SolarWinds Supply Chain Attack: The Argument to Delay Patching

The SolarWinds Attack

SolarWinds was attacked by a sophisticated team of attackers likely supported by a nation-state. The attackers gained access to the SolarWinds network and published their own custom malicious SolarWinds updates. The malicious updates then stealthily penetrated the critical infrastructure of SolarWinds customers.

The malware which is found within a malicious update is often a Cobalt Strike Agent Derivative built as a .NET binary and is all in all not very sophisticated nor obfuscated. However, the malicious binary was plenty unique enough to evade signature-based technologies, and the communication used by the malware was obfuscated for EDR and MDR evasion. The update which was delivered was digitally signed by Symantec giving further confidence to all customers that the update was trustworthy.

The SolarWinds attack is currently the poster child for the definition of a Supply Chain attack and carries major ramifications to organizations trusting updates from their vendors in the future.


Not the first or last Supply Chain Attack

One tool called Evilgrade has made it almost trivial to create new packaged updates that are combined with a man in the middle attack of the update protocol, where an attacker can easily deploy malicious backdoors within a trusted application through the trusted application update process.  This tool has been around for 8 years, but the concept of malicious patches has been around and used as an attack vector for far longer. Tools such as Evilgrade make the attack simpler and more mainstream.

The malicious update delivered through SolarWinds however did not leverage a tool such as Evilgrade, although it looked very similar, the attackers did not have to send a malicious update through the interception of the update protocol. The attackers instead gained long term access to SolarWinds Servers and compromised the build process for the updates, so the updates which were delivered to all SolarWinds customers who download them were compromised.

As a generally good practice, all companies should be implementing frameworks including Vendor Management that are designed to ensure the security of vendors before doing business with them and before continuing business with them. The purpose of Vendor Management in light of cyber risk is to prevent Supply Chain attacks through vendors, contractors, or business partners.

The list of attacks that have targeted vendors, contractors, and business partners continues to grow despite Vendor Management being utilized by most companies. The future holds more Supply Chain attacks, not less.


Thinking differently about patching 

There is currently no completely secure way to validate patches from what is thought to be a trusted source in an automated fashion. The SolarWinds supply chain attack has placed a spotlight on the question of whether patching with urgency is warranted.

There are problems with patching beyond the risk imposed by Supply Chain attacks. Patches can and do cause issues within production systems during and after their installation. These issues cause delays and disruptions in environments causing significant financial loss even when the updates are planned and tested.

Digital Immunity protects against the vulnerabilities both known and unknown to systems while allowing for a healthy and safe delay before applying released patches from vendors. The delay provides the cyber community time to vet patches through manual intervention to ensure patches are non-malicious, giving confidence to the organizations of the applications who need the patches to ensure they can be trusted.

It is good hygiene to apply patches but delaying them to an infrequent and scheduled update pattern may not only be more cost-effective for organizations but also prudent from a security posture perspective given the high risk of Supply Chains attacks and their likely continuation.


The Future  

Applying patches in a timely manner has long been considered best practice and is required by most IT compliance frameworks. Considering that most patches are security-related, this makes sense.

The events unraveled by the SolarWinds Supply Chain attack argue that it may not be best to apply patches as quickly as possible. The time is now where delaying patches makes strategic sense and applying alternative mitigation technologies and strategies such as Digital Immunity will ensure the security of your operating systems and related applications while you delay the implementation of the patches.

Additionally, all organizations who create software and produce patches should be looking at ensuring a secure build process environment protected from intrusion while applying a much more rigorous process to vet builds before they are published as patches to customers.   Stay tuned for our next blog on this topic.