Every day I hope there’s less to talk about with SolarWinds, and each day I’m a bit disappointed.
The National Security Council has launched an investigation into what happened, with a task force to coordinate and remediate the attack that combines the FBI, CISA, the Office of the Director of National Intelligence, and the NSA.
CISA has discovered evidence of SAML authentication token abuse in the hack, and if attackers gained access to these tokens used for identity validation, each affected network will likely need to be fully rebuilt.
The US court has indicated that with the compromise of its systems, sealed court documents on file with the US Federal Court system may have been exposed, and the branch has indicated it will be deploying more stringent controls going forward, including moving more sensitive documents offline.
SolarWinds itself has hired former CISA leader Chris Krebs and former Facebook Chief Security Officer Alex Stamos to assist with the investigation, cleanup, and best security practices. The company has also announced its three security priorities – securing its internal environment, enhancing the product development environment, and ensuring the security and integrity of the products the company delivers.
Why do we care?
Working backwards, bringing in high-profile security advisors is encouraging. In particular, Stamos is known for speaking his mind and giving a clear perspective, so he will say so if the company is not overcorrecting, as I hope it will. That’s the path forward if they are to survive.
It’s pretty clear that any compromised network should just be rebuilt. Sure, it’s a big opportunity, but a highly regrettable one for sure.