
“Microsoft, FireEye, and the U.S. Treasury department have been hacked in the SolarWinds attacks.”

This statement is true but doesn’t tell the whole story accurately.

It’s true because by most people’s understanding, these organizations have been hacked. But it doesn’t tell the whole story accurately because each of these organizations has had different impacts with different levels of severity from “the hack.”

A good example of why this matters is how we talk about cancer. Years ago “having cancer” was a binary thing, too. Either you “had cancer” and were going to die or you didn’t. And cancer was often talked about in hushed tones with euphemistic terms — “the C word.”


The same is true now about being hacked. Some hacking is catastrophic, but some is survivable. We see this reality in the different reports coming out about “SolarWinds hacks.” Some organizations are severely affected while others less so. But these crucial nuances are lost when we say they’ve all been “hacked.”

There is no “hacked scale” that is used by professionals, let alone that can be used by laypeople. This is one reason why we continue to just hear about “hacked.”

If we’re going to understand the nuances in the SolarWinds cases better, we need to define a scale. Since the most important things in a hack are its spread and severity, the cancer staging system offers a good model, because it tracks the spread and severity of a cancer across five stages. We can do the same thing with hacking.

  • Stage 0: The attackers have found or made an entry point to systems or the network but haven’t used it or have taken no action.
  • Stage I: Attackers have control of a system but haven’t moved beyond that system to the broader network.
  • Stage II: Attackers have moved to the broader network and are in “read-only” mode, meaning they can read and steal data but not alter it.
  • Stage III: Attackers have moved to the broader network and have “write” access to it, meaning they can alter data as well as read and steal it.
  • Stage IV: Attackers have administrative control of the broader network, meaning they can create accounts and new means of entry to the network as well as alter, read and steal data.

The key factors in these levels are the attacker’s access and control: less of each is better, more is worse.

For example, SolarWinds has said that 18,000 customers were impacted. But this doesn’t mean that 18,000 customers’ networks experienced Stage IV and are fully and totally controlled by the attackers.

The information SolarWinds provides only tells us that those customers experienced Stage 0: the attackers may have had a way to get further into the network. To know if attackers did go further and customers were more severely affected requires more investigation.

On December 17, Microsoft said it “can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed … we have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.” Taking the information at face value, that would seem to indicate that Microsoft experienced Stage 0 or Stage I.


Details of the attack on the U.S. Treasury aren’t as clear, in part because we only have the information second- and third-hand. The information in the New York Times report clearly indicates that the attackers at least had “read” access on the network, which is consistent with Stage II. However, some of the details that have emerged about how the attackers may have gained access to cloud properties imply the possibility that the attackers had achieved Stage IV on the network.
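To make the scale concrete, here is a small added example (not from the article) that records an incident responder’s findings and maps them onto the five stages above. The finding names, the Incident structure and the three constructed cases are assumptions of this example; the stage meanings follow the list in the text. Because most real reports are incomplete, it returns a range: the stage proven by confirmed findings and the stage that suspected findings would imply, which is the same distinction the article draws between “Stage 0 or Stage I” for Microsoft and “Stage II, possibly Stage IV” for the Treasury.

```python
"""Map incident findings to the five-stage 'hacked scale' described above.

Added illustration, not part of the original article. The finding vocabulary,
the Incident structure and the sample cases are assumptions of this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Stage(IntEnum):
    """Stages ordered by attacker access and control (higher is worse)."""
    STAGE_0 = 0    # entry point found or made, but not used
    STAGE_I = 1    # control of one system, no movement beyond it
    STAGE_II = 2   # broader network, read-only (can read and steal data)
    STAGE_III = 3  # broader network, write access (can alter data)
    STAGE_IV = 4   # administrative control (new accounts, new entry points)


LABELS = {s: f"Stage {n}" for s, n in zip(Stage, ["0", "I", "II", "III", "IV"])}

# Assumed finding vocabulary a responder might record, each mapped to the
# lowest stage that the finding proves.
FINDING_STAGE = {
    "entry_point_present": Stage.STAGE_0,  # e.g. a backdoored binary installed
    "host_controlled": Stage.STAGE_I,      # attacker ran commands on one host
    "lateral_movement": Stage.STAGE_II,    # reached other systems on the network
    "data_read": Stage.STAGE_II,           # data read or exfiltrated
    "data_altered": Stage.STAGE_III,       # data or configuration changed
    "admin_control": Stage.STAGE_IV,       # admin accounts or new entry paths made
}


@dataclass
class Incident:
    name: str
    confirmed: set                                # findings backed by evidence
    suspected: set = field(default_factory=set)   # reported but unverified


def stage_for(findings):
    """Highest stage proven by a set of findings; None if there are none."""
    unknown = set(findings) - set(FINDING_STAGE)
    if unknown:
        raise ValueError(f"unknown findings: {sorted(unknown)}")
    if not findings:
        return None
    return max(FINDING_STAGE[f] for f in findings)


def assess(incident):
    """Return (confirmed_stage, possible_stage).

    The lower bound uses only confirmed findings; the upper bound also counts
    suspected ones, so an incomplete investigation yields a range instead of
    a single, falsely precise number.
    """
    low = stage_for(incident.confirmed)
    high = stage_for(incident.confirmed | incident.suspected)
    return low, high


def describe(incident):
    """One-line summary in the article's vocabulary."""
    low, high = assess(incident)
    if low is None:
        return f"{incident.name}: no findings recorded"
    if high == low:
        return f"{incident.name}: {LABELS[low]}"
    return f"{incident.name}: {LABELS[low]} (possibly up to {LABELS[high]})"


# Constructed cases mirroring the three situations discussed in the article;
# the findings are illustrative, not a record of what each organization reported.
CASES = [
    Incident("SolarWinds customer (trojaned update only)",
             confirmed={"entry_point_present"}),
    Incident("Microsoft (per its Dec. 17 statement)",
             confirmed={"entry_point_present"},
             suspected={"host_controlled"}),
    Incident("U.S. Treasury (per press reports)",
             confirmed={"entry_point_present", "host_controlled",
                        "lateral_movement", "data_read"},
             suspected={"admin_control"}),
]

if __name__ == "__main__":
    for case in CASES:
        print(describe(case))
```

Running it prints one line per case, e.g. “U.S. Treasury (per press reports): Stage II (possibly up to Stage IV)”. The point of the two-bound output is that a responder can state what the evidence supports today without either overstating (“fully hacked”) or understating the exposure; as more findings are confirmed, the range narrows.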

The goal of any scale is to make things simple but not simplistic. No scale is perfect; there is always a way a scale can obscure critical details. What matters with a scale like this is that it lets us understand the relative severity of situations easily and concisely. What we know indicates that the Treasury situation is worse than Microsoft’s or FireEye’s, and in that regard this scale is accurate and useful.

The key point for everyone now is to understand that “hacked” isn’t a simple binary state: there are different degrees of it. By understanding this we can better assess how serious a situation is and what we need to do in response.
