“Microsoft, FireEye, and the U.S. Treasury department have been hacked in the SolarWinds attacks.”
This statement is true but doesn’t tell the whole story accurately.
It’s true because, by most people’s understanding, these organizations have been hacked. But it doesn’t tell the whole story accurately, because each of these organizations was affected differently, with different levels of severity, by “the hack.”
A good example of why this matters is how we talk about cancer. Years ago “having cancer” was a binary thing, too. Either you “had cancer” and were going to die or you didn’t. And cancer was often talked about in hushed tones with euphemistic terms — “the C word.”
Because of advances in medicine, this is no longer the case: people can and do survive cancer. So now we talk about cancer more openly in a way that reflects that reality in terms of types of cancer and stages. That helps us understand if it’s a kind of cancer that could be treatable and survivable or one that is untreatable and terminal.
The same is true now about being hacked. Some hacking is catastrophic, but some is survivable. We see this reality in the different reports coming out about “SolarWinds hacks.” Some organizations are severely affected while others less so. But these crucial nuances are lost when we say they’ve all been “hacked.”
There is no standard “hacked scale” that professionals use among themselves, let alone one that laypeople can use. This is one reason why we continue to hear only that someone was “hacked.”
If we’re going to understand the nuances in the SolarWinds cases better, we need to define a scale. Since what matters most in a hack is how far the attackers have spread and how much they can do, the cancer staging system gives a good model to adapt: it tracks the spread and severity of cancer in five stages. We can do the same with hacks.
- Stage 0: The attackers have found or made an entry point into a system or the network (for example, a backdoored software update that was installed) but haven’t used it.
- Stage I: Attackers have control of a single system but haven’t moved laterally from that system to the broader network.
- Stage II: Attackers have moved to the broader network and are in “read-only” mode, meaning they can read and steal data but not alter it.
- Stage III: Attackers have moved to the broader network and have “write” access, meaning they can alter data as well as read and steal it.
- Stage IV: Attackers have administrative control of the broader network, meaning they can create accounts and new means of entry (persistence) as well as alter, read and steal data.
The key factors in these levels are the attacker’s access and control: less of each is better, more is worse.
For instance, SolarWinds has said that as many as 18,000 customers may have installed the tampered update. But this doesn’t mean that 18,000 customers’ networks experienced Stage IV and are fully and totally controlled by the attackers.
The information SolarWinds provides only tells us that those customers experienced at least Stage 0: the attackers may have had a way to get further into the network. Knowing whether the attackers actually went further, and how severely a given customer was affected, requires investigation of that customer’s own environment.
On Dec. 17, Microsoft said it “can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed … we have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.” Taking that statement at face value, Microsoft experienced Stage 0 or Stage I.
FireEye disclosed its own compromise on Dec. 8, a compromise that would turn out to be part of the SolarWinds attacks. That disclosure indicates the attackers were able to steal information but gives no indication that they were able to alter data or gain administrative control of the network, which likely makes what the company experienced a Stage II.
Details of the attack on the U.S. Treasury aren’t as clear, in part because we only have the information second- and third-hand. The New York Times report clearly indicates that the attackers at least had “read” access on the network, which is consistent with Stage II. However, some of the details that have emerged about how the attackers may have reached cloud services imply the possibility that they had achieved Stage IV on the network: getting from an on-premises foothold into cloud services generally means the attackers could obtain or forge the credentials those services trust, which is the kind of administrative control that defines Stage IV.
The goal with any scale is to make things simple but not simplistic. No scale is ever perfect; there will always be ways a scale can obscure critical details. The important thing about a scale like this is that it lets us easily and succinctly understand the relative severity of a situation. What we know does indicate that the Treasury situation is worse than the Microsoft or FireEye situations, and in this regard the scale is accurate and useful.
The key point for everyone now is to understand that “hacked” isn’t a simple binary state: there are different degrees of it. By understanding this we can better assess how serious a situation is and what we need to do in response.