Newsletter #5: SolarWinds Hacked, CISA Issues Emergency Directive

So what I WAS going to talk about was the FireEye hack last week and threat modeling, but as I sat down to write this, my Twitter and Slack were blowing up about the SolarWinds hack.

Let me bring you up to speed. FireEye’s Red Team tools were stolen last week by an advanced adversary. This means that some group out there now has a whole bunch of very sophisticated hacking tools, similar to when the NSA got hacked several years ago. FireEye handled it well, though, and published signatures and countermeasures for their tools.

Now, it turns out that SolarWinds’s Orion product got hacked as early as March. How did it happen? The attackers got into SolarWinds’s software updates, so when customers updated, they received infected versions of the software.

SolarWinds is used by major networks and enterprises all over the world. AWs and even FWIU use it. This seems to mean that an adversary out there had a foothold in tons of networks globally. 🙁

The details are still coming out, but it is so bad that CISA issued an Emergency Directive. If you are using this product, shut it down and activate your IR plans.

What does this mean? Well, this is a good lesson for proper Threat Modeling and Defense in Depth. It also goes back to the assumption: assume your network is compromised already. These are huge terms, and I apologize for not explaining them here, but I will in the future. Or, see my articles on ZeroTrust and Reflection from the Twitter Hack.

Looks like I need a long article on Threat Modeling.

That’s it for now. Stay safe.

Ayman

PS. Regarding last week’s recommendation for setting up a catch-all email, I just want to note it’s YMMV. If you are a large enterprise, it might not be worth it for you and may even cause more spam/noise for you and your teams. Thanks to the reader for the reminder!


This article was previously posted in the Newsletter.
