Many people are familiar with the SolarWinds attack, which impacted a slew of high-level government agencies and major corporations across North America, Europe, Asia, and the Middle East. Malicious code was embedded in a legitimate, digitally signed update to SolarWinds' Orion platform, giving the threat actor backdoor access into the networks of every customer that installed it. This sophisticated attack enabled the threat actors to penetrate the networks of even the most mature cybersecurity organizations, leaving up to 18,000 customers worldwide potentially exposed.
The techniques used in the SolarWinds attack have been covered in detail in the media. Less attention has been paid to the type of risk the attack represents: concentration risk. This is what happens when a large number of customers depend on a single technology vendor: one successful intrusion at the vendor can impact thousands of companies at once.
This type of risk exists with many cloud-based technology providers, whose solutions and services, ranging from endpoint detection and response (EDR) tools to cloud infrastructure and managed security, are built to serve tens of thousands of customers across industries and geographies. Many of these vendors hold privileged access into customer networks (an EDR agent, for instance, runs with the highest privileges on every endpoint it protects), and they tend to become inherently trusted as part of the fabric of their customers' operations.
That also makes these vendors particularly tempting targets for sophisticated threat actors, and breaches of them happen more often than people imagine. Cybercriminals and advanced persistent threat (APT) groups consistently target even the most secure environments: the effort required to break in is extremely high, but so is the payoff. One successful intrusion can give the threat actor access to an entire geography or industry, or more.
Factoring in concentration risks
Typically, when Chief Information Security Officers (CISOs) and their cybersecurity teams prioritize risks, the highest priority goes to high-probability, high-frequency direct attacks such as ransomware or data breaches. However, as the SolarWinds attack shows, concentration risk belongs in the broader "third-party risk" discussion, particularly as security teams build their incident response plans.
Unfortunately, these third-party concentration risks tend to fall lower on the priority list. Yet any sound cyber program should consider both direct targeting and indirect targeting through third parties. Companies today exist as part of a broader digital ecosystem, and understanding how members of that ecosystem could become threat vectors lets cyber teams plan an appropriate response. It is also important to identify the concentration points within that ecosystem, such as partners with thousands of customers, and to recognize that those partners are the most likely to be attacked by sophisticated threat actors. Because such vendors are trusted, often with privileged access, the damage from a breach can be far greater than from other types of attack.
Similarly, incident response planning must address the specific characteristics of this class of adversary. For example, once a compromise is detected, it may be necessary to resist the temptation to begin containment immediately. A sophisticated adversary is likely to have moved laterally through the network and to have installed additional malware or backdoors to maintain access; containing the first foothold prematurely can alert them, prompting them to switch to those secondary channels or destroy evidence. It is often more prudent to first establish the full extent of the intrusion and then remediate every foothold in one coordinated action.
Understanding potential concentration risks may involve delving into third-party liabilities and obligations, or categorizing vendors by the access they hold and mapping the scope of the larger supplier ecosystem, including the vendors those vendors in turn rely on. By defining the potential sources of this risk in advance, mitigation strategies can be built into incident response plans, so that the next time a SolarWinds-class attack occurs, the steps toward a successful response are already defined. Planning in this way is an important part of becoming a resilient enterprise.
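The mapping exercise above, as an added worked example that is not part of the original article or any Deloitte tooling: a small vendor inventory that records which assets each vendor can touch, at what privilege, and which other vendors it holds credentials for (a managed security provider operating the EDR console, say). From that, the script computes each vendor's blast radius, ranks vendors by concentration risk, flags assets where several vendors hold admin, and produces the list of assets to sweep before containment begins. All vendor names, asset names, privilege levels and weights are constructed for illustration and are assumptions, not data from the article.

```python
from collections import deque

# Rough weight of what a compromised vendor could do with each access level.
PRIV_WEIGHT = {"admin": 3, "write": 2, "read": 1}

# Constructed sample inventory for illustration; vendor and asset names are
# hypothetical and not taken from the article.
#   access:    assets the vendor touches, with the privilege it holds there
#   relies_on: vendors whose credentials or consoles this vendor holds, so a
#              breach of this vendor also exposes their access (fourth parties)
INVENTORY = {
    "edr-agent": {
        "access": {"laptop-fleet": "admin", "servers": "admin"},
        "relies_on": [],
    },
    "mssp": {
        "access": {"siem": "write"},
        "relies_on": ["edr-agent"],  # MSSP analysts operate the EDR console
    },
    "it-monitoring": {
        "access": {"servers": "admin", "network-core": "admin"},
        "relies_on": [],
    },
    "payroll-saas": {
        "access": {"hr-data": "read"},
        "relies_on": [],
    },
}


def blast_radius(inventory, compromised):
    """Assets reachable if `compromised` is breached, with the highest
    privilege an attacker would gain on each, following relies_on edges."""
    reached = {}
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        vendor = queue.popleft()
        for asset, priv in inventory[vendor]["access"].items():
            if PRIV_WEIGHT[priv] > PRIV_WEIGHT.get(reached.get(asset), 0):
                reached[asset] = priv
        for dep in inventory[vendor]["relies_on"]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return reached


def concentration_score(inventory, vendor):
    """Sum of privilege weights across the vendor's blast radius."""
    return sum(PRIV_WEIGHT[p] for p in blast_radius(inventory, vendor).values())


def rank_vendors(inventory):
    """Vendors ordered from highest to lowest concentration risk."""
    return sorted(((v, concentration_score(inventory, v)) for v in inventory),
                  key=lambda item: (-item[1], item[0]))


def shared_privileged_assets(inventory):
    """Assets where two or more vendors hold admin: a breach of any one of
    them lands an attacker there, so these deserve the closest monitoring."""
    holders = {}
    for vendor, entry in inventory.items():
        for asset, priv in entry["access"].items():
            if priv == "admin":
                holders.setdefault(asset, []).append(vendor)
    return {a: sorted(v) for a, v in holders.items() if len(v) > 1}


def scoping_checklist(inventory, compromised):
    """Assets to sweep for the adversary's footholds before containment
    starts, highest privilege first."""
    reach = blast_radius(inventory, compromised)
    return sorted(reach, key=lambda a: (-PRIV_WEIGHT[reach[a]], a))


if __name__ == "__main__":
    for vendor, score in rank_vendors(INVENTORY):
        print(f"{vendor:15s} score={score} reach={blast_radius(INVENTORY, vendor)}")
    print("shared admin assets:", shared_privileged_assets(INVENTORY))
    print("scope before containing mssp:", scoping_checklist(INVENTORY, "mssp"))
```

Note that the MSSP outranks the EDR vendor even though it holds only write access to one system: the credentials it keeps for the EDR console carry the EDR agent's admin reach with them. That is the fourth-party effect the ranking is meant to surface, and it is also why the scoping checklist for an MSSP breach starts with the endpoint fleet rather than the SIEM.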
Amir Belkhelladi leads our Canadian Cyber Risk Practice and has nearly 20 years of experience in cyber security, focusing on strategic advice and leadership of significant global cyber security transformation programs. Prior to joining Deloitte, Amir served as Accenture France’s security practice leader after working at Lloyds Bank as group chief security architect and group operations chief technology officer.
Nicolas serves as Deloitte's Global Financial Crime Risk leader and is a Partner at Deloitte Continental Europe based in France. Before joining Deloitte, Nicolas spent 15 years at French FSI supervisory authorities. With more than 25 years' experience in regulation and compliance, Nicolas has supported a wide range of clients and industries, assisting them in running global compliance and remediation programs and transforming their operational processes. This includes the design and delivery of financial crime operating models and the implementation or optimization of processes and innovative solutions in areas such as risk assessment, KYC, transaction monitoring and filtering, screening, systems and controls, alert optimization, and shared services. Nicolas has also worked closely with regulators and counsel, and he coordinates a global, multidisciplinary team that assists our clients in FSI and other industries in navigating financial crime challenges.
Loucif Kharouni is the Senior Manager of Service Delivery for Global Threat Intelligence services and advisory at Deloitte. He leads multiple remote teams of highly skilled intelligence analysts and advisory professionals across the US, Europe, and Asia Pacific. Loucif has a background in cyber-criminal methodology and behavior and has extensive expertise in threat intelligence methodologies and programs. He has written, discussed, and presented on topics that include targeted attacks, financial threats, bulletproof hosting providers, and the cybercrime economy. Prior to Deloitte, Loucif worked for the Trend Micro FTR research team and led investigations into threat actors that resulted in multiple arrests in collaboration with various law enforcement agencies. Loucif has spoken at various professional cybercrime conferences over the years, such as CERT-EE, Virus Bulletin, M3AAWG, APWG, SERENE-RISC, and RISE.