Who's to Blame for Downstream Ransomware?
In a 60 Minutes interview following the SolarWinds breach, Microsoft president Brad Smith said, "I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen." SolarWinds' Orion network monitoring software was poisoned by hackers before it reached distribution, allowing unfettered access to a bounty of networks. The software travelled downstream to business and government shores, delivering payloads that allowed the hacking group codenamed APT29 (Advanced Persistent Threat 29), aka Cozy Bear, to gain access to tens of thousands of end-users, exposing a clear security deficiency in the high-tech vertical. When Microsoft, the Department of Energy nuclear research labs, the NIH, DHS, the Pentagon, the Treasury, etc., are among those on the victim list, it generates the impetus for renewed and careful consideration of how best to harden network security through regulation and compliance models. For too long, software has been the exposed underbelly through which hackers at large gain access to sensitive networks.
Taking a step back, historically, hackers have targeted end-users to gain access, using a variety of methods such as phishing, malware, and social engineering. But as customer expectations push businesses to digitalize, many have turned to specialized vendors and MSPs, and private sector offensive actors (PSOAs) have evolved more sophisticated methods of taking down bigger game at a larger watering hole. By focusing on critical points in supply chains, hackers are able to gain access to thousands, if not millions, of users at once.
If avoiding cyberthreats is paramount, as it should be given the trends, sensitive networks will have to be securely segmented to mitigate damage while non-business-critical networks maintain their connectivity. However, the solution might not be so obvious, since it requires sensitive networks to disconnect from the internet entirely and revert to LAN infrastructure. But there's a twist: those networks are going to bring the cloud down from the sky and into their datacenters. The NetThunder private cloud platform offers an alternative to organizations that want the automation and collaboration offered by a CSP but have not been able to abandon the security of the air gap, or are unable to deploy one in the first place. This comes with a variety of benefits, namely provable security, but it also lowers TCO by improving the cost-to-performance ratio of hardware and software with on-premises self-hosting.
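The segmentation described above can be checked mechanically rather than trusted on paper. The following is an added example, not code from the original post or from NetThunder: it audits a constructed first-match firewall ruleset against one policy, namely that the business-critical zone has no allow rule to or from any address outside the organisation's internal zones, while the office zone keeps its connectivity. The zone ranges, the rule tuples and the `audit` function are all assumptions made for this illustration.

```python
"""Audit a first-match firewall ruleset against a simple segmentation policy.

Added example with constructed data: hosts in the protected ("sensitive")
zone must have no allow rule that could carry traffic to or from any
address outside the internal zones; other zones are left unrestricted.
"""
from ipaddress import ip_network

# Constructed: internal zones of a hypothetical organisation.
ZONES = {
    "sensitive": ip_network("10.10.0.0/16"),  # business-critical systems
    "office": ip_network("10.20.0.0/16"),     # non-critical user LAN
}

# Constructed rules as (source, destination, action); first match wins.
GOOD_RULES = [
    ("10.10.0.0/16", "10.10.0.0/16", "allow"),  # sensitive <-> sensitive only
    ("10.20.0.0/16", "0.0.0.0/0",    "allow"),  # office keeps full connectivity
    ("0.0.0.0/0",    "0.0.0.0/0",    "deny"),   # default deny
]

BAD_RULES = [
    ("10.10.0.0/16", "0.0.0.0/0",    "allow"),  # sensitive zone gets egress
    ("0.0.0.0/0",    "10.10.0.0/16", "allow"),  # and is reachable from anywhere
    ("0.0.0.0/0",    "0.0.0.0/0",    "deny"),
]


def is_internal(net, zones):
    """True if `net` lies entirely inside one of the internal zones."""
    return any(net.subnet_of(zone) for zone in zones.values())


def audit(rules, zones, protected="sensitive"):
    """Return a list of findings; an empty list means the policy holds.

    The check is deliberately conservative: it flags every allow rule that
    could move traffic between the protected zone and a non-internal
    address, without modelling whether an earlier deny rule shadows it.
    A rule that is shadowed today may become live after a reorder, so it
    is still worth reporting.
    """
    findings = []
    guarded = zones[protected]
    for idx, (src, dst, action) in enumerate(rules):
        if action != "allow":
            continue
        s, d = ip_network(src), ip_network(dst)
        # Egress: protected hosts could talk to something outside the org.
        if s.overlaps(guarded) and not is_internal(d, zones):
            findings.append(f"rule {idx}: egress from {protected} to {dst}")
        # Ingress: something outside the org could reach protected hosts.
        if d.overlaps(guarded) and not is_internal(s, zones):
            findings.append(f"rule {idx}: ingress to {protected} from {src}")
    return findings


if __name__ == "__main__":
    for name, rules in (("GOOD_RULES", GOOD_RULES), ("BAD_RULES", BAD_RULES)):
        result = audit(rules, ZONES)
        print(name, "->", "policy holds" if not result else result)
```

Run against `GOOD_RULES` the audit returns no findings; against `BAD_RULES` it reports both the egress rule and the inbound rule, which is exactly the condition the air-gap argument above wants to make impossible by construction rather than by configuration.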
The supply-chain attack exploited and highlighted the implicit trust of downstream users, exposing security failures and poor data responsibility at these organizations. Viewed through the lens of compliance, the attention on upstream vendors and service companies, in particular those with broad access like Kaseya and SolarWinds, would dictate that the supply chain must be overhauled: the damage is too widespread to tolerate. These two companies were in "good faith compliance," yet they were still able to pass along compromised software. So ultimately, it is the responsibility of the State to protect the economy by hardening compliance regulations and audits, and the responsibility of the high-tech industry to simplify compliance with innovative tech.
As the world grows increasingly interconnected, interdependent, and interoperable, and as more business-critical networks are exposed, the possibility of those networks being accessed can never be ruled out in any reliable or provable way. Deploying NetThunder's autonomous private cloud will ensure that valuable production and compute cycles are protected with the provable security of the air gap.