Thanks for starting this topic. It raises the question of whether we really have the tools, context and contacts to respond quickly when it comes to specific risks and our third parties.
Still, the most important question remains (knowing where your nonpublic information is as well as who has access to it):
Whether you have the relationship where you can easily (electronically, phone, email, community) make them aware that you want to know if they use this software and can get a response much sooner than the previous SLAs your cybersecurity onboarding might have communicated.
Key questions: do you need to reach out to all third parties to see whether they use Orion? How do you update your onboarding and potentially contracts to be sure you can?
Most recent response today - Regulators getting ahead of risk
========================================================
RAISING THE BAR:
I was very happy to see regulators were responding to get a clear picture of the risk to covered entities and their affiliates so soon:
Today at 1pm, our regulator asked for immediate notice (as opposed to the normal 72 hour window to notify) if anyone was affected.
"You should notify the Department if your institution was directly impacted by the affected SolarWinds Orion products or if your institution has been notified of an impact by any affiliate who has access to your network or your nonpublic information. ... Given the sophistication and persistence of the malware and the adversary, we ask any affected institution to file a notice immediately. Instructions on how to file notice of a Cybersecurity Event and specific information requested as part of this incident are detailed below."
So ask yourself: how do those covered by the regulator know if a third party (fourth party) that matched the regulator's definition of AFFILIATE would have used SolarWinds? How do you carry out that questioning or interview? Does your existing onboarding capture or even consider product specific risks?
Another point, reading the highlighted text above, if you haven't been notified, do you need to reach out to all third parties to see whether they use Orion?
Monitoring of this Event
===============================
For instance, Dec 14th was the date that I got an alert from this community as well as read alerts from four threat intelligence sources.
A day later we sent out confirmation that we did not have the product (we had used some legacy SolarWinds products for years up to 2018, so I knew we had a hit that we have/had that vendor relationship).
Each day, I received updates from this community and approximately 12 other sources.
Earlier today, one vendor, that DOES NOT USE SOLARWINDS ORION SENT THE FOLLOWING "FAQ".
Q1) Does {this third party vendor} use SOLARWINDS?
[A. No. {Vendor} does not have SolarWinds deployed as part of their infrastructure]
Q2) What has [this third party vendor] done in response to this threat?
[A. They engaged their own SOC and threat hunting teams to find any signs of the threat using 'specially crafted analytics' and (a) ensured any network intrusion detection was updated; and (b) updated vulnerability tools and conducted scans anyway wherever potentially vulnerable assets or nonpublic information was; and (c) actively monitor for any new signatures while following this threat to be placed into the processes that govern (a) and (b). ]
Q3) Where should we go for more information?
[A. They responded with a common knowledge base article any customer who knows how to search can find].
Plus ample information including phone numbers and a way to open a ticket if anyone had questions or needed guidance.
TAKE AWAY:
==================
1. While our Cybersecurity Questionnaire identifies name and contact information, could they get us a focused answer (do you use SolarWinds Orion) across all their entities that provide us services?
2. Do we need to expand our questionnaire to require means to question if vendor has product or feature that has high cybersecurity risk? How can this be done confidentially?
3. Regulators are clearly taking advantage of the 72 hour notice requirements -- which is good to see taxpayer money at work.
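The post above asks two practical questions: which third parties still need the focused "do you use Orion?" question, and which answers would trigger the regulator's immediate-notice rule for an affiliate with access to your network or nonpublic information. The script below is an added example written for this thread, not code from any poster or vendor. The vendor records, the 72 hour follow-up window and the priority ordering are all constructed assumptions; only the affiliate test (network access or nonpublic information) comes from the quoted regulator text.

```python
"""
Added example (not part of the original thread): a small triage helper for
third-party outreach after a product-specific event such as SolarWinds Orion.

It answers the two questions raised in the thread:
  1. Which vendors do we still need to ask "do you use Orion?", and in what order?
  2. Which responses trigger the regulator's "notify immediately" rule, i.e. an
     affiliate with access to our network or our nonpublic information that
     reports being impacted?

All vendor records below are constructed sample data, not real vendors.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    critical: bool                # on our critical-supplier list
    network_access: bool          # affiliate has access to our network
    holds_npi: bool               # holds our nonpublic information
    uses_orion: Optional[bool]    # None = focused question not yet answered
    impacted: Optional[bool]      # None = not yet answered
    asked_at: Optional[datetime]  # when the focused question was sent, if at all


# Hypothetical internal follow-up window, chosen to mirror the usual 72 hour
# notice period mentioned in the thread; not a regulator requirement.
OUTREACH_SLA = timedelta(hours=72)


def is_affiliate(v: Vendor) -> bool:
    """The affiliate test quoted from the regulator: network access or nonpublic information."""
    return v.network_access or v.holds_npi


def outreach_priority(v: Vendor) -> int:
    """Lower is more urgent: critical affiliates first, then affiliates, then critical, then the rest."""
    return (0 if v.critical else 2) + (0 if is_affiliate(v) else 1)


def pending_outreach(vendors: List[Vendor], now: datetime) -> List[Tuple[str, bool]]:
    """Vendors that have not answered the Orion question, most urgent first.

    Each entry is (name, overdue), where overdue is True when the question was
    sent more than OUTREACH_SLA ago and is still unanswered.
    """
    pending = [v for v in vendors if v.uses_orion is None]
    pending.sort(key=lambda v: (outreach_priority(v), v.name))
    return [
        (v.name, v.asked_at is not None and now - v.asked_at > OUTREACH_SLA)
        for v in pending
    ]


def requires_immediate_notice(vendors: List[Vendor]) -> List[str]:
    """Affiliates that reported an impact: these drive our own filing with the regulator."""
    return sorted(v.name for v in vendors if is_affiliate(v) and v.impacted)


def needs_followup_questions(vendors: List[Vendor]) -> List[str]:
    """Vendors that confirmed Orion but have not yet said whether they were impacted."""
    return sorted(v.name for v in vendors if v.uses_orion and v.impacted is None)


# Constructed sample inventory (names and facts are invented for the example).
NOW = datetime(2020, 12, 18, 14, 0)
SAMPLE = [
    Vendor("Acme Payroll", True, False, True, None, None, datetime(2020, 12, 14, 9, 0)),
    Vendor("Beta Hosting", True, True, True, True, True, datetime(2020, 12, 15, 9, 0)),
    Vendor("Gamma Print", False, False, False, None, None, None),
    Vendor("Delta MSP", False, True, False, True, None, datetime(2020, 12, 17, 16, 0)),
    Vendor("Epsilon Catering", False, False, False, False, False, datetime(2020, 12, 15, 9, 0)),
]


if __name__ == "__main__":
    print("Still to ask (name, overdue):", pending_outreach(SAMPLE, NOW))
    print("File immediate notice for:", requires_immediate_notice(SAMPLE))
    print("Ask about impact:", needs_followup_questions(SAMPLE))
```

Run as a script it prints the three lists; imported, the functions can be pointed at a real vendor inventory exported from an onboarding or GRC system. The priority ordering is the point worth adapting: it uses the regulator's affiliate definition rather than spend or contract size to decide who gets asked first.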
Original Message:
Sent: 12-18-2020 01:59 PM
From: Kate Wakefield
Subject: SolarWinds Hack - List of impacted customers
Dave -
I would not expect Solarwinds to release a list of affected customers. If you were one of their customers, you would not want your vulnerability advertised all over the Internet for bad actors to see.
It is possible to pull some high-profile logo lists from the Internet Archive / Wayback Machine, for instance from this URL (which has been pulled since Mon) https://www.solarwinds.com/fr/company/customers
However, I would caution you that the list of customers is over 330,000, many of which did not use the Orion network management software. Solarwinds stated that 18,000 of the 33,000 Orion customers had downloaded the infected versions of the software. So you can't be sure from any public list who may have been actually infected.
I think the only thing you can do is reach out to your most critical vendors and ask them whether they were impacted and if so, what remediation they have put in place. If they are software developers, you can ask them about their code handling and code signing practices to ensure they have good hygiene in place.
Original Message:
Sent: 12-18-2020 11:00 AM
From: Dave Pendroy
Subject: SolarWinds Hack - List of impacted customers
Following up on Carlos' email to see if a list of impacted suppliers was published yet. We don't think we were directly impacted either but want to do more due diligence on our third/fourth party suppliers. At the very least, we may contact our critical suppliers to see if they were impacted. Is anyone taking a similar approach? Appreciate any insight. Happy holidays!
Original Message:
Sent: 12-14-2020 11:34 PM
From: Carlos Victoria
Subject: SolarWinds Hack - List of impacted customers
Hi,
The SolarWinds hack has impacted approximately 18,000 of its customers (those using the vulnerable versions of the Orion product). Does anyone know if the list of 18,000 potentially impacted customers has been made public? Although my company has not been directly impacted, I would like to know if any of our third parties have.
More info here: SEC filings: SolarWinds says 18,000 customers were impacted by recent hack | ZDNet