Candan Bolukbas, CTO & Co-Founder; Chris Bush, Chief Customer Officer; Bob Maley, CSO, Black Kite

Defined as a “slowly emerging, obvious threat that is ignored or minimized by decision makers,”[1] a gray rhino is recognized, while the potential impact of the event itself is dismissed.

A black swan, on the other hand, describes an event that comes as a surprise, has large-scale impact, and may be rationalized after the fact as being predictable because data signals were available but unaccounted for in risk mitigation programs.[2]

In most cases, it’s clear whether an event should be classified as a gray rhino or a black swan. Instances such as the recent attack on SolarWinds, however, blur the line.

The SolarWinds Breach: Gray Rhino or Black Swan?

The answer isn’t so black and white. At the center of the attack was SolarWinds’ Orion network management platform, which had backdoor code inserted into one of its signed libraries and shipped to customers as a legitimate update. Once inside an Orion deployment, the attackers were able to forge authentication tokens, allowing them to impersonate an organization’s existing users. To make matters worse, accounts and directory settings were altered to facilitate long-term persistence.[3]

Far more sophisticated than traditional attacks, the SolarWinds breach was built on the predominant method hackers leverage to infiltrate larger organizations—targeting the weakest links in supply chains.[4]

By attacking the “weakest link”, a hacker can gain access to an entire company without targeting it directly. Defending against this method requires understanding the difference between a score and a signal.

Scores Versus Signals

When potential impact factors are neglected or ignored, a cyber risk score can quickly become noise rather than a useful signal. A poor cyber hygiene score, for example, is not evidence that a company has been hacked; treating it as if it were produces deceptive, sometimes misleading, conclusions.

It’s safe to assume that companies that utilize this kind of high-end, enterprise-wide software have a large number of additional third parties. Oftentimes, very few of their vendors have high hygiene scores, adding to the complexities associated with monitoring third-party risk.

Critical vendors vary in their level of impact, which makes quantitative methodologies essential for seeing the full picture. Without a quantitative understanding of probable financial impact, the signal-to-noise ratio stays poor.

As a result, SolarWinds gets lumped in with the rest of an organization’s “critical” vendors and its signals go undetected. The opportunity to pay special attention to signals from such a critical third party was missed because resources were likely allocated elsewhere. If SolarWinds had been identified as a third party with greater financial impact, organizations could have paid special attention to it, improving the signal-to-noise ratio and picking up on the key signals.

Once a target relevant to a hacker’s criteria is located, they gather host information and as much identity-based data as they can, through active and/or passive scanning, to facilitate social engineering attacks. Exposed attack surface such as unpatched software, weak SSL/TLS configuration, lookalike or neglected domains, and websites owned by the potential target is catalogued as well. This reconnaissance leaves signals, and signals are key to knowing when hackers are in the process of malicious activity.

In the case of SolarWinds, there were multiple signals amidst the noise that should have set off alarms, some dating all the way back to 2018, including:

  • SDLC hacker-share results showed multiple exploits, including SQL injection.
  • Credential management was reported as deficient.
  • Related lookalike domains were registered by hackers, mostly from China.

Although none of the above signals clearly indicated when, how, or even if the attack would happen, they did suggest the company’s cyber hygiene was inadequate. For a vendor with access to as much information as SolarWinds, these red flags should have been enough to scale back and examine that network connection.
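The third signal above, lookalike domains registered by someone other than the vendor, is one a third-party risk program can watch for mechanically. The following is an added example, not Black Kite code or tooling: it generates the common typosquat variants of a monitored vendor domain (character omission, repetition, transposition, homoglyph substitution, hyphenation, support/login affixes and TLD swaps), falls back to an edit-distance check for spellings the generator misses, and matches the result against a feed of newly registered domains. The feed, the registrant countries and the homoglyph table are constructed for illustration; a real deployment would read a newly-registered-domains source or zone-file diff.

```python
"""Lookalike-domain signal detection (added example, not Black Kite's code).

Generates common typosquat / lookalike variants of a monitored vendor domain
and matches them against a feed of newly registered domains. The feed below is
constructed for illustration; in practice it would come from a
newly-registered-domains source or a zone-file diff.
"""

# Single-character look-alikes commonly used in phishing domains (assumed table).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "w": "vv", "m": "rn", "d": "cl"}
# TLDs to check for the name and each variant.
TLDS = ("com", "net", "org", "co", "io", "cn")
# Suffixes attackers attach to look like a support or login portal.
AFFIXES = ("support", "login", "update", "portal", "secure")


def name_variants(name):
    """Return lookalike spellings of a bare second-level label, including itself."""
    out = {name}
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])               # omission: solarwnds
        out.add(name[:i] + name[i] + name[i:])         # repetition: solarwiinds
        if name[i] in HOMOGLYPHS:                      # homoglyph: s0larwinds
            out.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for i in range(len(name) - 1):                     # transposition: solarwidns
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(1, len(name)):                      # hyphenation: solar-winds
        out.add(name[:i] + "-" + name[i:])
    for a in AFFIXES:                                  # affix: solarwinds-support
        out.add(f"{name}-{a}")
        out.add(f"{name}{a}")
    return out


def lookalike_domains(domain):
    """All generated lookalikes of `domain` across TLDS, excluding `domain` itself."""
    name = domain.lower().rpartition(".")[0]
    return {f"{v}.{t}" for v in name_variants(name) for t in TLDS} - {domain.lower()}


def edit_distance(a, b):
    """Levenshtein distance; fallback for spellings the generator does not produce."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(domain, feed, max_distance=1):
    """Match a feed of (registered_domain, registrant_country) against `domain`.

    Returns (registered_domain, country, reason) tuples in feed order; reason is
    'generated' for a generated variant and 'distance' when only the
    edit-distance fallback caught it.
    """
    generated = lookalike_domains(domain)
    target = domain.lower()
    target_name = target.rpartition(".")[0]
    hits = []
    for reg, country in feed:
        reg = reg.lower()
        if reg in generated:
            hits.append((reg, country, "generated"))
        elif reg != target and edit_distance(reg.rpartition(".")[0], target_name) <= max_distance:
            hits.append((reg, country, "distance"))
    return hits


def country_breakdown(hits):
    """Count hits per registrant country; skew toward one country is itself a signal."""
    counts = {}
    for _, country, _ in hits:
        counts[country] = counts.get(country, 0) + 1
    return counts


# Constructed sample feed (not real registration data).
SAMPLE_FEED = [
    ("solarwnds.com", "CN"),
    ("s0larwinds.net", "CN"),
    ("solarwinds-support.com", "CN"),
    ("solarwinds.io", "US"),
    ("polarwinds.org", "CN"),
    ("sunnywinds.com", "US"),
    ("solarwinds.com", "US"),   # the vendor's own domain is never a hit
]

if __name__ == "__main__":
    found = find_lookalikes("solarwinds.com", SAMPLE_FEED)
    for reg, country, reason in found:
        print(f"{reg:28} {country}  ({reason})")
    print("by country:", country_breakdown(found))
```

The generator is deliberately narrow so that each hit carries a reason a reviewer can verify; the edit-distance fallback catches single-letter swaps such as `polarwinds.org` that no pattern produces, at the cost of more noise on short names. Raising `max_distance` above 1 on a ten-character label will flag unrelated domains, which is exactly the score-versus-signal trade-off the text describes.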

Compliance Does Not Equal Security

Yet, from the risk manager’s perspective, SolarWinds had all the right compliance documentation. The audits, certifications and statements were all there— why dig deeper?

Organizations relied on the ‘gold standard’ for cybersecurity, which resulted in pluralistic ignorance. Despite what their data was telling them, they depended on each other to confirm what was happening.

“At some point most organizations, particularly larger ones, commit a sin that brings forth a swift and painful outcome. That sin is complacency, which reflects a high level of self-satisfaction with the status quo, often with an unawareness of actual dangers or deficiencies. A lack of urgency leads these organizations to ignore the subject until it is far too late.”[5]

Going through compliance mechanisms does not mean you are procedurally or technically secure. Instead, it only shows a validation of a control at a point in time. Not only do people make the mistake of relying on external validation, they also assume compliance equals security.

The Verdict

The SolarWinds event isn’t the first time this has happened, and likely won’t be the last. Take Target, for example, which was breached through a third-party vendor’s network access. Although that attack itself was much simpler and less impactful, the fundamentals were eerily similar:

  • The attack was one-to-many: a single compromised vendor gave the adversary a platform into many downstream organizations at once.
  • The attack touched all three CIA factors (Confidentiality, Integrity, Availability)—resulting in potential data theft, code integrity issues and problems with data availability.
  • A compliance-based risk management assessment was used, neglecting to consider the potential impact of a breach at the real-world level.

In both cases, while we’re doubtful they could have been prevented, they could have been detected much sooner. Red flags were missed because the vendors were not given the extraordinary attention warranted by the network exposure that their platforms made accessible to hackers.

These missed signals come back to the basics of management. With so much sophistication in our products, we tend to cut out the human element and neglect to see things holistically. It’s time to shift the conversation around what we look at and how we see it, and that starts with adding relevancy through understanding your vendor relationships.


References

[1] Gray Rhino Event. Shared Assessments Program. https://sharedassessments.org/glossary/?alphabet=g

[2] Black Swan Theory. Wikipedia. https://en.wikipedia.org/wiki/Black_swan_theory

[3] Hackers breached U.S. government agencies via compromised SolarWinds Orion software. December 14, 2020. Help Net Security. https://www.helpnetsecurity.com/2020/12/14/compromised-solarwinds-orion

[4] What Was “Not Surprising” About the Recent Government-Targeted Attacks. December 16, 2020. Black Kite. /what-was-not-surprising-about-the-recent-government-targeted-attacks

[5] Trent, R. Managing Supply Chain Complexity: An Industry White Paper. Supply Chain Risk Management Consortium, Lehigh University. 2018. https://img1.wsimg.com/blobby/go/c2131570-c95a-49fc-b141-ee04b3569baf/downloads/Managing%20Complexity%20WHITE%20PAPER%201.pdf?ver=1607672723884