SolarWinds’ chief information security officer defended the company’s practices and technology on Wednesday, saying the attack it experienced at the hands of Russia’s foreign intelligence agency last year wasn’t one that most companies would be prepared for.
“We ran a pretty good shop, we had pretty good technology,” Tim Brown, the company’s CISO and vice president of security, said during a webcast hosted by the insurance firm Marsh. “We’ve had four months of inspections and we found things to fix, but it wasn’t like we were super dirty—there wasn’t sloppiness, there wasn’t malware all over our environment.”
Brown’s comments come one week after the Biden administration took its biggest step yet toward retaliating for the SolarWinds supply chain attack and the subsequent compromise of federal and private sector networks. In addition to formally naming Russia’s SVR as the perpetrator of the attack, the White House expelled ten diplomats and imposed a range of sanctions on Russian companies and individuals.
According to government officials and cybersecurity experts, the SVR gained access to SolarWinds’ internal network and inserted malicious code into a build of its Orion IT monitoring software. Customers then downloaded the trojanized update, giving the attackers a foothold in potentially thousands of additional organizations. The operatives deployed further malware to compromise high-value networks and steal sensitive information from tens of U.S. government agencies, including the Department of Justice and the Department of Energy, as well as six EU agencies.
“A nation-state attack of this level and sophistication [meant it was] very patient, deliberate, targeted,” said Brown, who has been with the company since July 2017, according to LinkedIn. “That type of campaign isn’t your general attack that you prepare for. Now what we have to do is prepare for more of those as a community.”
Brown added that the company has learned lessons from the attack and the subsequent four-month investigation carried out by CrowdStrike and KPMG, including restricting employee access and extending no trust to any user or system by default.
“In general, we give developer communities more leeway—more freedom in what machines they can use, what software they can install in their environments,” said Brown. “A major [step] we’ve implemented and suggest others implement is taking away some of that control from the developers and putting it under the guise of [IT security].”
Alex Stamos, director of the Stanford Internet Observatory and former CSO of Facebook, echoed Brown’s comments during the webcast and added that there were further takeaways for the federal government that could help contain similar attacks in the future.
“We over-provision IT resources to so many people,” Stamos said. “The truth is the vast majority of people don’t need administrative access, and can probably get away with a much more limited set of options.”
Stamos also highlighted discussions taking place in Congress around creating an investigative agency similar to the National Transportation Safety Board to examine cyberattacks. “Right now, in July or August there won’t be a report that’s going to come out about SolarWinds that other companies can learn from,” he said.
‘They were patient and coordinated’
Brown cautioned that there are still several unknowns with the SolarWinds attack, but mapped out what investigators have uncovered so far.
For example, investigators are still unsure what the source of the initial exposure was, a point SolarWinds’ chief executive highlighted in recent weeks during Congressional hearings. Brown said they started with more than two dozen possible routes to the compromise of an account, which they have since narrowed down to three scenarios: exploitation of a network vulnerability that gave the attackers access to the account, a “very sophisticated” spearphishing attack, or a large-scale password spraying campaign.
Brown emphasized that the attackers also compromised the company’s email system, which allowed them to gather information and learn about the company’s environment, and that they covered their tracks well.
“The threat actor left and cleaned up all their activities so they were not detected. They took down their command and control server in October, and knew that as soon as they activated they would start having noise and start getting discovered,” Brown said. “They were patient and coordinated—they were looking for information and not to disrupt [us].”