a16z had a great podcast ep. on the SolarWinds hack (props to @smc90)

https://a16z.com/2021/01/31/16mins-solarwinds-hack-teardown-supply-chain-compromise-cloud-security/

Quick thoughts on it:

1) It's worth noting that the SolarWinds build environment was compromised months before the effects of it were discovered. (This is painfully consistent)

1/12
2) Instead of the attackers modifying the SolarWinds source code, they modified the build environment to insert their back door. This may be a nod to the classic "Reflections on Trusting Trust" paper¹, but is more likely because it's stealthier.

2/12
__
¹ https://dl.acm.org/doi/pdf/10.1145/358198.358210
3) @smc90 mentioned goosebumps a few times at the parallels between the attackers' activity and modern dev practices. This is perfectly par. Software -cough- is eating the world and this is just a professional remote software project.

3/12
4) The backdoored software, once deployed, would wait for periods before beaconing to avoid detection. It's worth noting how just slowing down has been used for ages to confound detection (it's why nmap's -T sneaky and -T paranoid have existed forever).

4/12
5) @Volexity tied the attacks together because the attackers used attack-0 & pulled mails to a period, then used attack-1 to pull mails to the new period, then attack-2 to pull mails to current.

Aside from them creating pop3-over-ownage, this has an interesting lesson:

5/12
5b) Attackers have a near unlimited number of entry vectors. These are easy to miss.
They have a near unlimited number of places to hide. These are hard to find.
They have to touch the gold they came for. This is where you are best positioned to observe and detect!

6/12
5c) You often see people scramble in the aftermath of breaches to close down the toe-holds used in incident-1, only to be breached with different toe-holds in incident-2.
What's consistent is the actions on objectives. That's a place to focus/win.

7/12
6) Joel compares the attack to playing chess where you only discover moves later. We have often mentioned the problem of only seeing half the chessboard. This can also be a defender advantage. It's where Canaries shine.

8/12
7) @stevenadair cautions companies to do security right from early on, to protect their AWS root keys.
A corollary:
- Use free https://canarytokens.org
- create 100 AWS keys and strew them around
- get a message when they are used

9/12
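The corollary above, as an added example (not from the thread or from Thinkst): a small detector that assumes you mint your own decoy AWS keys and watch CloudTrail yourself rather than relying on canarytokens.org's hosted alerting. The key IDs, planting locations and CloudTrail-style records below are all constructed for illustration.

```python
import json

# Constructed decoy access key IDs, mapped to where each was planted
# (hypothetical values; real ones come from canarytokens.org or from an
# IAM user you create with no permissions attached).
CANARY_KEY_IDS = {
    "AKIACANARY0000000001": "wiki attachment: vpn-setup.docx",
    "AKIACANARY0000000002": "build host: ~/.aws/credentials",
}

def scan_cloudtrail(jsonl_text, canary_keys=CANARY_KEY_IDS):
    """Return one alert dict per CloudTrail record that used a decoy key.
    Decoy keys have no legitimate caller, so every event counts, even an
    AccessDenied one: someone found the key and tried it."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in canary_keys:
            continue
        alerts.append({
            "key_id": key_id,
            "planted_at": canary_keys[key_id],
            "event_time": rec.get("eventTime", "?"),
            "event_name": rec.get("eventName", "?"),
            "source_ip": rec.get("sourceIPAddress", "?"),
            "user_agent": rec.get("userAgent", "?"),
            "denied": "errorCode" in rec,  # a refused call is still a hit
        })
    return alerts

# Constructed CloudTrail-style records: one legitimate key, two uses of a decoy.
SAMPLE_EVENTS = "\n".join([
    '{"eventTime":"2021-02-01T08:00:00Z","eventName":"DescribeInstances","sourceIPAddress":"10.0.1.20",'
    '"userAgent":"aws-cli/2.1.0","userIdentity":{"accessKeyId":"AKIALEGIT000000000001"}}',
    '{"eventTime":"2021-02-01T08:05:12Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.77",'
    '"userAgent":"aws-cli/1.18.0","userIdentity":{"accessKeyId":"AKIACANARY0000000002"}}',
    '{"eventTime":"2021-02-01T08:05:40Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.77",'
    '"userAgent":"Boto3/1.17.0","errorCode":"AccessDenied","userIdentity":{"accessKeyId":"AKIACANARY0000000002"}}',
])

if __name__ == "__main__":
    for a in scan_cloudtrail(SAMPLE_EVENTS):
        print(f"[CANARY] {a['key_id']} (planted: {a['planted_at']}) used from "
              f"{a['source_ip']} via {a['user_agent']}: {a['event_name']} denied={a['denied']}")
```

The planting location is what turns an alert into a lead: it tells you which share, host or document the attacker already had access to.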
8) Joel (rightly) questions the value of 3rd party risk surveys. This is infosec's contribution to Goodhart's Law (when a measure becomes a target, it ceases to be a good measure). Figuring out how to measure the risk introduced by vendors is an open problem.

10/12
9) My biggest gripe with reporting on this is that we discuss the fall-out & ripples in terms of the networks & infrastructure that SolarWinds touched.

This is scary, but actually understates the problem.

The problem is that every enterprise has hundreds of SolarWinds.

11/12
10) All of this, of course, is why we build and run @ThinkstCanary - No matter what the entry vector is, attackers gonna attack.. You drop Canaries in minutes, and then KNOW when your coffee-pot (or Orion-Server) is touching assets it shouldn't.

12/12
You can follow @haroonmeer.