Pandas, Bears, and the Supply Chain Risk

We have entered a new age of cybercrime and data breaches, and to say we are dealing with a complicated environment would be a tremendous understatement. As we look at the current state of information security, we confront threat actors that are patient and extremely strategic, whether from choosing their TTPs or the targeting of organizations. We have also seen the nation-state threat actor come into focus with geopolitical motivations and state-sponsored resources. Key among these nation-state actors include China, seeking global economic competitive advantage, or Russia, who is driven by financially-motivated espionage operations. Others, including Iran and North Korea, continue to target U.S. critical infrastructure as well as government and commercial entities. Very interesting to highlight the different approaches to internet anonymity from different nation-states and how that drives cyber behavior by their respective populations. For example, Russia seemingly does nothing to de-anonymize internet activity within their borders and the result is a high volume of criminal activity originating from their domains. China, on the other hand, goes to great lengths to de-anonymize and the result is less criminal activity and MORE government sponsored behavior.

 

One area that enterprise executives should and need to be thinking about is ransomware. Criminal enterprises utilizing ransomware as a weapon are hyper-skilled at reconnaissance. They know your cyber insurance thresholds and are price setting the ransomware market as a result. They use old vulnerabilities because they know patching SLAs are basically stretch goals. Even more so, they are increasing ransom demands to Hollywood-level figures with some starting between $50 million and $100 million. To cause more stress, we are now having to deal with Office of Foreign Asset (OFAC) considerations. Did you know that if you engage in a financial transaction with anyone on the Department of Treasury’s Office of Foreign Assets Control list, you are subject to criminal penalties under US Law? An example of one well-known Russian ransomware enterprise is Evil Corp, and they have now been added to the list. This may seem daunting to navigate, but you can leverage your partnerships, including your local FBI office, and arm yourself with as much data as necessary to make strategic decisions with eyes wide open. Preparedness has never been more important.

 

Let’s switch to another issue that warrants attention, supply chain threats. The US has grown its reliance on the global supply chain to dangerous levels, and it can be argued that there has been too much toothpaste squeezed from the tube to shove it back in. China has launched a program, “Made in China 2025,” with their motivation being to attain complete independence from the global supply chain. In response, what is our “Made in the USA 2025” strategy? The threat exists. Interruptions in the supply chain and nefarious uses of common vendors and platforms is a material risk. Cybersecurity professionals and risk management departments are focused on third party risk management, vendor management, and adhering to security frameworks. Currently, silo’d and independent solution sets rule the day against these supply chain threats and we need to align and move uniformly as an industry to truly affect change and embolden our defenses.

 

This brings us to SolarWinds breach. A Russian hacker group, likely state-sponsored, compromised the SolarWinds’ Orion platform to infect a software update push that was downloaded no less than 18,000 times, impacting organizations globally. As a widely used network management tool that provides a gateway into company networks, the Orion breach led to a victim list that includes the US Government, industry, and companies worldwide. FireEye, a globally recognized security firm, discovered the breach in December 2020 when one of their employees used 2FA for account access and FireEye analysts noticed two phone numbers tied to his account. Subsequent analysis revealed the breach and from there, we learned that the breach had been ongoing since March 2020 with a massive scope. They had leveraged a SolarWinds DNS server to build a ‘target list’ and used a delayed-execution timer to avoid quality assurance checks. Russian actors built backdoor access across impacted organizations that will likely take months to even years to fully identify and remediate. What was particularly novel about this massive breach is that they stayed away from source code, instead focusing on update code (effectively the ubiquitous software patch). They even setup a controlled environment to run detection tests in late 2019. This was a sophisticated, nation-state attack and not just the work of a script kiddie in their mom’s basement. If there was ever a doubt on this being a nation-state at work, that doubt would be easily removed based on these factors alone.

 

The obvious question now becomes “What can and should executives do in response to these threats?” This question goes out to CIOs, CISOs, Directors, Managers, and all leaders and teams. How are you talking to one another up and down the organization to identify cyber risks? As leaders, you have an ultimate responsibility to protect the organization. With so many breaches being discussed in the media, we don’t have any plausible deniability that cyber risks are enterprise risks.