Insights Mar 04, 2021

Solarwinds: Part Three


Continuation of the Solarwinds series: The Story of Espionage and Exfiltration and Breaking Down the Hack

What Does This Mean?

Offensive cyber weapons, including advanced persistent threats (APTs) and exfiltration-and-espionage (E2) operations like Sunburst, are harbingers of the current age of cyber warfare. Cyber warfare is fast becoming the preferred domain for projecting state power in the 21st century. As David Sanger [3] states, cyber-attack tools offer the "most inexpensive, highly destructive, highly deniable weapons" in a modern arsenal. Like insurgent tactics and terrorism, cyber warfare is asymmetric: it favors a less-networked society attacking a more-networked one. Open societies such as the United States will therefore always have more attack surface to defend, or, as Dr. Michael Sulmeyer [4] puts it, "We live in the glassiest of the glass houses."

The United States government is in the early stages of updating the policies and operations that enable more fluid collaboration between the federal government, the commercial technology sector, and the traditional national security and defense industrial base. Sunburst and the growing list of ransomware attacks pose a fundamentally different problem from traditional cyberattacks. Instead of attacking US government agencies directly, the attackers compromised a company that supplies software to those agencies and used that trusted software to reach the agencies' networks. State actors have the luxury of patience in long-term exploitation operations like Sunburst, and where one vulnerability is found, organizations must assume others exist; aggressive defenses are paramount. Locating and evicting long-term state-sponsored APTs should become a specialized investigative skill set among America's elite cybersecurity professionals.

Beyond defensive tools to counter cyber-attacks, CISA (in concert with DHS Intelligence & Analysis, the Department of Defense's US Cyber Command, and the commercial and academic cybersecurity research communities) should invest in a strategic forecasting capability to proactively identify malicious actors, emerging technical capabilities, and future attack surfaces. As with intelligence collection and analysis in any other domain, cyber-domain intelligence is drowning in data: "the problem is not getting more data, but in understanding and making sense of the data" for cybersecurity operations staff, CIOs, CTOs, CDOs, and policymakers. Data science and analytics tools, ranging from data visualization and business intelligence tools to more sophisticated process automation and AI/ML-based decision support models, can greatly multiply the efficacy and reach of cybersecurity researchers and intelligence analysts in understanding and anticipating threats before they land. It was FireEye (FEYE) that discovered the hack in December 2020, while investigating the compromise of its own network, not SolarWinds and not the government agencies that had been compromised. This is clear evidence that neither government nor the private sector can defend our networks alone.

We can only do that together: trust is essential.

Lessons Learned
  1. The Sunburst malware is a sign of how cyberwarfare will be fought: Advanced Persistent Threats (APTs) conducting Exfiltration and Espionage (E2).
  2. The cyber domain will be states' preferred channel for projecting state power.
  3. Modern cyber attacks target the software vendors serving US government agencies rather than the agencies' networks directly.
  4. If one cyber security vulnerability is found, assume others exist; hyper-vigilance is key.
  5. Public-private cooperation and trust are critical.
  6. Machines can help analysts sift through threat data more efficiently.


About Ardent Insights

Ardent Insights is a monthly blog series, showcasing ‘actionable intelligence’ on technology- and data-related risks and opportunities facing governments and the constituents they serve, especially in the realms of public safety, disaster management, national security, law enforcement, public health, and smart/resilient infrastructure and systems.

Ardent Insights is a collective effort of the Ardent Data Science and Analytics Practice at ArdentMC, LLC. The team is led by Tino Dinh, ArdentMC Principal. This article was written by Andrew Terrell, Sr. Policy Consultant, and Erin Pineda, Business Consultant.

Continue reading the Solarwinds series to discover how this attack happened and what can be learned.