SolarWinds Orion attack thoughts
Image by Clker-Free-Vector-Images from https://pixabay.com/

Here I wanted to react to the SolarWinds Orion attack. I won’t talk about the past errors such as the antivirus exclusions or the supply chain attack itself; all of that has already been covered extensively.

What I don’t see discussed as extensively are 2 points:

- Sharing of related information

- If it’s really a state-sponsored attack: we should definitely think about a “non-proliferation pact for cyber weapons”

So let’s start with information sharing: a lot is now done, but I will focus more on the industrialization of information sharing.

In fact, to get the IOCs and a description of what is happening, we rely on articles, more or less factual and complete, and mainly on standard exchanges in communities via STIX, TAXII, MISP platforms, …

And this raises an interesting point: should we integrate into our SIEMs/SOARs all the IOCs we can find, even those completely irrelevant to the specific risks of the company, or should we filter?

For cost, performance and quality management we should choose to use only IOCs relevant to the specific risks we can face in our companies. Yes, adding IOCs has a cost: storage, memory, CPU, validation of each specific rule created, and continuous improvement management (including, at some point in time, taking the decision to suppress the rule when it is no longer relevant). I still don’t know (and I may be wrong of course, I don’t know everything) a common standard allowing a company to choose the right IOCs.

To make this choice we need to be able to map the specific IOCs to the relevant risks for the company. So we should have some “metadata” available to help make the choices and then cope with the volume and speed of new IOCs we can find in the wild. But then, what kind of metadata should we exchange? I will just propose a few here, as it needs to be discussed by many people:

- Associated software, to be able to link to the CMDB

- Verticals, if it targets a specific one

- A mapping to the ATT&CK framework

- Targeted geography, if it makes sense

- Source of the attack (if we are able to do attribution)

- …
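As an added example (not code from the original article), here is what a relevance filter built on the metadata fields proposed above could look like: each indicator carries the software it abuses, targeted verticals and regions, ATT&CK technique IDs and a last-seen date; the company side supplies its CMDB product list, vertical, operating regions and the techniques its SOC watches. Indicators tied to software absent from the CMDB are rejected outright, stale ones are retired, and the rest are scored. The record layout, field names, profile and sample feed are all constructed for illustration and are not a STIX or MISP schema; T1195.002, T1078 and T1566 are real ATT&CK IDs, but their association with the sample indicators is invented.

```python
"""Added example (not from the original article): score indicators of
compromise (IOCs) against a company's risk profile using the metadata fields
proposed above, and drop the ones that are irrelevant or stale. The record
layout, field names, profile and sample indicators are all constructed for
illustration; they are not a STIX or MISP schema."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CompanyProfile:
    software: set            # product names as they appear in the CMDB
    vertical: str            # sector the company belongs to
    geos: set                # countries/regions where it operates
    watched_techniques: set  # ATT&CK technique IDs the SOC prioritises


@dataclass
class Indicator:
    value: str                                    # the observable itself
    ioc_type: str                                 # domain, ip, url, sha256, ...
    last_seen: date                               # used for rule retirement
    software: set = field(default_factory=set)    # products the activity abuses
    verticals: set = field(default_factory=set)   # targeted sectors, empty = any
    attack_ids: set = field(default_factory=set)  # ATT&CK technique IDs
    geos: set = field(default_factory=set)        # targeted regions, empty = any
    source: str = "unknown"                       # attribution, when available


def relevance_score(ioc, profile):
    """Return (score, reasons). A software mismatch is a hard reject: an
    indicator tied to a product the CMDB does not know cannot fire on anything
    the company runs, so it would only cost storage and analyst time."""
    score, reasons = 0, []
    common_software = ioc.software & profile.software
    if ioc.software and not common_software:
        return 0, ["targets software absent from CMDB"]
    if common_software:
        score += 3
        reasons.append("software in CMDB: " + ", ".join(sorted(common_software)))
    if not ioc.verticals or profile.vertical in ioc.verticals:
        score += 1
        reasons.append("vertical matches or unspecified")
    if not ioc.geos or ioc.geos & profile.geos:
        score += 1
        reasons.append("geo matches or unspecified")
    watched = ioc.attack_ids & profile.watched_techniques
    if watched:
        score += 2
        reasons.append("watched ATT&CK techniques: " + ", ".join(sorted(watched)))
    return score, reasons


def select_iocs(iocs, profile, today, threshold=2, max_age_days=90):
    """Keep indicators seen within max_age_days that score at least threshold;
    the age check is the 'suppress the rule when no longer relevant' step.
    The result is sorted by descending score."""
    kept = []
    for ioc in iocs:
        if (today - ioc.last_seen).days > max_age_days:
            continue
        score, reasons = relevance_score(ioc, profile)
        if score >= threshold:
            kept.append((ioc, score, reasons))
    return sorted(kept, key=lambda t: t[1], reverse=True)


# Constructed sample profile: an energy company running the two listed products.
SAMPLE_PROFILE = CompanyProfile(
    software={"Orion", "Exchange Server"},
    vertical="energy",
    geos={"FR", "DE"},
    watched_techniques={"T1195.002", "T1078"},
)

# Constructed sample feed; values use reserved documentation ranges and TLDs.
SAMPLE_TODAY = date(2020, 12, 20)
SAMPLE_IOCS = [
    Indicator("c2.example", "domain", date(2020, 12, 15), software={"Orion"},
              attack_ids={"T1195.002"}, geos={"US", "FR"}),
    Indicator("203.0.113.7", "ip", date(2020, 12, 10), software={"BankingApp"},
              verticals={"finance"}, attack_ids={"T1078"}),
    Indicator("192.0.2.10", "ip", date(2020, 12, 1),
              verticals={"energy", "water"}, attack_ids={"T1078"}),
    Indicator("http://retail.example/login", "url", date(2020, 12, 18),
              verticals={"retail"}, attack_ids={"T1566"}, geos={"BR"}),
    Indicator("stale.example", "domain", date(2020, 6, 1),
              software={"Exchange Server"}, geos={"FR"}),
]

if __name__ == "__main__":
    for ioc, score, reasons in select_iocs(SAMPLE_IOCS, SAMPLE_PROFILE, SAMPLE_TODAY):
        print(f"{score:2d}  {ioc.ioc_type:6s} {ioc.value:30s} {'; '.join(reasons)}")
```

Run as-is, only the Orion-related domain (score 7) and the energy-sector IP (score 4) survive: the banking indicator is rejected because its software is not in the CMDB, the retail URL scores 0, and the Exchange-related domain is relevant but retired because it is older than 90 days. The weights and the 90-day window are deliberate knobs each company would tune to its own risk appetite.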

And as my last proposal is related to attribution, it allows me to jump to the next subject: non-proliferation of cyber weapons.

 

It seems that the Orion attack is state sponsored; I’m not qualified to say whether it’s true or not, but it reminds me of some very long nights in the past helping customers get out of a terrible mess due to the lack of control of state-sponsored tools. So let’s take a step back on weapons:

- Close-contact weapons: of course they can have an impact, but it’s a local impact by design, and definitely not massive

- Remote weapons: here I will include guns, bombs, … where basically once the ammunition (i.e. the payload, in cyber terms) has been used it can’t be used again as is. And it’s also pretty hard to rebuild once it has detonated.

But among those remote weapons, the world has decided to control bacteriological, chemical and nuclear ones because of the lack of control and the possible huge dispersion.

When you look at cyber weapons, we can classify them in those same categories because:

- We know that all major countries now have a cyber army

- We have proof that it’s completely impossible to control the spread of the weapon (yes, I am thinking of Stuxnet)

- We also know that from the “fragments” of the weapon after detonation we can rebuild it, or build a variant

- We also know that our vital systems (water and energy distribution, the health system, …) heavily rely on IT

So if we just take those 3 points we end up with an uncontrollable weapon, and also uncontrollable dispersion, even broader than ever, as geography is not a limit anymore.

 

I don’t know anyone going to Davos, the G20, the EU or other kinds of events where our world leaders meet, but to me it is really worth having a cyber representative there explaining that risk.
