By:
Derek B. Johnson

, SolarWinds spurs investment in threat hunting, supplier vetting
Organizations that boosted security budgets in response to the SolarWinds hack invested the most in threat hunting. (“SolarWinds letters” by sfoskett is licensed under CC BY-NC-SA 2.0)

Organizations that boosted security budgets in response to the SolarWinds hack invested the most in threat hunting, according to a new survey from DomainTools.

News that first broke late last year of a massive hack leveraging SolarWinds’ Orion IT management software served as a wake-up call for many organizations, spurring renewed interest in software supply chain security.

Now, a new survey from security company DomainTools fleshes out how businesses are reacting to the campaign from a security perspective. The impact on budgets has been modest: just 20% of respondents say their organizations are boosting cybersecurity funding in response to the attack. Of the money spent, the top investment made in response to the hack has been new threat hunting capabilities, followed by incident response/forensic tools and more security staff to mitigate threats. Organizations also looked to move towards zero trust security processes and access policies.

The findings reflect how, in the wake of the SolarWinds breach, proactive threat hunting continues to gain relevance as organizations search ways to track and discover similar software supply chain compromises. This is a shift from a practice deemed relatively niche and obscure previously.

Tim Helming, a security evangelist at DomainTools, believes threat hunting represents one of the best tools in a defender’s box for discovering novel attacks, as long as they have some idea where to look.

“There’s not much under the sun that you couldn’t suss out with good threat hunting techniques,” said Helming, adding that security researchers remain divided over whether better threat hunting could have caught the campaign before FireEye discovered it post-compromise.

“Not every team is going to be doing that and for the ones that are, they’re not necessarily going to know what to hunt for, but what we’ve learned is that whenever there’s an incursion, there are some sort of breadcrumbs left behind,” Helming continued. “So the question becomes: are there other methodologies we can adopt, or changes we can make that will help us get out ahead of these things and catch some of these events” sooner?

About one in five respondents said their organization was directly affected by the campaign. Of that group, only a small minority 20% have been able to confirm that their organization was compromised, while more than 60% are still investigating whether that’s the case. While research and incident response activities were often involved, the most common activity cited was putting together status reports for managers, underscoring how the fallout from the hack has risen to the top of many boardroom agendas.  

There will likely also be a lasting impact on the way enterprises work with third-party vendors or contractors who introduce risk to their network. For instance, nearly half of respondents said the SolarWinds hack pushed their company to require vendors to legally attest that they are following agreed-upon security standards.

Nearly 40% say they are working to isolate and segment vendor software from the rest of their corporate network and about a quarter plan to implement static or dynamic application security testing on outside software before use in their own IT environment. Smaller numbers said they planned to ask current vendors for more detailed security standards as part of their renewal process or make reevaluate their selection due to security concerns.

In addition to addressing security and liability questions, that work can sometimes feed directly into an organization’s threat hunting process.

“You’re going to see third party software under more scrutiny than it’s been before and so if you’ve got your ear to the ground for potential flaws, vulnerabilities or artifacts to hunt on, then that’s going to give you some focus for your hunting that’s a little different perhaps than you might have had before,” said Helming.  

However, threat hunting can be highly specific to an organization’s size, industrial sector, geographic location, business goals and other circumstance. It often can’t be purchased out of the box, and tools often requires a certain level of internal security maturity at an organization to be correctly leveraged.

David Etue, CEO of managed threat intelligence provider Nisos, told SC Media in an interview last month that some organizations neglect more fundamental security goals — like complete or near complete visibility of endpoint data, a grasp of baseline internal network activity and hiring the right personnel – that are foundational for any good threat hunting program.

“At a simple level, the goal of a [Security Operations Center] is to take activity and understand whether it’s benign, suspicious or malicious,” said Etue. “If you don’t have those capabilities already ironed out, threat hunting is likely not adding a ton of value, because if you already have suspicious activity on your network that you don’t have a good process to react if it’s benign or malicious, I would probably focus your resources there first.”