Could the SolarWinds attack have been avoided?

Tom Badders
January 6, 2021 • 5 min read

SolarWinds is a billion-dollar company with over 2,700 employees providing IT solutions including application software, enterprise software, and software as a service. Its customers include large companies such as Cisco, Microsoft, VMware, and FireEye as well as government agencies such as the U.S. Department of Energy, the U.S. Commerce Department, and the U.S. Treasury, among others.

Largely unknown beyond IT circles, the company was suddenly thrust into public view near the end of 2020 when it was discovered that a persistent cyber intrusion had weaponized patch updates, affecting about 18,000 of these companies and government agencies.

While national cybersecurity experts and the White House debate who actually committed this crime, SolarWinds has yet to assign blame, stating in an SEC filing that, “While security professionals and other experts have attributed the attack to an outside nation-state, we have not independently verified the identity of the attackers.”

Just as important as the question of “who” is the question of how this attack was perpetrated.

SolarWinds’ Orion software product monitors the health of IT systems and lets IT professionals see what’s happening on their networks.  Hackers got into the system that SolarWinds uses to build and send out patches and updates, and weaponized these updates with malware.  When 18,000 companies and agencies installed the updates distributed in March and June of 2020, the malware infected their networks and all computers tied to them.

These organizations have capabilities intended to ensure malware does not get into their networks, such as the federal government’s EINSTEIN automated intrusion detection system. However, a sophisticated supply chain attack such as this infects software as it is being assembled. The unique approach this adversary used embedded malware into “approved” software, so it got through.

With this background, the next question is, could such a breach have been avoided?

Focusing on edge and endpoint security isn’t enough.

New network security technologies are being developed and deployed in attempts to eliminate, or at least lessen the impact of, cyber attacks.  Many of these technologies focus on securing the network edges and the endpoints.

However, the world is connected through the internet and security products that focus only on the edge and endpoints are no longer enough.  Emerging network security capabilities are focusing on the internet itself, actually hiding critical network resources so that cyber adversaries don’t even know they exist – they can’t see them.

With this new type of network security capability in mind, let’s replay the scenario.  Software companies continually enhance the security, reliability, and performance of their products and enhance capabilities through updates that they develop and push out to their customers on a regular basis.  If patch development and update systems were hidden from the public internet, cyber adversaries could not get to them in order to infect them.  Further, if the patch issuance system were hidden and customers were part of a hidden private enclave, cyber adversaries wouldn’t even see the patch update activity, protecting it from attack.

You can’t exploit what you can’t see.

Fiction?  Not so.  Virtual obfuscation networks are providing such capabilities today. A virtual obfuscation network enables internet communications in total privacy, hiding the source and destination of the data, as well as encrypting data in transit.  Some virtual obfuscation networks offer a managed service that cloaks network resources such as servers and applications, which completely hides the resources from being seen on the public internet.

Suppose a software company used this virtual obfuscation network.  How would it work?

Say, for example, that a software product development team, spread across various remote locations, performed their work on a centralized development server, or worked on their individual systems and uploaded changes to a centralized server. A virtual obfuscation network would route each connection from the public internet to this central server through a number of virtual network nodes, varying the pathways and stripping source and destination IP addresses, so that the team's communications and presence on the internet are invisible. This would protect the developers as well as the central repository from attack, because cyber adversaries would not be able to see the activity, or even that the developers and the server exist.

When it came time to push the updates to their customers, the company could include with their service a private exit from the obfuscation network.  This would provide a virtually obfuscated path between the update server and the customer’s system, eliminating attack surfaces on the public internet.

It’s impossible to prevent all breaches and cyber attacks, especially when novel techniques are used as was the case in the SolarWinds breach.  But the ability to hide critical software assets from cyber adversaries is a significant advantage when dealing with advanced persistent threats. Telos Ghost® is a virtual obfuscation network that hides network resources, eliminates source and destination IP addresses from the user device to the exit of the network, provides multiple layers of data encryption in transit, and eliminates attack surfaces while using the internet.

You can learn more about how Telos Ghost can protect the software supply chain and other vital enterprise assets in the digital realm by visiting our website.  You can also contact us for a demonstration of its remarkable capabilities and a confidential conversation about how Telos Ghost can protect your organization’s people, information, and communications.

Tom Badders
Senior Product Manager
Tom Badders is a Senior Product Manager at Telos Corporation.