The Key Lessons from the SolarWinds Orion Breach


What are the key lessons from the SolarWinds Orion Breach currently dominating cybersecurity conversations? 

We speak with no hyperbole when we say the SolarWinds Orion Breach may prove the definitive cyber-attack of 2020. In fact, it may become the most consequential breach since the Equifax hack in terms of impact and notoriety. But what exactly happened? And why does it matter to your cybersecurity posture in the coming year?

What is the SolarWinds Orion Breach? 

SolarWinds Orion provides centralized monitoring of organizational networks, which also makes it a platform for managing threat detection. It had about 33,000 customers at the time the breach was disclosed.

According to multiple cybersecurity sources, including FireEye and Microsoft, a hacking group infiltrated the SolarWinds Orion software with malware and then escalated its privileges. With those privileges, the attackers established a backdoor in Orion, which let them ship a malicious update that gave them visibility into, and freedom of movement across, victims' networks.

At the time of writing, at least 18,000 organizations are believed to have downloaded the malicious update and were therefore exposed by the SolarWinds Orion Breach. Because the breach appears to have begun in March, the attackers had months in which to steal data from compromised email, databases, and more.

In addition to multiple corporations, cybersecurity providers such as FireEye and multiple U.S. government departments were hit. As a result, the SolarWinds breach may end up as the largest cyber-breach of the U.S. government in years.

What Does This Breach Mean? 

Research indicates this breach was likely the work of a nation-state-sponsored group, with affiliation to the Russian government suspected. The United States government has made no definitive statement about the perpetrators, but this kind of “supply chain” attack is a signature of several Russian hacking groups.

In a practical sense, however, who conducted the breach does not matter to your business. What matters is the breach's practical implications.

First, you absolutely need a secure SIEM solution that stays current with the threat landscape. You may feel reluctant to trust a central monitoring solution in the wake of this breach, but your organization still needs cybersecurity; going without can leave your business even more exposed.

Additionally, if you are seeking a new provider, look for one that specializes in defending against nation-state attacks. The breach suggests that nation-states will increasingly shift military resources into the cyber realm, which has fewer rules of engagement. Civilians, including you, may end up in the crossfire.

Second, watch for updates from your current cybersecurity provider, if you use one. The SolarWinds Orion Breach will most likely motivate other providers to look harder for vulnerabilities and backdoors in their own products and close them before attackers find them.

Yet you should also confirm that any such communication genuinely comes from your provider. Phishing campaigns feed on chaos (as the scores of COVID-19-themed attacks showed), and this breach supplies exactly that. Always verify the authenticity of a message before following its instructions.
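As an added illustration (not code from this article, from SolarWinds, or from any vendor mentioned here), this is what “verify before you follow instructions” looks like when the instruction is a software update rather than an email. The scenario is constructed: a hypothetical vendor publishes a small signed manifest naming the product, version and SHA-256 of each package; the customer obtains the vendor's public key out of band, pins it, and refuses any update whose manifest signature or package digest does not check out. The product name, version strings and the generated key are all made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update notice a vendor might publish alongside a
// package: it names the product and version and pins the package's SHA-256.
type Manifest struct {
	Product string
	Version string
	SHA256  string // lowercase hex digest of the package bytes
}

// Encode returns the canonical bytes that get signed. Fields are separated by
// newlines so that changing any one of them invalidates the signature.
func (m Manifest) Encode() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("package digest does not match the signed manifest")
)

// DigestHex returns the SHA-256 of b as lowercase hex, the form used in Manifest.
func DigestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// GenerateVendorKey stands in for the vendor's signing key (constructed for the
// demo). In a real deployment you never generate this yourself: you obtain the
// public half out of band, not from the same e-mail or download that carries
// the update, and pin it in configuration.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest is the vendor-side step: sign the canonical manifest bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the customer-side check. It refuses the update unless
//  1. the manifest carries a valid signature from the pinned vendor key, and
//  2. the package bytes hash to the digest that signed manifest names.
// Checking the signature first means a spoofed notice is rejected before any
// trust is placed in the digest it contains.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig []byte, pkg []byte) error {
	if !ed25519.Verify(pinned, m.Encode(), sig) {
		return ErrBadSignature
	}
	if DigestHex(pkg) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed scenario: vendor key, product, version and payload are made up.
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed update payload v1.0.1")
	m := Manifest{Product: "ExampleMonitor", Version: "1.0.1", SHA256: DigestHex(pkg)}
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, pkg))

	// Package altered after the manifest was signed (e.g. swapped in transit).
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0xff
	fmt.Println("tampered package:", VerifyUpdate(pub, m, sig, tampered))

	// Notice edited to point at a different version: the signature no longer matches.
	forged := m
	forged.Version = "1.0.2"
	fmt.Println("forged notice:", VerifyUpdate(pub, forged, sig, pkg))

	// Notice signed by some key other than the one we pinned.
	otherPub, _, _ := GenerateVendorKey()
	fmt.Println("wrong signer:", VerifyUpdate(otherPub, m, sig, pkg))
}
```

Run it with `go run` and the four cases print a nil error, a digest mismatch, and two signature failures. One caveat matters for this particular breach: the trojanized Orion update carried SolarWinds' own legitimate code signature, so a check like this catches a package swapped in transit or a spoofed notice, but not an update that was poisoned before the vendor signed it. That is why the article's first lesson, monitoring that stays current with the threat landscape, has to sit alongside integrity checks rather than replace them.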

You can learn more in our SIEM Buyer’s Guide.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.