As the SolarWinds compromise continues to unfold, it has become apparent that organizations are in the midst of an unprecedented cyber intrusion, and it will take months before the full extent of this adversary's access and intent is known. Organizations will experience different impacts to their mission and operations depending on how valuable their mission data is to the adversary. Because this intrusion is highly sophisticated, stealthy, and extensive, there is much discussion of rebuilding compromised assets to eradicate the adversary. The initial intrusion occurred through a software supply chain compromise of the SolarWinds Orion product line. Because that network management tool is so pervasive, the scale of the compromise of data and systems is not yet known, but the potential impact to your organization could be consequential. Given the widespread use of this product, your organization is most likely affected in some way.
As a leader, you need a clear understanding of the risks your organization may face in the months ahead and the actions you should consider taking. Below we outline two high-level actions to consider: the first identifies the possible impact, and the second lays the groundwork for rebuilding a robust and cyber-resilient environment. Simply replicating legacy architectures and approaches will only recreate the risk that has just been exploited, so this approach addresses both recovery and rebuild.
Action – Evaluate Your Cyber Hygiene Practices
Even if this incident has not affected you directly because you do not use SolarWinds, it is crucial to determine whether your partners and vendors are affected. Understanding your external interconnections, who you have allowed to access your systems (both Information Technology and Operational Technology), and whose technology you are using will help you understand the risk to your organization and how it is being addressed.
Know which data and systems are most critical to maintaining your organization's mission, business, and operations. You should have a complete inventory of your most critical assets and know where your data resides in your environment.
Assess your current cyber practices against the standards appropriate for your organization (NIST, CIS, ISO, or others) for Vulnerability/Patch Management, Identity and Access, Least Privilege, and Configuration Management. Weak practices in these areas allow the adversary to continue to maneuver in your network, compounding the current risk.
Know what data you share with your third-party business partners and vendors, how it is shared, how it is protected, and how you validate that it is secure.
Prepare to run your critical operations in a disconnected environment. Determine whether that is possible and develop a plan to implement it.
Action – Plan Your New Environment
Regardless of whether your organization has been affected by this compromise, this is an opportunity to assess whether current practices adequately protect the data and systems most valuable to your mission, business, and operations. If your organization was compromised, rebuilding should be strongly considered. When doing so, it is paramount that the approach is well thought through so that the investment actually protects those valuable assets and data.
Cyber Resilience – Develop a strategy that makes your most valued data, operations, and missions the focus of the rebuild. Consider network segmentation and restricting both internet exposure and third-party access. As you rebuild, create a baseline of the environment and adopt tools that monitor for deviations from that baseline during and after the rebuild.
IT Strategy – Develop and assess courses of action and strategies that define the future, build capabilities, enable transformation and modernization, increase performance, and improve services for customers.
Supply Chain Risk Management – Engage your organization to develop a Supply Chain Risk Management Program that illuminates and identifies risks in products, tools, and vendors.
Enterprise Risk Management (ERM) – Apply a risk-based approach to managing your recovery effort. Risk associated with the breach should be evaluated against enterprise objectives, and the approach to remediation should account for enterprise strategies and risks. Include your Chief Risk Officer and engage support to help prioritize your resources toward your most critical business/mission risks.
Cybersecurity – Develop a comprehensive cybersecurity program to address the gaps identified during the evaluation of your current practices. Ensure best practices are implemented and a sufficient governance structure is in place. This should include an ongoing security awareness and training program focused on creating a cyber-conscious culture.
Regulatory Compliance Review – Work with your legal department to ensure your reporting obligations are identified and up to date.
Response Training – Invest in training and incident response planning so that you can quickly respond to and recover from a cyber incident, including a supply chain compromise.
Program and Change Management – Effective program and change management will be necessary to integrate the projects that remediate the current environment with those that build new networks or rearchitect the environment.
This is not simply an IT or security challenge, but will require a broad set of stakeholders, including:
Chief Financial Officer
Chief Risk Officer
Beyond the actions above, stay current on the latest information by referring to the Alert and Current Activity websites.
Your organization can also participate in the appropriate industry Information Sharing and Analysis Center (ISAC).