Are we living through a cyber Cold War? Peter Coroneos, International Vice President for the Cybersecurity Advisors Network, dives deep into the recent SolarWinds attack and examines how organisations need to protect themselves against digital warfare.
What is the SolarWinds attack and how was it different from other types of attacks we’ve seen recently?
Where to begin? I’ll answer the second question first. I think the compelling topic that we’ve chosen for today really is around the uniqueness of this attack and also the far-reaching consequences it’s likely to bring with it. So qualitatively and probably quantitatively, this would have to go down as one of the most serious attacks that we’ve seen.
In a nutshell, SolarWinds markets and sells network-monitoring services to something like 300,000 customers globally, including many Australian companies. Of the Fortune 500 companies, I think they service about 425 of those. So they are a very significant player in the market with a great degree of penetration.
But what was unique about this attack was that it was one of the most brilliantly planned and executed attacks we’ve seen. What they used as the way in was actually a security patch that had supposedly come from the company itself. So the companies that were affected were the ones that were following the advice that’s generally given: to patch regularly, frequently and as soon as patches are released. But the irony is that the companies that didn’t patch were the ones that didn’t become compromised by this breach.
So it runs completely counter to the usual method of attack, and that is through unpatched systems.
How, as an organisation, do you actually figure out what systems are compromised? This one was so widespread. How do you actually start to unwind how widespread this penetration and exploitation goes?
I don’t know that we can ever know that, and the truth is that those organisations that are being compromised may never know if they’ve completely eradicated the malware from their systems. They may do all the standard things, but we’re up against nation-state attackers who obfuscate and cover their tracks on the way through and on the way out. They are installing backdoors where they can go in again at any time using encrypted methods, and there are small packet sizes or things without payloads that are not going to be picked up by conventional scanning technologies.
So really, it’s the classic arms race all over again, except it’s now just been ratcheted up five or 10 times higher. Why would I put that multiple in there? Because we’re talking about all five branches of the US military that have been compromised now. We may never know the extent of the compromise, and I can’t speak for Australia, but if they’ve attacked the US military, you can be sure that other militaries around the world are being attacked, other strategic defence organisations and defence suppliers.
Elsewhere, this attack was characterised using the term ‘battleground preparation’. So essentially, what the thinking is here is that the foreign nation-state attacker is basically seeding networks all over the world in preparation for an escalation scenario. You could call that a fully fledged cyber war or maybe you want to avoid that rhetoric. But whatever you want to call it, it’s a seeding exercise. Yes, there’s an immediate compromise and you can try to root that out as best you can. But what has been left behind that you haven’t picked up, and what later use can that be put to? That is what is keeping a lot of CISOs awake at night.
If we assume that the bad guys are already in our systems and that they are laying the foundation of this ‘battleground preparation’ that you’re referring to, is it then a requirement for our government to do the same? Should there be an Australian-based cyber effort to infiltrate the technology players on the other side?
So you’re saying we adopt a cyber offensive capability as a deterrent?
Yes. Is that something that is either ongoing or that needs to be considered if we start to talk about this being a war?
It is. I mean, it’s been part of Australian military doctrine since the Turnbull prime ministership. I remember him saying, “We’re not publicly disclosing the fact that we have developed within Australia a cyber offensive capability and we’re prepared to use it.” Every government in the world, or at least every major player, will have cyber offensive capabilities. We hear about Russia and China and Iran and North Korea, but the truth of the matter is this is ongoing. Everyone is attacking everyone else right now.
I think we have to just assume that there’s a cyber war going on. Without debating the finer points of it, let’s just take that as a given now. It’s a Cold War, it’s a Cyber War. I explained to a CEO a couple of years ago: “Imagine that there’s a war going on. You can’t see the bullets flying, but it’s still very real. It’s happening right now.” So that is the situation.
You only have to open the paper every day or look online at the news. We’re almost getting to the point of hacking fatigue.
We always try to finish our conversations on more of an upbeat note, because none of this stuff sounds particularly good. So could you please do the honours of trying to pick out the good news in the current situation?
I think the truth of the matter is that in any arms race, the defences are getting better. Yes, it’s going to be an ongoing thing, but we’re going to have artificial intelligence to help us. We’ve got the advanced identity security management tools that you guys are developing at Daltrey. We’ve got the whole Zero Trust paradigm, which is now really coming to the fore. And I think a lot of companies are now evaluating if not investing in that.
So the necessary mind shifts are occurring – maybe not quite as fast as we would like to see, but they are moving in the right direction.
Australia may never be able to say that we’re 100% cyber-secure, but we may be able to say that in the event of a serious cyberattack, we believe we’re able to carry on core operations. This idea of the change in behaviour, combined with new technology, combined with better process management around Zero Trust models will be the early lessons of this decade.
Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the Identity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.