{"id":24400,"date":"2020-12-28T17:40:52","date_gmt":"2020-12-28T09:40:52","guid":{"rendered":"https:\/\/version-2.com\/?p=24400"},"modified":"2022-03-07T14:40:07","modified_gmt":"2022-03-07T06:40:07","slug":"solarwinds-sunburst-should-enterprises-adopt-supply-chain-certification","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2020\/12\/solarwinds-sunburst-should-enterprises-adopt-supply-chain-certification\/","title":{"rendered":"SolarWinds \/ SunBurst \u2013 Should Enterprises Adopt Supply Chain Certification?"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

SunBurst \u2013 The Cyber Attack on SolarWinds<\/strong><\/p>\n

\nSunBurst is a cyber espionage campaign that leveraged a supply chain attack<\/strong> on SolarWinds, a leading supplier of network management software. Between March and May 2020, the attackers gained access to SolarWinds\u2019 build system, added a malicious DLL (library) file, and distributed it to 18,000 SolarWinds Orion customers.\n<\/p>

\nThe malicious file allowed remote control of the target host, while leveraging advanced evasive tactics. Using this access point, the attackers were able to hack into organizations with well-established security practices such as Cisco<\/a> and Microsoft<\/a>. These organizations failed to detect the attack before FireEye (who was also attacked) made it public<\/a>.\n<\/p>

\nA targeted attack at this scale doesn\u2019t happen very often. It\u2019s a rare event that should shake both enterprises and the security community. The fact that this campaign went undetected for such a long period of time (6+ months), proves that something is fundamentally wrong with the way that computer networks are protected.\n<\/p>

\nThe success of this attack campaign, versus other campaigns, is built upon two factors:<\/p>\n

    \n \t
  1. First and foremost, this is not a coincidence. This is a team of highly skilled attackers who made all of it possible. The campaign shows world-class planning, knowledge, experience and attention to detail.<\/li>\n \t
  2. SolarWinds Orion is a network management product. Due to its role, it has a number of advantages as an attack source, vs. other types of attack sources:\n
      \n \t
    1. It\u2019s whitelisted to perform reconnaissance (network monitoring) in many security tools \u2013 This tool is designed to perform reconnaissance, so no one will suspect when the tool does what it was designed to do.<\/li>\n \t
    2. From SolarWindows Orion\u2019s perspective in the network, the network is usually flat. Regardless of how many network segments are there, the component in Orion that scans the network requires direct network access to the target devices, so enterprises allow this traffic through their firewalls. This allows unique network access from the initial access point.<\/li>\n \t
    3. SolarWinds Orion commonly has access to certain admin credentials that make it possible to move laterally.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n

      The Supply Chain Risk<\/p>\n

      \nThe supply chain risk to both enterprises and government organizations has been discussed in the last few years. The attack on SolarWinds is one of the most powerful examples of the supply chain risk. It joins a list of similar events such as the attack on Target in 2013<\/a>. Supply chain attacks exploit trusted third-parties to enable access to a large number of attack targets in parallel. By using that trust, such as the trust organizations put on SolarWinds software updates, it\u2019s easier to obtain access rather than attacking each target separately and directly.<\/p>\n

      Supply Chain Certification<\/p>\n

      \nThe United States DoD<\/a> (Department of Defense) is one of the government organizations that took far-reaching steps to reduce the supply chain risk. In October 2016, the DoD first issued a supplement to the DFARS regulation, that introduced cyber security requirements for DoD suppliers. In November 2020, only a month before the supply chain attack on SolarWinds, the DoD made another major addition to DFARS. This addition is called CMMC <\/a>or the Cybersecurity Maturity Model Certification<\/a>.\n<\/p>

      \nThe CMMC includes a few non-linear improvements vs. the original DFARS supplement, in multiple categories:<\/p>\n

        \n \t
      1. Third-party certification of suppliers by approved parties (C3PAOs) instead of self-certification.<\/li>\n \t
      2. Certification is mandatory to be able to participate in RFIs and RFPs, meaning that it can affect the supplier\u2019s revenue.<\/li>\n \t
      3. CMMC has a 5-levels maturity model.<\/li>\n \t
      4. There are 154 new requirements out of 171 in CMMC (vs. the original DFARS supplement), and they\u2019re spread across the 5 levels of maturity.<\/li>\n \t
      5. Reporting of compliance status in an online portal. This means that the DoD can monitor compliance of the entire DIB (Defense Industrial Base \u2013 the regulated organizations).<\/li>\n<\/ol>\n

        \nBy introducing CMMC, the DoD conveys a clear message to DoD suppliers: We want you to be secure. And if you\u2019re not secure enough, you cannot work on defense projects. Find another niche that\u2019s less critical. If you want to work with the DoD, these are our requirements.\n<\/p>

        \nThe question is: Should enterprises follow a similar path? Should a supply chain certification model be the standard in enterprise RFIs and RFPs?<\/strong>\n<\/p>\n

        The Pros and Cons of Supply Chain Certification<\/p>\n

        \nThere are a few pros and cons to consider when discussing supply chain certification.<\/p>

        \n\nPros<\/strong>:<\/p>\n