How the open source community helped firms investigate their network activity following SolarWinds

The open source community delivered vital help to companies affected by the SolarWinds attack.

The ramifications of the SolarWinds attack are still unfolding more than four months since the breaches were revealed to the public. One underappreciated facet of the wide-ranging scandal that has engulfed much of the U.S. government and hundreds of major companies involves the powerful role the open source community played in helping enterprises respond to the crisis, according to Greg Bell, co-founder and CSO of cybersecurity company Corelight.

"What happened with the Sunburst malware is that when FireEye/Mandiant discovered the attack and made this sort of amazingly detailed disclosure, they released information about the attack—so called indicators of compromise—in open formats on GitHub, the platform where open source tools are built and where information is shared," Bell said.  

"Companies that participate in that ecosystem were able to take those indicators and rapidly commercialize them and get them out to their customers. And so you saw this global community of defenders acting as one. Mandiant sounds the alarm, puts the indicators out and other companies are able to build on them and deliver them really quickly."

Bell said the crisis showed many cybersecurity firms that the community is stronger when it uses open source interfaces and standards to improve everyone's defensive capabilities.

He noted that FireEye specifically credited Corelight's network analysis tools with helping its team investigate the attack and reconstruct what had happened.

It is difficult, and probably impossible, to detect an intrusion this carefully staged in advance, but with high-quality network data from open source tools, FireEye was able to reconstruct what happened forensically.

FireEye later published almost everything it knew about the attack on GitHub, describing it in a number of open formats, according to Bell. The company turned what it had learned from examining the attack into indicators written in standard, vendor-neutral formats.

"Almost instantly after the blog post went out, the indicators went out and companies consumed that data and it led to kind of this global rush to see what we could do quickly. Some companies were mature enough that they could take those indicators directly. But many organizations aren't that sophisticated so they needed some other company, a vendor, to take those indicators and deliver them on products. That ecosystem of open standards, open data and a platform like GitHub for open sharing, had a big impact," Bell said. 

"If we didn't have that ecosystem, I think the global response would have been slower because FireEye wouldn't have been able to share in such great detail so easily and propagate that information."

Bell said this most recent instance of cooperation is just the most notable of many examples of security and cloud companies joining forces to address vulnerabilities and develop indicators to detect an attack. 

Bell added that open source is "a very helpful ingredient" in the process because it provides neutral platforms and standards, removing the worry that attack indicators might arrive in a proprietary "FireEye format" or some other form that nobody else could read.

"There's a neutral lingua franca that we can all agree on. No language is perfect, but it's expressive enough that we can communicate what the indicators of the attack are and take action independently," Bell said. 

"Most companies don't have the resources of a nation-state and this is one way we can combat that asymmetry, by bringing defenders together into a community. That's one of the great powers of open source." 

The goal, Bell reiterated, is not to prevent the next attack of this kind, but to do a better job of gathering real-time data and building a sort of alarm system, so that when something suspicious happens, people can share their concern.

"The right solution is communal and collective structures of defense, which is in the spirit of open source," Bell said. 

Roy Horev, co-founder and CTO at vulnerability remediation orchestration provider Vulcan Cyber, echoed Bell's remarks, saying in an interview that the SolarWinds hack was much bigger and way more nuanced than just a single vulnerability that needed to be patched or a supply chain back door that needed to be secured.

In this case, flaws were exploited in both proprietary and open source code, Horev explained. 

"To get SunBurst fixed requires a coordinated effort between a massive and willing open source community and the closed-source software vendors," Horev said. "Open source software development practices have been and will be a great help, but there has been no better time for the commercial and open source software development camps to join forces and get the fix done."

In an interview, RiskRecon CEO Kelly White added that open source intelligence is becoming more important because enterprises have become so complex, with complicated webs of departments, companies, vendors and partners that are operating systems and services on their behalf. 

White said that in order to understand the risk associated with something like SolarWinds, it "really does take open source intelligence to stay on top of, understand and manage your risk exposure."

RiskRecon assists organizations in managing the risk reality of increasingly interconnected IT ecosystems by delivering actionable security performance measurements, according to White, putting them right at the nexus of what happened with SolarWinds. 

"In the case of SolarWinds, there's many ways open source intelligence has helped organizations. It helped identify the compromise or exposure of an enterprise's own network and helped understand their exposure as it relates to the broader ecosystem of vendors and partners that they depend on," White said.  

"RiskRecon monitors the DNS traffic of the internet, and so through our analysis of about 150,000 command and control server communications, we were able to pinpoint 129 companies that were actively signaling out for remote control to the SolarWinds command and control infrastructure."

White said the company developed the list of 129 companies and in some cases shared the information directly with the company if they knew someone there. For the companies where they did not have a contact, they sent the entire list to a non-profit organization that could notify and help the companies that had been compromised.  

White noted that their list included a division of the United Nations, a major electric car manufacturer, a U.S. defense contractor and other enterprises. They even provided the list to their own customers so that if they are doing business with any of the affected companies, they would be aware and could reach out themselves. 

Using open source intelligence, RiskRecon was also able to continuously port scan the entire internet and identify some of the applications and technology in use at particular companies, which gave it clues as to who was operating SolarWinds Orion. That allowed it to notify other organizations that were running the compromised software and needed to investigate.
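As an added example (not code from Corelight, FireEye/Mandiant or RiskRecon), the following script puts the workflow that both Bell and White describe into one place: it parses a constructed indicator bundle in STIX 2.1, one of the open formats FireEye used, and runs the domain indicators over a constructed excerpt of a Zeek dns.log (Corelight's sensors are built on the open source Zeek monitor, so that is the log format a Corelight-equipped responder would have on hand). Every domain, address and UUID in it is a placeholder; the real SUNBURST indicators are not reproduced. Two things it handles that a naive grep does not: it reports indicators this consumer cannot act on instead of silently dropping them, and it matches subdomains of an indicator while refusing lookalike names that merely end in the same string.

```python
"""Consume indicators published in an open format and run them over DNS logs.
Added example, not Corelight, FireEye/Mandiant or RiskRecon code. The STIX
bundle and the Zeek dns.log excerpt are constructed; every domain, IP and UUID
is a placeholder, not a real SUNBURST indicator."""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle: the vendor-neutral format any consumer can parse.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0f2b4a4e-7c5b-4d3a-9d1e-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--0f2b4a4e-7c5b-4d3a-9d1e-000000000002",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2-beacon.example.net']"},
        {"type": "indicator", "id": "indicator--0f2b4a4e-7c5b-4d3a-9d1e-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.org'] OR "
                    "[domain-name:value = 'cdn.example.org']"},
        # Not a domain: a DNS-log consumer must report it, not silently drop it.
        {"type": "indicator", "id": "indicator--0f2b4a4e-7c5b-4d3a-9d1e-000000000004",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10']"},
        {"type": "malware", "id": "malware--0f2b4a4e-7c5b-4d3a-9d1e-000000000005",
         "name": "placeholder-backdoor", "is_family": False},
    ],
})

# One domain-name equality comparison inside a STIX observation expression.
DOMAIN_CMP_RE = re.compile(r"\[\s*domain-name:value\s*=\s*'([^']+)'\s*\]")

def load_domain_indicators(bundle_json):
    """Return ({domain: indicator_id}, [ids this consumer could not act on]).
    Only domain equality comparisons joined by OR are understood, which is what
    domain feeds usually carry; anything else is reported in the second value."""
    domains, unparsed = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        pattern = obj.get("pattern", "")
        values = DOMAIN_CMP_RE.findall(pattern)
        # Text left after removing parsed comparisons and OR glue is an operator
        # or object type (AND, NOT, ipv4-addr, file hashes) we cannot act on.
        leftover = DOMAIN_CMP_RE.sub("", pattern).replace("OR", "").strip()
        if obj.get("pattern_type", "stix") != "stix" or not values or leftover:
            unparsed.append(obj["id"])
            continue
        for value in values:
            domains[value.lower().rstrip(".")] = obj["id"]
    return domains, unparsed

# Constructed Zeek dns.log excerpt (TSV). Real logs carry more columns, so the
# parser takes column names from the #fields header rather than fixed positions.
ZEEK_DNS_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tanswers\n"
    "1607860801.123\tCx1\t10.0.5.17\t51234\t10.0.0.53\t53\tk3j2h4.c2-beacon.example.net\t192.0.2.10\n"
    "1607860802.456\tCx2\t10.0.5.17\t51235\t10.0.0.53\t53\twww.corp.example.com\t198.51.100.7\n"
    "1607860803.789\tCx3\t10.0.8.42\t51236\t10.0.0.53\t53\tcdn.example.org\t203.0.113.5\n"
    "1607860804.012\tCx4\t10.0.5.17\t51237\t10.0.0.53\t53\tq9x8.c2-beacon.example.net\t192.0.2.11\n"
    "1607860805.345\tCx5\t10.0.9.9\t51238\t10.0.0.53\t53\tnotc2-beacon.example.net\t-\n"
    "#close\t2020-12-13-12-00-05\n"
)

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the #fields header; skip comment lines."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def domain_matches(query, domains):
    """Return the indicator domain that query equals or sits under, else None.
    Feeds list parent domains while beaconing hosts use per-victim subdomains,
    so exact equality would miss them; requiring a '.' before the indicator
    keeps notc2-beacon.example.net from matching c2-beacon.example.net."""
    q = query.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None

def find_beacons(log_text, domains):
    """Return {orig_h: {indicator_domain: query_count}} for a dns.log.
    Counting per host separates a one-off lookup from a host calling home."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse_zeek_log(log_text):
        d = domain_matches(rec["query"], domains)
        if d:
            hits[rec["id.orig_h"]][d] += 1
    return {h: dict(c) for h, c in hits.items()}

if __name__ == "__main__":
    domains, unparsed = load_domain_indicators(STIX_BUNDLE)
    print("indicators this consumer could not act on:", unparsed)
    for host, counts in sorted(find_beacons(ZEEK_DNS_LOG, domains).items()):
        print(host, counts)
```

Run it directly and it prints the one indicator it could not act on, followed by each host that queried an indicator domain and how many times. On a real deployment the dns.log would be streamed from the sensor and the bundle refreshed from the published repository, but the matching logic is unchanged, and the per-host count is the same signal White describes when distinguishing hosts that were "actively signaling out" from incidental lookups.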

"All this body of information comes together to help organizations understand this key question: what is my exposure to SolarWinds? What should I do about it? Because of the speed and complexity of enterprises and their interconnected ecosystems of hundreds and sometimes thousands of partners, that open source intelligence is really becoming a primary way for understanding your risk," White said. 

"Companies operate in this really big, complex ecosystem and to manage their risk, they need to do so for their own company, but also for those vendors and partners they depend on. The open source intelligence enables companies to understand that larger risk and to collaborate together to share this information, this intelligence with each other and to improve the overall security posture of all organizations."
