They are some of the biggest names in technology and cybersecurity.
And this week, they testified in front of the U.S. Senate Intelligence Committee about the SolarWinds supply chain attack and the state of cybersecurity.
The hearings, like most in Congress, lasted hours. However, SecureWorld has picked out 10 quotes that speak to the state of information security and the mindset of these leaders from corporate America.
Every top 10 list has to start somewhere. In this case, let's begin with FireEye CEO Kevin Mandia. He told the Senate Intelligence Committee that as he sat testifying, his employees were in the middle of incident response for more than 150 computer intrusions at large organizations around the globe.
Now, to a few of his quotes.
1. On why the cyberattack against SolarWinds is different:
"Based on the knowledge gained through our years of experience responding to cyber incidents, we concluded that we were witnessing an attack by a nation with top-tier offensive capabilities.
This attack was different from the multitude of incidents to which we have responded throughout the years.
The attackers tailored their capabilities specifically to target and attack our company (and their other victims). They operated clandestinely, using methods that counter security tools and forensic examination. They also operated with both constraint and focus, targeting specific information and specific people, as if following a collection requirement.
They did not perform actions that were indiscriminate, and they did not appear to go on 'fishing expeditions.' Such focused targeting, combined with the novel combination of techniques not witnessed by us or our partners in the past, contributed to our conclusion that this was a foreign intelligence actor."
2. On how SUNBURST, FireEye's name for the malicious code the attackers inserted into SolarWinds Orion updates, was disabled:
"As part of FireEye's continued analysis of SUNBURST, we identified a feature in the code that prevented SUNBURST from continuing to operate. Such features are sometimes referred to as 'kill switches.' FireEye collaborated with GoDaddy and Microsoft to enact this kill switch.
Although this did not remove the intruders from victim networks that they had already infiltrated, it made it much more difficult, if not impossible, for the intruders to leverage SUNBURST."
3. On creating a confidential and non-punitive information sharing framework, like the FAA operates regarding aircraft safety:
"Speed is critical to the effective disruption or mitigation of an attack by an advanced threat actor. However, challenges today prevent entities from sharing cyber threat intelligence. For example, organizations are concerned about public disclosure and the liabilities that stem from a breach. Fears over class action lawsuits, reduction to shareholder value, and public negative sentiment create an environment in which organizations are reluctant to voluntarily or rapidly share information.
A confidential information sharing solution should ensure a consistent flow of two-way information sharing between the public and private sectors to help maximize the ability to resolve and consider attribution."
In an interesting twist, Microsoft President Brad Smith started his testimony by praising FireEye and explaining the need for transparency. It is our #4 quote in this top 10 list.
4. Thanks to FireEye for uncovering the SolarWinds attack:
"The fact that we are here today, discussing this attack, dissecting what went wrong, and identifying ways to mitigate future risk, is occurring only because my fellow witness, Kevin Mandia, and his colleagues at FireEye, chose to be open and transparent about what they found in their own systems, and to invite us at Microsoft to work with them to investigate the attack.
Without this transparency, we would likely still be unaware of this campaign. In some respect, this is one of the most powerful lessons for all of us. Without this type of transparency, we will fall short in strengthening cybersecurity."
5. On the attack vectors used beyond the SolarWinds Orion updates, and the bad actor's motivation:
"The Russians did not just want to get inside the houses of the victims. They wanted to find the most interesting valuables, which to them meant reading, examining, and in some cases taking data and information. Just as they used many ways to initially attack their victims and open a back door, they also used a variety of ways to compromise identity.
It is important to understand this aspect of the attack: unlike some attacks that take advantage of vulnerabilities in software, this attack was based on finding and stealing the privileges, certificates, tokens or other keys within on-premises networks (which together is referred to as 'identity') that would provide access to information in the same way the owner would access it. This approach was made much easier in networks where basic cybersecurity hygiene was not being observed—that is, where the keys to the safe and the car were left out in the open."
6. On the fact that many SolarWinds attack victims have not revealed they were hit in the cyberattack, and some may not even know:
"We know that what lies on the surface is only part of this attack's story, and we all should remain focused on what is not yet known. The victims that have been revealed to the public represent an important portion of the problem, but they are like the tip of the iceberg, and we do not know what lies beneath the surface.
This is especially pertinent in this case because all of the attacks we've identified started 'on premise,' meaning on a server physically within an organization's presence. And yet we only have direct visibility to the attack when it then moved to the cloud. As a result, customers that haven't yet migrated to the cloud are more likely to be continued and undiscovered victims.
We do know that there are other companies whose customers have been compromised but who have not revealed victim information publicly."
7. Some things never change. Many organizations hard hit by the attack failed at cyber hygiene:
"What we found in several cases was troubling. Basic cyber hygiene and security best practices were not in place with the regularity and discipline we would expect of federal customers with the agencies’ security profiles.
In most cases, multi-factor authentication, least privileged access, and the other requirements to establish a 'zero trust' environment were not in place. Our experience and data strongly suggest that had these steps been in place, the attacker would have had only limited success in compromising valuable data even after gaining access to agency environments."
SolarWinds CEO Sudhakar Ramakrishna also pushed for increased cybersecurity collaboration between government and the private sector.
However, his most interesting quote, in our opinion, makes the #8 spot on our top 10 cybersecurity quote list.
8. SolarWinds CEO on why you should stop calling it the 'SolarWinds cyberattack':
"As testimony from cybersecurity expert Dmitri Alperovitch to the House Homeland Security Committee last week demonstrates, facts now reveal that the description of this issue as the 'SolarWinds attack' is a misnomer.
CISA's Acting Director Brandon Wales echoed this sentiment in an interview with the Wall Street Journal.
Our nation faces a persistent, determined effort by adversarial nation states to attack, compromise, and exploit the software supply chain, and labeling it as the SolarWinds attack improperly narrows the scope of the threat."
9. On information sharing, and just a reminder, this goes beyond SolarWinds:
"We believe that the entire software industry should be concerned about the nation state attack as the methodologies and approaches that the threat actor(s) used can be replicated to impact software and hardware products from any company, and these are not SolarWinds specific vulnerabilities.
To this end, we are sharing our findings with the broader community of vendors, partners, and users so that together, we ensure the safety of our environments."
And let's round out our top 10 cybersecurity quote list with testimony from CrowdStrike CEO and President George Kurtz. He listed a number of specific actions by the threat actor in the SolarWinds attack.
And he spent a good deal of his presentation on how we should go forward, all the way to his final words to the Senate Intelligence Committee:
"I'll close by encouraging the Committee to view cybersecurity holistically. Employing qualified personnel, conducting specialized training, implementing valid methodologies, strategically leveraging third-party capabilities and expertise, and having informed and involved leadership are all critical factors in a successful overarching cybersecurity risk management program."
Risk management is on the agenda at SecureWorld conferences in 2021.
And if you want to read the opening statements from the U.S. Senate testimony relating to the SolarWinds attack, you can do so below:
[Kevin Mandia of FireEye, 2021 Senate testimony]
[Brad Smith of Microsoft, 2021 Senate testimony]
[Sudhakar Ramakrishna of SolarWinds, 2021 Senate testimony]
[George Kurtz of CrowdStrike, 2021 Senate testimony]