- Though 65% of security practitioners were not directly impacted by the SolarWinds compromise, 63% are "highly concerned" by the incident, according to a DomainTools report released Tuesday. The data was pulled from a survey of 200 global security professionals and C-suite executives in finance, government, healthcare, retail, technology and other industries with 10,000 or more employees.
- Of the 19% of respondents who were directly impacted, more than 60% are still investigating if they were also breached, according to the report. Twenty-one percent of the impacted respondents said they were breached or other organizations in their ecosystem were breached.
- Half of respondents are "fairly confident" in their network visibility and ability to assess their defensive capabilities. Just over one-fourth of respondents said they are either "slightly confident" or "not confident at all" in their network visibility.
Between SolarWinds and Microsoft Exchange, companies are re-evaluating the software supply chain and the build process. To address shortcomings in assessing third-party technologies, the White House is drafting an executive order.
The malicious actors designed unique malware for SolarWinds' build process, allowing them to download and delete their tracks without a trace. Software-makers have time stamped forensic logs found in Security Information and Event Management (SIEM) software, among others. So if an attacker tries to erase their footprints, the logged artifacts could guide developers back to before manipulation took place, and stop before deploying corrupted code.
"SolarWinds is a classic 'exception that proves the rule' for patching," said Tim Helming, security evangelist at DomainTools. Patching will remain a top security priority. "This is not the first, nor the last, instance where a down-rev version of software turned out to be safer than a newer one," he said.
Before companies overhaul how software is built and secured, security operations centers (SOCs) have to figure out if they became a collateral victim of a software supply chain hack. Even though the majority of respondents were spared from a direct SolarWinds impact, the ripple effect is felt throughout information security.
One-fifth of respondents said they will get "real, tangible resources" as a result of the SolarWinds hack for future defense from their companies, according to the report. At least 16% increased their threat hunting headcount as supply chain threat hunting techniques will evolve.
"Even those shops that weren't directly impacted this time have to be of the mindset that they have no guarantee they couldn’t be hit by a similarly well-executed attack in the future," said Helming.
Microsoft on Thursday attributed the SolarWinds compromise to the threat group Nobelium, which likely has Russian origins. About 45% of respondents said knowing the SolarWinds attribution plays a "very important" role in responding to the hack and 61% said knowing the actor provides data for tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs).
But attribution isn't limited to "laying responsibility at the feet of a specific actor or group," said Helming. "Another form of attribution relies more on associating things like infrastructure and TTPs with the perpetrator of an attack, independent of who or what that perpetrator might be," which is more digestible for SOCs.