As I noted in a prior post, the recent state-sponsored cyber incident carried out through an attack on SolarWinds has a number of important implications. As noted in the following guest post from Paul Ferrillo, the incident could also have important implications for the cyber insurance marketplace. Paul is a partner in the McDermott, Will & Emery law firm. I would like to thank Paul for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
******************************
Not since Petya/NotPetya have we seen the press so active as in its reporting on the alleged Russian hack involving network management software company Solarwinds. There are new revelations every day regarding new companies or government agencies that were hacked or breached as a result of the attack. Hardly a day goes by, too, without cyber commentators, reflecting on the cybersecurity postures of public companies, asking “what else should they be considering to protect their networks and their data?” Finally, others in the ecosystem wonder how cybersecurity insurers, who tend to be on the front lines of any existential cybersecurity crisis (like ransomware), will react to the potential for even more claims (especially given Solarwinds’ nine-month attack timeline from start to finish) as a result of the Solarwinds breach. We answer these questions, and more, below.
The events of Solarwinds — The Impact on Government
In speaking with various market participants, it is clear that Solarwinds has struck the “fear” chord among many. Indeed, one commentator recently wrote:
In March of 2020, Americans began to realize that the coronavirus was deadly and going to be a real problem. What no Americans knew then was that at about the same time, the Russian government’s hack of SolarWinds’s proprietary software Orion network monitoring program was destroying the security of top American government agencies and tech companies. There were no explosions, no deaths, but it was the Pearl Harbor of American IT. Russia, we now know, used SolarWinds’ hacked program to infiltrate at least 18,000 government and private networks. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents. The Russians may even have the crown-jewels of Microsoft software stack: Windows and Office[i].
Though the list of “known” companies that have been hacked is presently small, the list of government agencies that have been hacked grows daily. This list includes the Department of State; Department of Homeland Security; National Institutes of Health; the Pentagon; Department of the Treasury; the Department of Justice; the Federal court system; Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration. Id.
Here is a question worth asking: Why wasn’t the Solarwinds breach found sooner by the Cybersecurity and Infrastructure Security Agency (“CISA”), the agency responsible for watching over the cybersecurity of government agencies? The Washington Post said it best:
The hackers also shrewdly used novel bits of malicious code that apparently evaded the U.S. government’s multibillion-dollar detection system, Einstein, which focuses on finding new uses of known malware and also detecting connections to parts of the Internet used in previous hacks.
But Einstein, operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), was not equipped to find novel malware or Internet connections, despite a 2018 report from the Government Accountability Office suggesting that building such capability might be a wise investment.
CISA spokeswoman Sara Sendek said the breaches stretch back to March and were not caught by any intrusion detection or prevention system. As soon as CISA received indicators of the activity it loaded them into Einstein to help identify breaches on agency networks.[ii]
Said differently, Einstein acts more like a firewall and reacts only to “known digital signatures” (e.g. known malware) that its system is primed and educated to detect. Einstein does not work like a machine learning anomaly detection device. But maybe, ultimately, it should. One commentator noted about Einstein:
The system is signature-based and can detect malicious behaviors, or signatures, but only previously known patterns of malicious traffic. While it does scan email for potentially malicious activity, the system is “limited” and cannot detect “threats embedded in certain types of network traffic” – not malicious content in the cloud or web traffic. It is also limited in regards to detecting advanced persistent threats (APTs) by nation-state cyber-espionage hackers, although “the overall intent of the system was to protect against nation-state level threat actors.”[iii]
Machine Learning Anomaly Detection Solutions — and the Supply Chain
Obviously conventional wisdom, when it comes to nation-state attacks, dictates that this type of attack is probably more sophisticated than an ordinary cyber criminal attack using known digital signatures. Therefore Einstein, acting more like a firewall, is vulnerable to being lulled to sleep while the Bear ravages a government or a private network. But aren’t there more sophisticated intrusion detection devices or solutions that act on the mere “suspicion” of wrongdoing? Yes, indeed, there are such devices, and companies should be thinking about them today.
There are things called machine learning anomaly detection devices. “Anomaly detection is simply the mode of detecting and identifying anomalous data in any data-based event or observation that differs majorly from the rest of the data. Anomalous data can be critical in detecting a rare data pattern or potential problem in the form of financial frauds, medical conditions, or even malfunctioning equipment.”[iv] In cybersecurity, “machine learning uses algorithms born of previous datasets and statistical analysis to make assumptions about a computer’s behavior. The computer can then adjust its actions — and even perform functions for which it hasn’t been explicitly programmed. … With its ability to sort through millions of files and identify potentially hazardous ones, machine learning is increasingly being used to uncover threats and automatically squash them before they can wreak havoc.” See “Machine Learning Cybersecurity: how it works,” available at https://builtin.com/artificial-intelligence/machine-learning-cybersecurity.
Said in non-tech speak, machine learning looks for the needle in the haystack. It looks for something “weird”, something anomalous. For instance, there might be activity at random times during the day that indicates data downloads. There might be activity at the same time each day that indicates data downloads BUT by people who are not in your office or any office location.
Machine learning looks for “something different,” that might indicate a problem that should be checked out. Not everything will be a problem. But something could be, and would merit a follow up investigation. Data can tell a story. A lot of data tells lots of stories depending upon how it is looked at. Machine learning can help determine whether those stories are fiction or fact; they could indicate a Labrador sleeping peacefully at your feet, or a sleeping bear rising from his slumber very hungry for your data. There are many machine learning solutions in existence today that can potentially act as protection from the next nation-state attack. They should be considered as we rethink cybersecurity after Solarwinds.
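The contrast drawn in this section, as an added example that is not part of the original article: a signature check of the kind attributed to Einstein, next to a simple per-user statistical baseline standing in for a machine-learning model. All users, locations, hashes and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, stdev

# All data below is constructed for illustration (assumed names and values).
KNOWN_BAD_HASHES = {"bad-0001", "bad-0002"}  # signature blocklist
OFFICE_LOCATIONS = {"NYC", "CHI"}
# Event layout: (user, hour_of_day, location, megabytes, file_hash)
BASELINE = [("alice", 9, "NYC", 40, "f01"), ("alice", 10, "NYC", 55, "f02"),
            ("alice", 14, "NYC", 48, "f03"), ("alice", 16, "NYC", 60, "f04"),
            ("bob", 8, "CHI", 20, "f05"), ("bob", 11, "CHI", 25, "f06"),
            ("bob", 13, "CHI", 18, "f07"), ("bob", 15, "CHI", 22, "f08")]
TODAY = [("alice", 11, "NYC", 52, "f09"),     # ordinary download
         ("bob", 12, "CHI", 21, "bad-0001"),  # known malware: signature hit
         ("alice", 3, "NYC", 900, "f10"),     # novel file, 3 a.m., huge transfer
         ("bob", 13, "LIS", 24, "f11")]       # usual time, but not from an office

def signature_alerts(events):
    """Signature matching: flags only hashes already on the blocklist."""
    return [e for e in events if e[4] in KNOWN_BAD_HASHES]

def build_profiles(baseline):
    """Per-user baseline: (earliest hour, latest hour, mean MB, stdev MB)."""
    rows = defaultdict(list)
    for user, hour, _loc, mb, _hash in baseline:
        rows[user].append((hour, mb))
    return {u: (min(h for h, _ in r), max(h for h, _ in r),
                mean([m for _, m in r]), stdev([m for _, m in r]))
            for u, r in rows.items()}

def anomaly_alerts(events, profiles, z_limit=3.0):
    """Flag events that deviate from the user's own history, with reasons."""
    alerts = []
    for event in events:
        user, hour, loc, mb, _hash = event
        if user not in profiles:  # nothing to compare against: review manually
            alerts.append((event, ["no baseline for user"]))
            continue
        lo, hi, mu, sd = profiles[user]
        reasons = []
        if not lo - 1 <= hour <= hi + 1:
            reasons.append("unusual hour")
        if loc not in OFFICE_LOCATIONS:
            reasons.append("non-office location")
        if sd and (mb - mu) / sd > z_limit:
            reasons.append("unusual volume")
        if reasons:
            alerts.append((event, reasons))
    return alerts
```

The signature check catches only the blocklisted hash, while the baseline flags the two novel events it misses; the baseline in turn says nothing about the known-bad file delivered during normal activity, so the two approaches complement each other.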
Solarwinds was a “Supply Chain” Attack
Finally, insureds need to be thinking MORE about their supply chain — i.e. who their most important vendors and suppliers are, and what sort of access they have to their network. Some sorts of access might be considered trivial. Some sorts of access, like admin access (when third parties don’t need that sort of access to do their job), could be highly detrimental if misused.
Indeed, Solarwinds was a supply chain attack that dealt with updates to the software management tools that Solarwinds was known to deliver automatically. As noted in a recent SANS article:
The malware was deployed as part of an update from SolarWinds’ own servers and was digitally signed by a valid digital certificate bearing their name. This strongly points to a supply chain attack. The certificate was issued by Symantec with serial number 0fe973752022a606adf2a36e345dc0ed. In this case, they were actually deploying it through SolarWinds own distribution channels. While the certificate needs to be revoked at some point, revoking the certificate now is unlikely to do a whole lot. That’s what makes it difficult to investigate, but this isn’t the first time we’ve seen a state-backed APT targeting software vendors or masquerading as an update to deploy their malware payloads.[v]
What makes the Solarwinds attack difficult is that (1) for the most part entities allowed the updates as part of their normal processes, and (2) the update did not cause a catastrophic network failure or collapse which would have immediately set off bells and whistles (as, e.g., a ransomware attack would). The update apparently lay dormant on the networks for weeks before rearing its ugly head with a Trojan horse package waiting to inflict damage on the network. Indeed, FireEye reported, “After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol …. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”[vi]
Supply Chain risk management really was not much of an issue prior to Petya/NotPetya attacks in 2017, which involved a malicious payload injected into a Ukrainian software package. In 2018 the NIST Cybersecurity Framework was amended into version 1.1 to account for supply chain risk management concerns and how to observe the cybersecurity of company vendors and suppliers. Unfortunately neither NIST Ver. 1.1 nor supply chain risk management has been uniformly adopted by many US Companies.
What are cybersecurity insurers thinking about SolarWinds?
With rates increasing in a very hard market for cybersecurity insurance, this indeed could be the $64,000 question (or more). For cyber insurers, supply chain risk management was already an identified issue. Timely patching and updating were issues too. Now these issues are joined at the hip with Solarwinds. Which issue becomes more “at issue” may depend upon the facts of Solarwinds as they develop.
Certainly there will be more claims as a result of Solarwinds. We are told this already by certain industry followers. Will they be severe claims, given the potential for data exfiltration as seen in some of the government breaches? Maybe. Will the increased claims continue to put upwards pressure on premiums charged by the insurers? Undoubtedly the answer will be YES, most certainly. As with most things in cybersecurity, Solarwinds presents a complex set of facts and questions for the entire cyber ecosystem to think about. And rethink. Only time will tell how Solarwinds will shake out. Stay tuned.
______________________
[i] See “SolarWinds: The more we learn, the worse it looks,” available at https://www.zdnet.com/article/solarwinds-the-more-we-learn-the-worse-it-looks/.
[ii] See “The U.S. government spent billions on a system for detecting hacks. The Russians outsmarted it.,” available at https://www.washingtonpost.com/national-security/ruusian-hackers-outsmarted-us-defenses/2020/12/15/3deed840-3f11-11eb-9453-fc36ba051781_story.html
[iii] See “DHS EINSTEIN firewall fails to detect 94% of threats, doesn’t monitor web traffic”, available at https://www.csoonline.com/article/3030028/dhs-einstein-firewall-fails-to-detect-94-of-threats-doesnt-monitor-web-traffic.html (Also stating, “the Department of Homeland Security’s $6 billion EINSTEIN intrusion detection system is closer to dumb than smart, as the firewall fails to scan for 94% of common security vulnerabilities; it doesn’t even monitor web traffic for malicious content! That is supposed to be coming in 2016, with wireless network protection coming in 2018.”).
[iv] See “How Machine Learning can enable anomaly detection,” available at https://medium.com/datadriveninvestor/how-machine-learning-can-enable-anomaly-detection-eed9286c5306
[v] See “What you need to know about the SolarWinds Supply Chain attack,” available at https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/ (Emphasis Supplied).
[vi] See “Highly Evasive Attacker Leverages SolarWinds Supply Chain”, available at https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html