At a glance.
- Cyber Unified Coordination Group statement on Solorigate.
- Reactions from industry to the Joint Statement on Solorigate by CISA, NSA, FBI, and ODNI.
- CMMC and small businesses.
- Proposed FDIC rule on reporting disruptive cyber incidents.
Cyber Unified Coordination Group statement on Solorigate.
Yesterday the FBI, CISA, ODNI, and NSA, member organizations of the Cyber Unified Coordination Group (UCG) activated in response to Solorigate, issued a joint statement on the progress of their efforts. Here are the main takeaways:
- A Russian APT was named as the “likely” perpetrator of “most or all of the” activity.
- The breach was described as an ongoing “intelligence gathering effort.”
- Relatively few affected SolarWinds Orion customers appear to have experienced “follow-on activity,” among them seemingly “fewer than ten” Government offices.
- The UCG continued remediation and evidence preservation work over the holiday.
Reactions from industry to the Joint Statement on Solorigate by CISA, NSA, FBI, and ODNI.
Gurucul's CEO Saryu Nayyar sees Solorigate as a continuation of the Cold War:
“The cold war isn't over. It just moved to the internet. And the SolarWinds attack is a perfect example of a State or State-sponsored actor turning their resources to cyberattack. Unlike typical cybercriminals, these threats at this level have almost unlimited resources and will target virtually anything that may forward their agenda.
“It is likely the damage from this attack will run much deeper than is revealed to the public, but it may serve as a wake-up call that organizations and vendors at all levels need to up their cybersecurity game. They need to assess their current security posture and make sure they have the best possible components in place, including security analytics. The benefit is that designing defenses to blunt State-level attackers should be more than enough to thwart common cybercriminals.”
Piyush Pandey, Appsian's CEO, reminds the private sector that espionage isn't confined to government targets:
“The SolarWinds attack is a reminder that state-sponsored attacks against critical systems are just as relevant to the private sector as they are to the public sector. To combat this, all organizations should have visibility solutions in place that emphasize where (geographically) their enterprise applications are being accessed, especially those with sensitive business, financial and HCM data. Ideally, they also have controls that authorize or restrict access in real time if that access is coming from an adversarial region.”
Daniel Markuson, Digital Privacy Expert at NordVPN, wrote about the incident at a higher level of abstraction: what happened was a backdoor delivered through a software supply chain:
“The attack we are witnessing right now is targeted exploitation of a backdoor. We can expect to see the outcomes of this hack in the years to come, as the full extent and the actual purpose of the hack are still being investigated. Usually, bad actors are exploiting vulnerabilities that have already been fixed with update patches, but users fail to install them. This time, it’s the other way around. Hackers used a backdoor that was the result of a compromised supply chain. The lesson of what happened will probably be the emergence of more zero trust initiatives targeting third-party software. We can be definite: from now on, conversations will focus on cybersecurity supply chains instead of cybersecurity overall, as the aforementioned has been overlooked and over-relied upon.”
CMMC and small businesses.
Now is the time for companies planning to contract with the Defense Department in any capacity from gardening to guarding to get their cyber house in order, according to Federal News Network. As we’ve seen, new Cybersecurity Maturity Model Certification (CMMC) rules mean an outside body will now assess whether Government data is safe in vendors’ hands. Small businesses looking for affordable support through the certification process should price shop, opting for services that stay on top of CMMC developments and charge a fixed rate.
Proposed FDIC rule on reporting disruptive cyber incidents.
JD Supra says the US Treasury Department, Federal Reserve, and Federal Deposit Insurance Corporation’s December Notice of Proposed Rulemaking would start a thirty-six-hour clock for banking organizations to alert regulators following discovery of a disruptive cybersecurity event. Immediate notification of impacted client organizations would also be required. “Notification incidents” would include wide-ranging events like major system failures or disabling ransomware assaults, not manageable occurrences like modest DDoS attacks. Some state regulators have already imposed comparable guidelines, and banks under Federal oversight are subject to additional reporting rules covering breaches impacting “sensitive customer information.”