SolarWinds exposes cyber risk assessment gap
QOMPLX president and general manager of insurance Alastair Speare-Cole says that regardless of the size of insured losses, the hack of US network management software firm SolarWinds is a wake-up call to the industry and insureds.
The skies are dark from the wings of chickens coming home to roost, but does anyone care?
There has been a major cyber event, among the largest and most significant ever, and yet coverage of it in the insurance press can only be described as slight. I’m speaking, of course, of the hack of US network management software firm SolarWinds, which has shaken the US federal government, intelligence community and private sector to its foundations. While the losses associated with this incident have yet to be counted, this incident should change everything.
The US Cybersecurity and Infrastructure Agency (CISA) is a very serious body not prone to hyperbole. But when it issues the sort of warnings it gave in its Emergency Directive on 13 December, we should be all worried.
Describing the attackers behind the intrusion into SolarWinds, which began as early as March 2020, CISA noted that “taken together, [the] observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence”.
I am not going to spend time repeating the details of what has happened. The story should now be familiar and if you are not familiar you owe it to yourself to spend a little time catching up.
“For all the money spent on perimeter defences, including multi-factor authentication, a determined attacker will find a way in. The US government departments were some of the most secure on the planet. But hackers got in and remained undetected for months”
It is a feature of most insurance losses that we can forensically analyse when and where a major event happened and to whom. This event was going on for literally months before discovery.
It is still going on now as 18,000 companies and government departments must consider rebuilding their networks. And until the stolen identities and privileges are tracked down, the attackers may still be able to re-enter their targets.
What should be the response of our industry to this incident? Here are a few facts that anyone writing insurance should clearly understand.
1. For all the money spent on perimeter defences, including multi-factor authentication, a determined attacker will find a way in. The US government departments were some of the most secure on the planet. But hackers got in and remained undetected for months; cutting off their access and removing them from compromised environments after such a long residence is a difficult task.
2. Whilst the name “SolarWinds” is in the headlines, it would be a huge mistake to think that this form of attack is limited to one firm or is only a US-centric problem. The approach used by the hackers – believed to be affiliated with the Russian intelligence services – was to compromise a trusted software supply chain. It isn’t the first time that Russian hackers have used that approach and other software vendors are equally susceptible to compromise. Alas, not being a US entity or a SolarWinds client is irrelevant from the standpoint of risk management. Few companies currently devote resources to monitoring the integrity of their software supply chains, even as they become longer and more complex. And, as we know, detection needs to be accomplished in minutes, not months to be of real use!
3. There is a fundamental problem embedded deep in all our systems. For those that want to learn more they can read up around Kerberos, Active Directory, SAML tokens and Gold- and Silver-Ticket attacks. But for the purposes of this article let me try to explain where the problem lies. All our systems work on the assumption that electronic identities and systems privileges are valid.
Once stolen by an intruder, credentials allow them to work their way deeper into systems and disappear: posing as legitimate users or even creating new accounts and giving themselves administration rights. So the systems holding digital identities are the crown jewels of any IT environment. Unfortunately, the vast majority of companies today store these identities on aging and insecure technology such as Microsoft’s Active Directory, a more than 20-year old platform designed for a different era of computing, and the Kerberos authentication protocol.
Alas, while the limitations of Active Directory and Kerberos are well demonstrated and documented, switching out such a fundamental component of IT environments is difficult and disruptive. As a result, this problem is not going to go away. Nor can it simply be patched away. Insecure identity is not just part of the architecture; it is embedded in the very foundations of the systems we all use.
And for all the assurance given to you by your IT department that it could not happen to you, if it can happen to some of the most secure organisations, you too may become a victim. There is even a chance you already are a victim but just don’t know it yet. If you are the CUO or the CEO of an insurer, and your cyber underwriter cannot give you a clear and concise explanation of why this problem is difficult to solve, then you may have found another thing to worry about at night!
4. What is the impact on insurers? Well in pure loss terms, at this stage, it is difficult to tell. CISA as well as US firms such as FireEye and Microsoft that are familiar with the SolarWinds breach have already indicated that it is bigger than has been disclosed. Still, much cyber risk still goes uninsured. Some of the impact on US government departments will remain classified. Some of the stolen intellectual property may take years to reveal itself.
The principal lesson is that this form of attack (the exploitation of identity and privilege escalation) is equally applicable to those seeking to steal data for dark web auctions, or to ransom their targets.
So the pricing, selection and mitigation of risk that should be at the core of an insurers’ thinking depends upon an appreciation of the degree to which a company is likely to be exploited in this way. And much of the current tooling on which the industry relies to assess such risks (OSINT, external scanning and questionnaires), whilst useful, if far from sufficient.
“The principal lesson is that this form of attack (the exploitation of identity and privilege escalation) is equally applicable to those seeking to steal data for dark web auctions, or to ransom their targets”
Sadly, as I write today, there are a few solutions out there. QOMPLX, the company I happen to work for, has one of them. In fact, QOMPLX and our software was inspired when the founders encountered this very problem a decade ago when working within the US government security community. There are one, maybe two other companies who you can go to. But there is also a lot of snake oil out there. My advice is do your own research and don’t be satisfied by those internally or externally that tell you there are easy solutions. It has taken five years and the best part of $80mn to create ours.