Health-ISAC, in conjunction with the American Hospital Association (AHA), has published guidance for healthcare information security teams to help them improve resilience against supply chain cyberattacks such as the recent SolarWinds Orion incident.
The white paper – Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event – provides insights into the cyberattack and explores the characteristics that made such an attack possible. The document provides technical recommendations for senior business leaders, C-suite executives, and IT and information security teams to help them prevent and mitigate similar attacks.
Solutions such as SolarWinds Orion have privileged access to the assets they are used to manage, and it was those supply chain dependencies and inherent trust models that were exploited in the SolarWinds Orion attack. The attackers compromised the software update mechanism to inject a backdoor into the network monitoring platform. The trojanized update was downloaded and applied by around 18,000 customers, and selected organizations were then singled out for more in-depth compromises, including several government agencies and cybersecurity firms. The U.S. government recently formally attributed the cyberattack to the Russian Foreign Intelligence Service (SVR).
Platforms such as SolarWinds Orion are an attractive target for threat actors. They are deployed by many high-value organizations such as large enterprises and government agencies, they act as a centralized system that controls multiple subsystems, networks, and products, and they require little interaction, if any, from the systems they control. If such a platform has an undisclosed, unpatched, or unknown opening that attackers can exploit to gain a degree of administrative control, the attackers can go on to gain limited or total control of every subsystem it manages.
All of those factors were exploited in the SolarWinds attack. The white paper describes a further four incidents in which similar characteristics were exploited: the 2003 HP OpenView vulnerability, WannaCry, NotPetya, and the 2021 SAP Solution Manager incident.
Similar cybersecurity incidents are likely to happen time and time again, so it is important that steps are taken to minimize risk and limit the damage that can be caused. The white paper details the risks involved with enterprise IT systems such as SolarWinds Orion and provides recommendations that organizations can apply to predict, and hopefully prevent, similar incidents in the future.
Recommendations include signing up with an ISAC to receive timely and actionable threat intelligence, conducting regular vulnerability scans, patching promptly, adhering to the principle of least privilege, and implementing a program of continuous verification to confirm that security controls remain effective at blocking threats.
“What is truly needed is close cooperation between governments, the healthcare sector and all critical infrastructure globally via a formal exchange of cyber threat information and combined cyber defenses – to create a truly global approach,” explained Health-ISAC in the white paper. “We urge organizations to use the strategic and tactical issues discussed in this paper as considerations for all trusted systems used, or planning to be used, in your environment.”