SolarWinds, NHS and Education
CyberUK 2021, the annual event that brings together cybersecurity experts from across government and industry has recently wrapped up. As with many events this year, it had moved online but the content remained very high quality. Recordings of all the presentations and panels are available on a dedicated YouTube channel.
I managed to catch many of the sessions both live and on-demand and I thought I'd summarise a few of the highlights.
SolarWinds - Security by Design
Part of the opening plenary (Opening Plenary) included Sudhakar Ramakrishna, SolarWinds President and CEO. He joined the company in January 2021 at the height of the well publicised attack that, in turn, could affect a vast array of potential customers and partners around the world.
The attacker, thought to be based in Russia, used a very sophisticated attack that planted malware in their software build systems. The attack infected the built product which became a potential backdoor into SolarWinds' customers' systems. Their tracks very well covered and SolarWinds say that any company that builds software could have been attacked in a similar way.
The SolarWinds response has been wide-ranging, but the most significant is the adoption of "Secure by Design." This approach includes three main parts:
- Infrastructure Security including Least Privilege access, better threat hunting, giving CISO more autonomy on how they test/attack their own systems.
- Build products in 3 different environments in parallel to prove the integrity of build outputs.
- Continually evolve software development lifecycle and "shift-left" security. Every designer and development embed security in everything they do.
That infrastructure element is perhaps foundational to almost everything else. Ensuring all users and systems only have the absolutely least privileged access needed to do a job is critical. After all, it is that access that grants permissions to DevOps engineers and others to update the build and test systems and configurations.
A main theme of the event was "resilience." There were two drivers for the theme: coping with COVID-19 and protecting against the rising wave of ransomware attacks.
"The NCSC also handled more than three times as many incidents as last year" - NCSC Annual Review 2020.
Bringing the two themes together, attacks have largely moved to exposed remote access (e.g., via RDP), especially during the pandemic work-at-home, rather than phishing emails and spreadsheets carrying dangerous embedded scripts.
One session included an excellent walkthrough of how ransomware typically strikes. It highlighted the growing trend for ransomware to be a two-part attack: encrypt data and extract data to be held for sale or later ransom. As if to prove the threat, it's just happened to the Irish Health Service. There seems to be some good news in that the attackers have offered to remove the encryption of data, but (at the time of writing), they are still holding out the threat to publish or sell the data they've already stolen.
The overview also shows how attacks move laterally around organizations looking for user accounts that can escalate their privilege levels and keep searching until it finds a "golden key" - the Domain Admin account. Once the attackers have access to the Domain Controller, the network "is effectively lost". The attack goes on to install backdoors to exfiltrate data, delete the backups and file servers, which might have been used for recovery, well before going live.
Because the attack is running as an administrator, it can use standard tools like SCCM to deploy and install the malware on all the organization's devices without causing alarm. Osirium CTO, Andy Harris wrote about this recently and how to mitigate against the threat. Ransomware: Understanding the threat and blocking lateral movement.
Again, least privileged access is critical to prevent attackers elevating account privilege and getting access to valuable IT systems and backups. On the subject of backups, it's critical that a level of backups is always maintained offline to prevent the malware infecting the recovery data, and those backups to be kept very fresh to minimize loss when restored.
Education and Healthcare
Particular attention was drawn to the Education and Healthcare sectors. Healthcare was the victim of the first major ransomware attack with WannaCry in2017 and the NHS has done remarkable work in becoming more resilient before the next attack.
Education is starting to see more attacks and is rapidly learning from the NHS. And the solutions are much the same: keep systems up to date, manage backups, and manage privileged access.
Increasingly both sectors are also focusing attention on the lessons learned at SolarWinds - the supply chain is a major source of vulnerability. Vendors, third-party partners and remote workers all have similar challenges and risks (also discussed in another recent blog: Supply Chain Threats, Buffalo Jumps And The Simple Things That Count For MSPs.
If you’d like to discuss any of the topics raised at CyberUK 2021, please get in touch.