Cybersecurity News

H-ISAC Supply-Chain Insights Aim to Prevent Next SolarWinds Cyberattack

Designed in cooperation with AHA, the H-ISAC unveiled new supply-chain cyberattack insights meant to support healthcare providers in preventing another SolarWinds incident.

H-ISAC AHA SOlarWinds Orion platform supply-chain cyberattack compromise guidance

By Jessica Davis

- The Health-ISAC recently published supply-chain cyberattack insights in collaboration with the American Hospital Association, meant to support healthcare provider organizations prevent and respond to enterprise network compromise, in the wake of the SolarWinds Orion incident.

The guidance provides both technical and non-technical strategies and decision-making elements for senior leaders and the C-Suite. The insights shed light on the risks involved with enterprise IT systems within the network environment.

The massive SolarWinds incident signaled a significant shift in the methods threat actors leverage in their attacks: not just an immediate payout, but to proliferate across as many devices and networks as possible and impacting multiple victims with a single attack.

The advanced persistent threat (APT) actors trojanized the Orion software update last year. In turn, a range of entities unknowingly updated the platform with malware, which gave the attackers access to their systems.

The actors use a number of sophisticated techniques to hide their operations on victims’ networks, while stealthily moving laterally across all connected devices. What’s worse, the actors stored reconnaissance results within legitimate plugin configuration files and hiding within legitimate SolarWinds activities.

In February, the White House reported that at least nine federal agencies and 100 private sector entities were affected by the initial attack. But, having seen the success of the initial APT attack, other hacking groups began targeting the vulnerable systems with various malware variants.

The new H-ISAC Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event report takes aim at the attack methods leveraged by the attackers to support providers in prevention efforts.

The report includes intelligence around the event, including a technical analysis and recommendations for both IT and information security teams. H-ISAC also provided a detailed analysis of the characteristics that enabled the SolarWinds incident to have such a large impact on victims from a range of sectors.

“The SolarWinds incident… is yet another reminder of the ongoing risks lurking in network enterprise networks,” officials wrote. “It’s these supply-chain dependencies and inherent trust models that must be carefully reviewed before, during, and after any implementation to ensure unwanted risks are not introduced into the enterprise network.”

“The ability to extract the characteristics and features of SolarWinds could allow organizations to predict and hopefully prevent the next SolarWinds-like event in their enterprise environments,” H-ISAC officials explained.

Those tasked with risk management within the healthcare enterprise should ask IT vendors and other technical experts about any broad access new and existing technologies provide within the enterprise, particularly around access to sensitive information and business data.

Further, healthcare enterprises need to employ principles of least privilege, network segmentation, and ongoing monitoring to minimize risk during implementation and production of enterprise management systems. Adequate controls, dynamic inventory, and audit and control processes are also necessary to bolstering overall security controls around third-party tech.

Administrators can leverage the insights to better understand the circumstances and elements that made the attack possible, which can help leaders determine the tools and processes needed within the enterprise to prevent a similar attack on the network.

The insights also shed light on past events with similar rippling effects, including the HP OpenView incident of 2009 and 2017’s WannaCry and NotPetya.

H-ISAC provided details into the recent SAP Solution Manager incident, first reported earlier this month. Threat actors are targeting and successfully exploiting SAP vulnerabilities to steal sensitive data or disrupt business operations.

The guidance also provides in-depth information on necessary preventative measures to reduce the risk caused by vulnerability exploits. Administrators will find technical, AHA, and H-ISCA recommendations, as well as available resources to better strengthen cybersecurity processes.

Healthcare entities should also review guidance from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency for direct SolarWinds insights on remediation, the risks, and post-threat compromise.

"As demonstrated by several examples, the SolarWinds incident was not the first interconnected software failure that affects the devices it controls or has access to," officials wrote. "Centralized administrative software and unknown vulnerabilities have, and always will be, a potential central point of compromise for system and security administrators."

"Administrators should consider their critical data dependencies, business functions, and business relationships with these third-party firms, as their past history of central failure and data compromise will likely continue in the future and will directly and negatively impact an organization if an incident were to occur," they added.