Attorney At Work recently featured Sensei’s Sharon Nelson and John Simek’s article entitled “Lessons for Law Firms from the SolarWinds Breach”.
Described by many as perhaps the worst data breach ever, the compromise of the SolarWinds Orion platform reached approximately 18,000 public- and private-sector customers who installed the trojanized update, according to the Cyber Unified Coordination Group (UCG). The UCG also noted that a much smaller number of those customers saw follow-on intrusion activity, and that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is most likely responsible for the SolarWinds hack. As the investigation continues, we are learning more and more details about the attack and those affected.
So what is SolarWinds Orion, and what is it used for? Essentially, SolarWinds Orion is a network monitoring and management tool. IT personnel use it as a single dashboard for administering various parts of the network, including the infrastructure and applications. That is also what made it such an attractive target: it runs with broad, privileged access to the very systems it monitors.
In early December, cybersecurity firm FireEye disclosed that its own systems had been compromised and that the attackers had stolen its Red Team tools, the toolkit FireEye uses to simulate attacks for its clients. While FireEye was investigating how its systems were pierced, it traced the intrusion to a backdoor, which it named SUNBURST, hidden inside a digitally signed SolarWinds Orion update. We now know that the backdoored updates had been distributed for months, giving the attackers undetected access to the networks that installed them.
So what led FireEye to even think they were compromised? Nobody called FireEye and said, “Knock, knock. I’m in your network.” FireEye CEO Kevin Mandia said the first clue to the massive attack was what is called a severity-zero alert. “In this particular case, the event that got briefed to me and got us to escalate and declare this a full-blown incident was somebody was accessing our network just like we do, but they were doing it with a second registered device.” They contacted the employee associated with the account and confirmed that they did not register a second phone. That is a clear indication that the attacker already had the employee’s username and password: if enrolling a new authenticator requires nothing more than the password, an attacker can register their own device and satisfy two-factor authentication without ever touching the employee’s phone. As Mandia further stated, “We had somebody bypassing our two-factor authentication by registering a new device and accessing our network just like our employees do, but it actually wasn’t our employee.”
How many of us have systems in place to issue an alert when a second device is registered to an account, and to check with the employee before that device is trusted? Make that lesson one.
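The check that caught the FireEye intrusion can be expressed as a simple rule over authentication logs: alert whenever a multi-factor device is enrolled on an account that already has one, and note whether the enrollment came from an address the account has used before. The following is an added example written for this page, not code from FireEye, SolarWinds or the article's authors; the log line format and event names are a hypothetical schema, and the sample events are constructed to illustrate the pattern.

```python
"""Flag MFA device enrollments that add a second (or later) device to an account.

Hypothetical JSON-lines log schema (constructed for this example, not a vendor format):
  ts                  ISO-8601 timestamp
  event               "mfa_device_registered" or "login_success"
  user, device_id     account and the authenticator involved
  src_ip              client address the request came from
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events: jdoe enrols a phone, logs in normally, then a second
# phone is enrolled from an address never seen for that account and is used to log in.
SAMPLE_LOG = """
{"ts": "2020-11-30T08:12:01Z", "event": "mfa_device_registered", "user": "jdoe", "device_id": "phone-A", "src_ip": "203.0.113.10"}
{"ts": "2020-12-01T09:00:05Z", "event": "login_success", "user": "jdoe", "device_id": "phone-A", "src_ip": "203.0.113.10"}
{"ts": "2020-12-02T02:43:50Z", "event": "login_success", "user": "jdoe", "device_id": "phone-B", "src_ip": "198.51.100.77"}
{"ts": "2020-12-02T02:41:17Z", "event": "mfa_device_registered", "user": "jdoe", "device_id": "phone-B", "src_ip": "198.51.100.77"}
{"ts": "2020-12-02T10:05:00Z", "event": "mfa_device_registered", "user": "asmith", "device_id": "phone-C", "src_ip": "203.0.113.22"}
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    new_device: str
    existing_devices: tuple
    src_ip: str
    ip_seen_before: bool


def parse_events(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_additional_mfa_devices(events):
    """Return one Alert per MFA enrollment on an account that already had a device.

    Events are processed in timestamp order so that an enrollment logged after a
    login that used the same device is still evaluated first.  ISO-8601 UTC
    timestamps sort correctly as strings.
    """
    devices = defaultdict(list)    # user -> device_ids in enrollment order
    known_ips = defaultdict(set)   # user -> addresses seen on prior logins/enrollments
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ip = ev["user"], ev["src_ip"]
        if ev["event"] == "mfa_device_registered":
            existing = tuple(devices[user])
            if existing:
                # Second (or later) device on the account: the FireEye signal.
                alerts.append(Alert(ev["ts"], user, ev["device_id"], existing,
                                    ip, ip in known_ips[user]))
            devices[user].append(ev["device_id"])
            known_ips[user].add(ip)
        elif ev["event"] == "login_success":
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for a in detect_additional_mfa_devices(parse_events(SAMPLE_LOG)):
        where = "known address" if a.ip_seen_before else "NEW address"
        print(f"{a.ts} {a.user}: enrolled {a.new_device} alongside "
              f"{', '.join(a.existing_devices)} from {a.src_ip} ({where})")
```

Run against the constructed log, the rule raises exactly one alert, for jdoe's second phone, and marks it as coming from an address the account had never used. The first enrollment for each user is deliberately not alerted on; the point is to catch additions to an account that is already enrolled, which is the case FireEye described. In practice this rule would feed a ticket that a human confirms with the employee, as FireEye did, and the enrollment flow itself should require an existing factor before a new one can be added.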