Vor aller Augen versteckt: Warum der SolarWinds-Angriff mehr als nur ein bösartiges Cyberrisiko aufgedeckt hat
A version of this article appeared in Dark Reading. It has been updated and syndicated here.
If ever there was something to ruin Christmas in the cybersecurity industry, it’s a devastating data breach that is on track to becoming the largest cyberespionage event affecting the US government on record.
The SolarWinds attack is far-reaching, with threat actors having initially breached the software as early as mid-2019. This months-long heist was discovered in December 2020 after it was used to infiltrate prominent cybersecurity firm, FireEye, and the nightmare unraveled from there. The full scope of the breach is still being investigated, but key areas of infiltration include US Departments of State, Homeland Security, Commerce, and the Treasury, in addition to the National Institute of Health.
This incident is going to have ongoing aftershocks, but the sheer sophistication of it is fascinating. At a technical level, it is a multi-layered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies we so often see exploiting more obvious errors.
Code laundering at its worst
CrowdStrike has done more of their genius work in reverse-engineering the exploit, and detailing the findings for all to see. It has now come to light that SolarWinds was the victim of an infrastructure breach, allowing malicious code injection into system updates, resulting in at least four separate malware tools opening up unprecedented access for the threat actors.
The method was covert, allowing for a strategic precision that seems straight out of a Jason Bourne novel. It bought time to sniff around, plan, and strike victims outside of the SolarWinds network exactly when they wanted, in a comprehensive supply chain attack. And it was all carried out with code that looked completely benign.
Cyberattacks are often the result of simple, yet costly, errors. And once discovered, the mistakes are fairly obvious; think a poorly configured network, passwords stored in plaintext, or unpatched software that sits vulnerable to known exploits. In this case, the code didn’t stand out at all, and not just to developers and security engineers. A wide myriad of expensive, complex security technology failed to detect it too.
Security monitoring and penetration testing tools were rendered virtually useless
Security professionals tend to be as rare as rocking horse excrement, so they are aided in their quest to secure enormous amounts of company data, software, and infrastructure, by a technology stack that is customized to the security needs of the business. This usually takes the form of components like network firewalls, automated penetration testing, monitoring and scanning tools, with the latter soaking up a lot of time in the software development process. This tooling can quickly spiral and become unruly to manage and execute, with many companies using upwards of 300 different products and services.
SolarWinds would have an eye-watering array of tools to find and highlight security bugs in code, attempted unauthorized network access, potential compromise in any part of the infrastructure, and even pick up on signs of detection evasion. It is unprecedented that these threat actors were able to inject malicious code that went undiscovered even by the most advanced security stack.
Infrastructure hardening - especially access control - are fundamental components of general cybersecurity best practice, but if an attacker can quietly exploit a tiny window of opportunity, then a network can be compromised just the same as a vulnerability in standalone software.
This breach is a reminder that, in general, any company that relies heavily on tools alone to secure its network infrastructure and software is taking an enormous risk. It’s not always enough to protect code; everything storing, running, and compiling it must be equally as fortified. The ideal state is a balance of tools and people, executing a robust strategy that goes deep in assessing and reducing the potential attack surface.
Cross-team security awareness makes for better threat modeling
The SolarWinds breach has already started to make a significant impact on security operations, especially at a government level. Experts are touting that this could reshape cybersecurity practices forever.
An increasingly digital infrastructure powers our lives, and while it can be vulnerable to attack if not meticulously managed, our general strategy is flawed. We are wildly understaffed when it comes to security expertise, yet we’re not doing a whole lot to close the gap. Human-driven security awareness is an underutilized element of cybersecurity, as is making prevention - rather than reaction - a priority.
Infrastructure security is a complex undertaking with many moving parts, but, similar to how they are positioned in software creation, developers can be an asset in reducing structural risk if properly trained and security-aware.
Threat modeling rarely accounts for supply-chain attacks, despite this type of attack being highlighted as early as 2012 as a key risk that is difficult to prevent with current techniques, and it leaves many companies under-prepared. Software developers could absolutely play a role in prevention, and it starts with ensuring they are upskilled and able to assess their code integrity from the inside out. Have they built the update mechanism securely? Is the software running with unnecessary connectivity that could allow for easier malicious compromise?
When security is synonymous with software quality, it is easy to see the immense value a security-aware engineer can bring to the table.
Wenn es jemals etwas gab, das Weihnachten in der Cybersicherheitsbranche ruinieren könnte, dann ist es eine verheerende Datenschutzverletzung, die auf dem besten Weg ist, das größte Cyberspionageereignis zu werden, von dem die US-Regierung je betroffen ist.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Eine Demo buchen
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
A version of this article appeared in Dark Reading. It has been updated and syndicated here.
If ever there was something to ruin Christmas in the cybersecurity industry, it’s a devastating data breach that is on track to becoming the largest cyberespionage event affecting the US government on record.
The SolarWinds attack is far-reaching, with threat actors having initially breached the software as early as mid-2019. This months-long heist was discovered in December 2020 after it was used to infiltrate prominent cybersecurity firm, FireEye, and the nightmare unraveled from there. The full scope of the breach is still being investigated, but key areas of infiltration include US Departments of State, Homeland Security, Commerce, and the Treasury, in addition to the National Institute of Health.
This incident is going to have ongoing aftershocks, but the sheer sophistication of it is fascinating. At a technical level, it is a multi-layered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies we so often see exploiting more obvious errors.
Code laundering at its worst
CrowdStrike has done more of their genius work in reverse-engineering the exploit, and detailing the findings for all to see. It has now come to light that SolarWinds was the victim of an infrastructure breach, allowing malicious code injection into system updates, resulting in at least four separate malware tools opening up unprecedented access for the threat actors.
The method was covert, allowing for a strategic precision that seems straight out of a Jason Bourne novel. It bought time to sniff around, plan, and strike victims outside of the SolarWinds network exactly when they wanted, in a comprehensive supply chain attack. And it was all carried out with code that looked completely benign.
Cyberattacks are often the result of simple, yet costly, errors. And once discovered, the mistakes are fairly obvious; think a poorly configured network, passwords stored in plaintext, or unpatched software that sits vulnerable to known exploits. In this case, the code didn’t stand out at all, and not just to developers and security engineers. A wide myriad of expensive, complex security technology failed to detect it too.
Security monitoring and penetration testing tools were rendered virtually useless
Security professionals tend to be as rare as rocking horse excrement, so they are aided in their quest to secure enormous amounts of company data, software, and infrastructure, by a technology stack that is customized to the security needs of the business. This usually takes the form of components like network firewalls, automated penetration testing, monitoring and scanning tools, with the latter soaking up a lot of time in the software development process. This tooling can quickly spiral and become unruly to manage and execute, with many companies using upwards of 300 different products and services.
SolarWinds would have an eye-watering array of tools to find and highlight security bugs in code, attempted unauthorized network access, potential compromise in any part of the infrastructure, and even pick up on signs of detection evasion. It is unprecedented that these threat actors were able to inject malicious code that went undiscovered even by the most advanced security stack.
Infrastructure hardening - especially access control - are fundamental components of general cybersecurity best practice, but if an attacker can quietly exploit a tiny window of opportunity, then a network can be compromised just the same as a vulnerability in standalone software.
This breach is a reminder that, in general, any company that relies heavily on tools alone to secure its network infrastructure and software is taking an enormous risk. It’s not always enough to protect code; everything storing, running, and compiling it must be equally as fortified. The ideal state is a balance of tools and people, executing a robust strategy that goes deep in assessing and reducing the potential attack surface.
Cross-team security awareness makes for better threat modeling
The SolarWinds breach has already started to make a significant impact on security operations, especially at a government level. Experts are touting that this could reshape cybersecurity practices forever.
An increasingly digital infrastructure powers our lives, and while it can be vulnerable to attack if not meticulously managed, our general strategy is flawed. We are wildly understaffed when it comes to security expertise, yet we’re not doing a whole lot to close the gap. Human-driven security awareness is an underutilized element of cybersecurity, as is making prevention - rather than reaction - a priority.
Infrastructure security is a complex undertaking with many moving parts, but, similar to how they are positioned in software creation, developers can be an asset in reducing structural risk if properly trained and security-aware.
Threat modeling rarely accounts for supply-chain attacks, despite this type of attack being highlighted as early as 2012 as a key risk that is difficult to prevent with current techniques, and it leaves many companies under-prepared. Software developers could absolutely play a role in prevention, and it starts with ensuring they are upskilled and able to assess their code integrity from the inside out. Have they built the update mechanism securely? Is the software running with unnecessary connectivity that could allow for easier malicious compromise?
When security is synonymous with software quality, it is easy to see the immense value a security-aware engineer can bring to the table.
A version of this article appeared in Dark Reading. It has been updated and syndicated here.
If ever there was something to ruin Christmas in the cybersecurity industry, it’s a devastating data breach that is on track to becoming the largest cyberespionage event affecting the US government on record.
The SolarWinds attack is far-reaching, with threat actors having initially breached the software as early as mid-2019. This months-long heist was discovered in December 2020 after it was used to infiltrate prominent cybersecurity firm, FireEye, and the nightmare unraveled from there. The full scope of the breach is still being investigated, but key areas of infiltration include US Departments of State, Homeland Security, Commerce, and the Treasury, in addition to the National Institute of Health.
This incident is going to have ongoing aftershocks, but the sheer sophistication of it is fascinating. At a technical level, it is a multi-layered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies we so often see exploiting more obvious errors.
Code laundering at its worst
CrowdStrike has done more of their genius work in reverse-engineering the exploit, and detailing the findings for all to see. It has now come to light that SolarWinds was the victim of an infrastructure breach, allowing malicious code injection into system updates, resulting in at least four separate malware tools opening up unprecedented access for the threat actors.
The method was covert, allowing for a strategic precision that seems straight out of a Jason Bourne novel. It bought time to sniff around, plan, and strike victims outside of the SolarWinds network exactly when they wanted, in a comprehensive supply chain attack. And it was all carried out with code that looked completely benign.
Cyberattacks are often the result of simple, yet costly, errors. And once discovered, the mistakes are fairly obvious; think a poorly configured network, passwords stored in plaintext, or unpatched software that sits vulnerable to known exploits. In this case, the code didn’t stand out at all, and not just to developers and security engineers. A wide myriad of expensive, complex security technology failed to detect it too.
Security monitoring and penetration testing tools were rendered virtually useless
Security professionals tend to be as rare as rocking horse excrement, so they are aided in their quest to secure enormous amounts of company data, software, and infrastructure, by a technology stack that is customized to the security needs of the business. This usually takes the form of components like network firewalls, automated penetration testing, monitoring and scanning tools, with the latter soaking up a lot of time in the software development process. This tooling can quickly spiral and become unruly to manage and execute, with many companies using upwards of 300 different products and services.
SolarWinds would have an eye-watering array of tools to find and highlight security bugs in code, attempted unauthorized network access, potential compromise in any part of the infrastructure, and even pick up on signs of detection evasion. It is unprecedented that these threat actors were able to inject malicious code that went undiscovered even by the most advanced security stack.
Infrastructure hardening - especially access control - are fundamental components of general cybersecurity best practice, but if an attacker can quietly exploit a tiny window of opportunity, then a network can be compromised just the same as a vulnerability in standalone software.
This breach is a reminder that, in general, any company that relies heavily on tools alone to secure its network infrastructure and software is taking an enormous risk. It’s not always enough to protect code; everything storing, running, and compiling it must be equally as fortified. The ideal state is a balance of tools and people, executing a robust strategy that goes deep in assessing and reducing the potential attack surface.
Cross-team security awareness makes for better threat modeling
The SolarWinds breach has already started to make a significant impact on security operations, especially at a government level. Experts are touting that this could reshape cybersecurity practices forever.
An increasingly digital infrastructure powers our lives, and while it can be vulnerable to attack if not meticulously managed, our general strategy is flawed. We are wildly understaffed when it comes to security expertise, yet we’re not doing a whole lot to close the gap. Human-driven security awareness is an underutilized element of cybersecurity, as is making prevention - rather than reaction - a priority.
Infrastructure security is a complex undertaking with many moving parts, but, similar to how they are positioned in software creation, developers can be an asset in reducing structural risk if properly trained and security-aware.
Threat modeling rarely accounts for supply-chain attacks, despite this type of attack being highlighted as early as 2012 as a key risk that is difficult to prevent with current techniques, and it leaves many companies under-prepared. Software developers could absolutely play a role in prevention, and it starts with ensuring they are upskilled and able to assess their code integrity from the inside out. Have they built the update mechanism securely? Is the software running with unnecessary connectivity that could allow for easier malicious compromise?
When security is synonymous with software quality, it is easy to see the immense value a security-aware engineer can bring to the table.
Klicken Sie auf den Link unten und laden Sie das PDF dieser Ressource herunter.
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Bericht ansehenEine Demo buchen
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
A version of this article appeared in Dark Reading. It has been updated and syndicated here.
If ever there was something to ruin Christmas in the cybersecurity industry, it’s a devastating data breach that is on track to becoming the largest cyberespionage event affecting the US government on record.
The SolarWinds attack is far-reaching, with threat actors having initially breached the software as early as mid-2019. This months-long heist was discovered in December 2020 after it was used to infiltrate prominent cybersecurity firm, FireEye, and the nightmare unraveled from there. The full scope of the breach is still being investigated, but key areas of infiltration include US Departments of State, Homeland Security, Commerce, and the Treasury, in addition to the National Institute of Health.
This incident is going to have ongoing aftershocks, but the sheer sophistication of it is fascinating. At a technical level, it is a multi-layered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies we so often see exploiting more obvious errors.
Code laundering at its worst
CrowdStrike has done more of their genius work in reverse-engineering the exploit, and detailing the findings for all to see. It has now come to light that SolarWinds was the victim of an infrastructure breach, allowing malicious code injection into system updates, resulting in at least four separate malware tools opening up unprecedented access for the threat actors.
The method was covert, allowing for a strategic precision that seems straight out of a Jason Bourne novel. It bought time to sniff around, plan, and strike victims outside of the SolarWinds network exactly when they wanted, in a comprehensive supply chain attack. And it was all carried out with code that looked completely benign.
Cyberattacks are often the result of simple, yet costly, errors. And once discovered, the mistakes are fairly obvious; think a poorly configured network, passwords stored in plaintext, or unpatched software that sits vulnerable to known exploits. In this case, the code didn’t stand out at all, and not just to developers and security engineers. A wide myriad of expensive, complex security technology failed to detect it too.
Security monitoring and penetration testing tools were rendered virtually useless
Security professionals tend to be as rare as rocking horse excrement, so they are aided in their quest to secure enormous amounts of company data, software, and infrastructure, by a technology stack that is customized to the security needs of the business. This usually takes the form of components like network firewalls, automated penetration testing, monitoring and scanning tools, with the latter soaking up a lot of time in the software development process. This tooling can quickly spiral and become unruly to manage and execute, with many companies using upwards of 300 different products and services.
SolarWinds would have an eye-watering array of tools to find and highlight security bugs in code, attempted unauthorized network access, potential compromise in any part of the infrastructure, and even pick up on signs of detection evasion. It is unprecedented that these threat actors were able to inject malicious code that went undiscovered even by the most advanced security stack.
Infrastructure hardening - especially access control - are fundamental components of general cybersecurity best practice, but if an attacker can quietly exploit a tiny window of opportunity, then a network can be compromised just the same as a vulnerability in standalone software.
This breach is a reminder that, in general, any company that relies heavily on tools alone to secure its network infrastructure and software is taking an enormous risk. It’s not always enough to protect code; everything storing, running, and compiling it must be equally as fortified. The ideal state is a balance of tools and people, executing a robust strategy that goes deep in assessing and reducing the potential attack surface.
Cross-team security awareness makes for better threat modeling
The SolarWinds breach has already started to make a significant impact on security operations, especially at a government level. Experts are touting that this could reshape cybersecurity practices forever.
An increasingly digital infrastructure powers our lives, and while it can be vulnerable to attack if not meticulously managed, our general strategy is flawed. We are wildly understaffed when it comes to security expertise, yet we’re not doing a whole lot to close the gap. Human-driven security awareness is an underutilized element of cybersecurity, as is making prevention - rather than reaction - a priority.
Infrastructure security is a complex undertaking with many moving parts, but, similar to how they are positioned in software creation, developers can be an asset in reducing structural risk if properly trained and security-aware.
Threat modeling rarely accounts for supply-chain attacks, despite this type of attack being highlighted as early as 2012 as a key risk that is difficult to prevent with current techniques, and it leaves many companies under-prepared. Software developers could absolutely play a role in prevention, and it starts with ensuring they are upskilled and able to assess their code integrity from the inside out. Have they built the update mechanism securely? Is the software running with unnecessary connectivity that could allow for easier malicious compromise?
When security is synonymous with software quality, it is easy to see the immense value a security-aware engineer can bring to the table.
Inhaltsverzeichniss
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Eine Demo buchenHerunterladenRessourcen für den Einstieg
Themen und Inhalte der Securecode-Schulung
Unsere branchenführenden Inhalte werden ständig weiterentwickelt, um der sich ständig ändernden Softwareentwicklungslandschaft unter Berücksichtigung Ihrer Rolle gerecht zu werden. Themen, die alles von KI bis XQuery Injection abdecken und für eine Vielzahl von Rollen angeboten werden, von Architekten und Ingenieuren bis hin zu Produktmanagern und QA. Verschaffen Sie sich einen kleinen Einblick in das Angebot unseres Inhaltskatalogs nach Themen und Rollen.
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
Ressourcen für den Einstieg
Cybermon is back: Beat the Boss KI-Missionen jetzt auf Abruf verfügbar
Cybermon 2025 Beat the Boss ist jetzt das ganze Jahr über in SCW verfügbar. Setzt fortschrittliche KI/LLM-Sicherheitsanforderungen ein, um die sichere KI-Entwicklung in einem großen Maßstab zu stärken.
Cyber-Resilienz-Gesetz erklärt: Was das für die Entwicklung von Secure by Design-Software bedeutet
Erfahren Sie, was der EU Cyber Resilience Act (CRA) verlangt, für wen er gilt und wie sich Entwicklungsteams mit sicheren Methoden, der Vorbeugung von Sicherheitslücken und dem Aufbau von Fähigkeiten für Entwickler darauf vorbereiten können.
