevSecOps principles seek to preserve this speed, but there are still low-effort, high-impact security measures that need to be in place within development processes, like peer reviews of pull requests. When the backdoor was introduced by the attacker, it was likely in a file that was not often touched by developers, or else it would have been caught when a developer was making a later change to the file. Had other developers been reviewing pull requests, they should have noticed a change to a generally static file and performed a brief review of the changes. A quick review of the modifications should have made it blatantly obvious the HTTP connections to a Command-and-Control server were malicious.

Commit Size

While it is unlikely there was a robust pull-request review process in place, it is possible the process was in place but ineffective due to large batch changes in each pull request. Keeping code changes small and committing often are key DevOps principles, so changes can be easily reviewed and analyzed. If this methodology were employed, it would have been much easier for developers to detect the addition of the malicious backdoor than if 1,000 lines of code were modified in each commit.
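Both review red flags from the last two sections, a change to a generally static file and an oversized batch of changes, can be surfaced automatically before a human reviewer looks at a pull request. This is an added example, not code from the post or from SolarWinds; the commit history, the pull request and both thresholds are constructed assumptions.

```python
"""Triage a pull request for rarely-touched files and oversized diffs.

Added example; HISTORY, PULL_REQUEST and the thresholds are constructed,
not taken from the Orion code base.
"""
from collections import Counter

# Constructed history: each entry lists the files touched by one past commit.
HISTORY = [
    ["src/Web/Dashboard.cs", "src/Web/Views.cs"],
    ["src/Web/Dashboard.cs"],
    ["src/Core/Scheduler.cs", "src/Web/Views.cs"],
    ["src/Core/Scheduler.cs"],
    ["src/Web/Dashboard.cs", "src/Core/Scheduler.cs"],
]

# Constructed pull request: file path -> lines added plus removed.
PULL_REQUEST = {
    "src/Web/Dashboard.cs": 40,
    "src/Core/InventoryService.cs": 310,  # never touched in HISTORY
}

RARE_FILE_MAX_COMMITS = 1  # assumed: a file with <= 1 prior commit is "generally static"
PR_MAX_LINES = 200         # assumed ceiling for "commit small, commit often"


def change_frequency(history):
    """Count how many past commits touched each file."""
    return Counter(path for files in history for path in files)


def triage_pull_request(pr, history, rare_max=RARE_FILE_MAX_COMMITS, max_lines=PR_MAX_LINES):
    """Return review flags: each rarely-touched file, then an oversized total diff."""
    freq = change_frequency(history)
    flags = []
    for path in pr:
        prior = freq.get(path, 0)
        if prior <= rare_max:
            flags.append(f"rarely changed file touched: {path} ({prior} prior commits)")
    total = sum(pr.values())
    if total > max_lines:
        flags.append(f"oversized change: {total} lines (limit {max_lines})")
    return flags


if __name__ == "__main__":
    for flag in triage_pull_request(PULL_REQUEST, HISTORY):
        print("REVIEW:", flag)
```

A flagged request can be routed to a second reviewer or blocked by CI until the change is split; the frequently-edited Dashboard.cs produces no flag on its own.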

Developer Awareness and Security Champions Programs

It is possible that the code was noticed by a developer, but did not raise any suspicions. While this is mind-blowing for a security professional, it is important to recognize that in many organizations, developers still do not have the full training and awareness needed to detect security vulnerabilities in application code. I have advocated for security champions programs for years now, and organizations that have not yet done so should seriously consider starting their own program. They are an efficient and effective mechanism to help inform developers of security considerations and build the partnership between teams.

Effective Use of Static Application Security Testing (SAST)

While it is unlikely SolarWinds completely neglected to use SAST tools given their popularity, it is worth mentioning that SAST tools are designed to detect backdoor code and may have sounded the alarm on the vulnerability. While backdoor detection with SAST is difficult, detection using dynamic application security testing (DAST) is largely impossible due to the front-end driven nature of dynamic testing. It is possible SolarWinds ineffectively used their SAST tool due to an unmaintained backlog of SAST vulnerabilities, which could have led to a notification about a potential backdoor that was never reviewed. It is also possible that the SAST results were not prioritized by developers, and there may be a JIRA ticket about the backdoor from March still in the queue. It is important to leverage SAST capabilities, but the tool is rendered useless if proper processes are not followed.

For companies impacted by the SolarWinds breach, it is undoubtedly frustrating to see how they could have potentially detected this vulnerability in the past nine months. Implementing the above processes in your own organization can prevent an application attack that impacts your own data or customers.

For immediate risk remediation for affected organizations, please update your SolarWinds Orion software to the latest version and review the threat research post from FireEye, which outlines various mechanisms for detecting and preventing the attack.

If you are concerned about the maturity of your organization’s DevSecOps programs or need assistance implementing any of the above measures, Focal Point can help.
