
SolarWinds: The Nation-State Hack That Changed Cybersecurity Forever

Updated: Mar 23


00:00:00:20 - 00:00:18:20

Alberto (Deto) Hassan | VP CISO at ICL Group

In the time of an attack, every second is important, and you have to decide things without all the information, and to have the ability to lead the situation while there is an enemy on the other side against you. So it's a kind of mind war. You have to win.

 

00:00:18:22 - 00:00:55:15

Jeremy Ladner | The CISO Signal

Welcome to The CISO Signal, a true cyber crime podcast. I'm Jeremy Ladner. On this episode, we step inside the breach that shattered illusions of security at the highest levels. A routine software update to 18,000 organizations became a Trojan horse for a nation-state campaign that infiltrated the US Treasury, the Department of Justice, Microsoft and dozens more. The cost: billions of dollars in cleanup, years of investigation, and the hard-won wisdom that the solutions we trust to protect us could be turned against us.

 

00:00:55:17 - 00:01:22:14

Jeremy Ladner | The CISO Signal

This is the story of SolarWinds. And joining us for the investigation is a cybersecurity titan with decades of experience at the highest levels. Alberto Deto Hassan is VP and CISO at ICL Group and formerly headed Israel's National CERT. He brings deep experience across IT, OT and critical infrastructure security. Alberto, welcome to The CISO Signal. Can you tell us a bit more about your background?

 

00:01:22:16 - 00:01:48:13

Alberto (Deto) Hassan | VP CISO at ICL Group

Okay. I'm married to Ruth, she is my wife. That's the most important. I have two kids. I came from the ISA, Israeli Security Agency. And then after the Israeli Security Agency, I created and opened the national CERT. And afterwards I came back to the CISO, to ICL. So in the last six years, I'm VP of Cyber Security Defense in ICL.

 

00:01:48:15 - 00:02:19:12

Jeremy Ladner | The CISO Signal

Alberto, it's great to have you with us. Now let's begin the investigation. We are in the midst of a ceaseless war, not of bombs or bullets, but of breaches, firewalls and silent incursions. The targets, our borders, our banks, our commerce and the critical infrastructure that underpins a free civilization. The enemy is cloaked in code, fueled by greed, glory, and a desire for chaos.

 

00:02:19:14 - 00:02:45:18

Jeremy Ladner | The CISO Signal

This is the story of the unseen protectors, the nameless generals, the CISOs, chief information security officers. They are the guardians at the gate, watchers on the wall. Ever vigilant and always listening for The CISO Signal.

 

00:02:45:20 - 00:03:12:03

Jeremy Ladner | The CISO Signal

How we perceive the passage of time is a strange thing. Seconds can stretch on endlessly, each moment dragging like an eternity. And yet years can seemingly pass in the blink of an eye. Looking back, they feel like echoes from a parallel world. A lifetime that almost doesn't feel like our own. The early spring of 2020 feels recent enough to touch and yet impossibly far away.

 

00:03:12:05 - 00:03:41:20

Jeremy Ladner | The CISO Signal

Back then, the world had come to a standstill. Covid 19 had forced much of the world to work from home. Office towers stood hollow. Rush hours evaporated and dining tables were hurriedly converted into makeshift workstations. We were all grappling with a new reality. Working remotely, living cautiously for the first time in generations, the global community began to contemplate the fragility of the systems that hold us together.

 

00:03:41:22 - 00:04:21:03

Jeremy Ladner | The CISO Signal

A supply chain built on people. People who could get sick. What if the virus keeps spreading? If the people who pick the food, transport the fuel, keep the lights on, can't come to work? What if the police just don't show up? If the water doesn't flow, if the grid goes dark. It was a moment of collective vulnerability. And while most of us were worrying about a biological virus slipping past our defenses, few noticed something else creeping silently through another kind of supply chain.

 

00:04:21:05 - 00:04:59:19

Jeremy Ladner | The CISO Signal

A virus of a different nature crafted by human hands. Intelligent. Patient. Precise. It didn't spread through the air. It traveled through trust. During that same spring of 2020, the enemy got in. It breached major government agencies, compromised Fortune 500 corporations, and it did so using a weapon no one saw coming. No. Not Covid. Something arguably far worse. That sound you hear approaching is the blazing heat of this episode's breach.

 

00:04:59:21 - 00:05:20:02

Jeremy Ladner | The CISO Signal

This is SolarWinds and The CISO Signal. So you mentioned your wife and kids earlier, and obviously family is very important to you. What's the one thing about a career in cybersecurity that you wish you knew way back when you started years ago?

 

00:05:20:04 - 00:05:41:18

Alberto (Deto) Hassan | VP CISO at ICL Group

Most of the attacks are on the weekend. This is statistics, and on the weekend you have to be more alert, closer to the computer, closer to the system. And you have to understand that this is part of your job. If you are not prepared to do it, don't do it. But if you're a CISO or like a CISO, you have to be prepared to work on weekends.

 

00:05:41:20 - 00:05:51:12

Jeremy Ladner | The CISO Signal

So you've been at the helm of these large security organizations now for many years. Tell us a bit about the weight of that responsibility on your shoulders. What’s that like?

 

00:05:51:14 - 00:06:15:21

Alberto (Deto) Hassan | VP CISO at ICL Group

I can say that in every event I have the responsibility on my shoulders. And I understand that I am part of the world that would like to protect the industry, that would like to keep the industry, the Western industry, working and not stopped because of attacks, mainly from organized crime that wants us to be stopped or to pay a lot of money.

 

00:06:16:02 - 00:06:32:03

Jeremy Ladner | The CISO Signal

So when we discuss a breach of this scale and scope, we often focus on the size of the ransom paid, the cost of damages, or the sensitive data stolen. What is the one element you think we overlook that we should be talking about?

 

00:06:32:05 - 00:06:57:19

Alberto (Deto) Hassan | VP CISO at ICL Group

First of all, the planning. Somebody planned this very well. Somebody made the preparation, and the impact is huge. The impact is worldwide. So you have to give respect; it was done with a very high level of professionalism. And then to realize, to analyze it, you have to call to mind what the situation is, what we should do first, what we should do in the medium term, and what we should do in the long term.

 

00:06:57:19 - 00:07:05:09

Alberto (Deto) Hassan | VP CISO at ICL Group

But you have to make decisions very quickly, otherwise you are doomed.

 

00:07:05:11 - 00:07:20:03

Jeremy Ladner | The CISO Signal

Okay, so that's sort of an interesting juxtaposition that you mentioned between the slow and careful planning of the attacker and then the incredibly fast reaction time that a CISO needs when you're faced with a breach like this. How do you handle that?

 

00:07:20:05 - 00:07:30:00

Alberto (Deto) Hassan | VP CISO at ICL Group

I would say that every event is unique, there is no fixed formula. You have to be ready to react, and to react fast, and to think fast, because you don't have time.

 

00:07:30:06 - 00:07:48:22

Jeremy Ladner | The CISO Signal

We love making this podcast, and we really hope that shows in the care and quality that we invest in it. And we would really appreciate it if you could take a moment to like and share it with your fellow security professionals, as well as dropping us a comment letting us know what stories and guests you'd like to have on the podcast in future episodes.

 

00:07:49:00 - 00:08:32:18

Jeremy Ladner | The CISO Signal

Now back to the story. September 2019. Before the world locked down, before the phrase "supply chain attack" sent shivers through boardrooms and war rooms alike, something began quietly, deliberately, far from the fluorescent glow of the corporate world. The cybersecurity landscape in late 2019 was, by all appearances, business as usual. Security teams hunted malware, patched vulnerabilities, deployed firewalls, and slept well under the illusion that the systems they depended on were hardened, secure, and trustworthy.

 

00:08:32:20 - 00:09:07:06

Jeremy Ladner | The CISO Signal

But trust in this story is the first lie, because somewhere halfway around the world, a patient adversary was already watching, studying, and waiting. The group would later be known by many names: UNC2452, Dark Halo, APT29. The US government would eventually trace the operation back to Russia's foreign intelligence service, the SVR. These weren't spray-and-pray hackers looking to make a quick buck.

 

00:09:07:08 - 00:09:43:07

Jeremy Ladner | The CISO Signal

They were architects of espionage, disciplined, methodical and state backed. And in the fall of 2019, they picked their target, a little-known IT company called SolarWinds. Not because of what SolarWinds did, but because of who they served. Government agencies, Fortune 500 corporations and critical infrastructure providers. The perfect Trojan horse. This wasn't just a heist. It was infiltration with intent.

 

00:09:43:09 - 00:10:15:05

Jeremy Ladner | The CISO Signal

They begin with reconnaissance, probing SolarWinds' digital perimeter, mapping its internal infrastructure and identifying the cracks in the foundation. No malware, no alerts, just eyes in the dark, because the plan wasn't to breach and escape. The plan was to become invisible, to live inside the trusted systems that others relied on for protection. And so, in the shadows of September 2019, the groundwork was laid.

 

00:10:15:07 - 00:10:29:17

Jeremy Ladner | The CISO Signal

Digital casing of the joint. The beginning of one of the most devastating supply chain attacks in history. And no one saw it coming.

 

00:10:29:19 - 00:10:49:02

Jeremy Ladner | The CISO Signal

All right. So there's that terrifying moment of realization when it is clear you've been breached. What is the first thing you do before you assemble the team, before you alert the necessary stakeholders? Right after that first moment of realization and confirmation, what does Alberto Deto Hassan do?

 

00:10:49:07 - 00:11:16:06

Alberto (Deto) Hassan | VP CISO at ICL Group

To pray. It’s important. If you pray twice, it’s even better. But after that, you have to take things into consideration. Check the small things. When you get an update from any company, whether it’s Microsoft or whatever, test it in a small environment, a closed environment. Give it 24 hours to see what the outcome of this update is, and if it’s okay, then continue to a medium-sized environment and then to full scale.

 

00:11:16:06 - 00:11:36:23

Alberto (Deto) Hassan | VP CISO at ICL Group

But do not do it immediately, automatically, or across the entire environment. That’s the wisdom we got from this event and many events like it. Don’t be so fast in updating systems. Take into consideration that maybe somebody was monitoring you and may have inserted something into this update.

 

00:11:37:01 - 00:11:53:04

Jeremy Ladner | The CISO Signal

Okay, so we are living in a post-SolarWinds reality now. How do you suggest teams validate, test, and monitor security tools like SolarWinds before full deployment and organization-wide exposure?

 

00:11:53:06 - 00:12:11:00

Alberto (Deto) Hassan | VP CISO at ICL Group

I would say that you have to test it against real threats and see what the outcome is, especially regarding false alarms. The issue of false alarms is very important. If there are too many alerts, people stop paying attention. It’s like the story of the boy who cried wolf. So you have to do two things. First, make sure it detects what it should detect.

 

00:12:11:00 - 00:12:25:10

Alberto (Deto) Hassan | VP CISO at ICL Group

But it is just as important that it does not generate alerts for things that are not threats. Otherwise, it’s useless.

 

00:12:25:12 - 00:13:02:07

Jeremy Ladner | The CISO Signal

Act 2: The Silent Intrusion.

It didn't look like a weapon. There was no explosion, no fanfare, no ransom note flashing across a locked screen. Instead, it arrived quietly, like a whisper slipped between lines of trusted code. October 2019. Somewhere on a keyboard inside a room we may never fully identify, a line of custom malware was compiled. Its given name: SUNSPOT. But this wasn't the kind of malware designed to smash and destroy.

 

00:13:02:13 - 00:13:36:08

Jeremy Ladner | The CISO Signal

It was careful, calculated, designed to impersonate trust itself. Its job wasn't to detonate. It was to hide, to wait, to observe, and then to strike at the precise moment. Its target? Not a bank, not a hospital. A software company: SolarWinds. Specifically its build environment, the digital assembly line where software updates are forged, tested and blessed for distribution. That's where SUNSPOT was placed.

 

00:13:36:09 - 00:14:05:13

Jeremy Ladner | The CISO Signal

Like a ghost on the production floor, it monitored for files related to SolarWinds' flagship product, Orion. And when the legitimate update was being compiled, SUNSPOT silently swapped in the infected version. No one noticed. Not the developers, not the QA testers, and not the security scanners. February 2020. The attackers take the next step. They finalize a second payload, SUNBURST.

 

00:14:05:15 - 00:14:41:16

Jeremy Ladner | The CISO Signal

The actual espionage tool, hidden within the Trojanized Orion software. It was genius. It was devastating. And it was signed digitally, authenticated by SolarWinds itself, in March of 2020. While the world was focused on the chaos of Covid, while families adjusted to lockdowns, while office towers stood hollow, while home routers struggled to shoulder the new weight of global commerce, SolarWinds shipped the tainted update, version 2019.45.

 

00:14:41:17 - 00:15:10:20

Jeremy Ladner | The CISO Signal

It was deployed to thousands of customers, government agencies, intelligence networks, Fortune 500 giants from the U.S. Department of Treasury to Microsoft. All of them unwittingly opened the door and that's when the ghost entered. The brilliance of SUNBURST wasn't just in how it infiltrated, it was how it stayed hidden. The malware would lie dormant for up to two weeks.

 

00:15:10:20 - 00:15:53:06

Jeremy Ladner | The CISO Signal

Then, like sleeper cells obeying a silent countdown, it would activate: randomized, staggered, perfectly timed to avoid suspicion. It blended in with normal traffic. It communicated using DNS, one of the oldest, most trusted parts of the internet. It watched and it learned, and then it moved. Lateral motion across networks. Privilege escalation. Data access. Each step slow, surgical, invisible. From spring through fall of 2020, the attackers navigated through the digital hallways of some of the most secure systems on Earth.

 

00:15:53:08 - 00:16:27:01

Jeremy Ladner | The CISO Signal

No one knew, or rather, some had suspicions. By August, whispers of strange behavior surfaced at a few federal agencies: a discrepancy here, a misfired authentication there. But there was no smoking gun, no signature, no breach alert, just shadows where clarity used to be. And then, in November 2020, the hunters became the hunted. FireEye, one of the most respected cybersecurity firms in the world, discovered something unnerving.

 

00:16:27:03 - 00:16:57:01

Jeremy Ladner | The CISO Signal

Their own red team tools had been accessed. Not sold on the dark web, not deleted, not leaked. Accessed. But how? They launched an internal investigation, turning their forensics inward, peeling back the layers. What they found would lead them, unknowingly, to uncover one of the most dangerous and far-reaching cyber espionage campaigns in modern history. But we're not there yet.

 

00:16:57:03 - 00:17:24:06

Jeremy Ladner | The CISO Signal

The system had already been breached, the infection was already spreading, and the world still had no idea what was coming. Given the scale, the scope, the complexity, do you think it's realistic for large enterprises or national CERTs to detect tampering in a signed and verified update from a trusted vendor? Do you think we've learned the lessons from SolarWinds?

 

00:17:24:06 - 00:17:28:12

Jeremy Ladner | The CISO Signal

Are we doomed to repeat the same mistakes again and again?

 

00:17:28:14 - 00:17:54:23

Alberto (Deto) Hassan | VP CISO at ICL Group

Yes, I think we learned that we must do it in an isolated environment first, to see and to check, and then continue, not to immediately implement or update. We cannot afford the outcome of a failure. The outcome of a failure like that is huge. So let’s be more prudent, more humble, and check things before we move forward at scale.

 

00:17:55:01 - 00:18:15:20

Jeremy Ladner | The CISO Signal

So we all know that it’s not a question of if you’ll be breached, but when. What’s the key thing you would suggest CISOs prepare for in advance when dealing with a supply chain breach like this that leads to total system collapse, leaving you in a situation where you need to reach out to vendors, to customers, to offsite support teams, but all of your critical contact info and communications are now suddenly offline?

 

00:18:21:06 - 00:18:46:13

Alberto (Deto) Hassan | VP CISO at ICL Group

You have to build connectivity before disaster, so that you have contacts all over the world, names and phone numbers. In this situation, you cannot start searching for the phone number of someone in Indonesia. You have to already have two or three people in each area that you can contact, because depending on the time, they may be sleeping, they may just be waking up, or they may be at the end of their day. So you have to be able to say, I have a serious issue, I need your support. Never mind the hour, excuse me, and then begin.

 

00:19:00:22 - 00:19:16:19

Jeremy Ladner | The CISO Signal

So we talked about praying, certainly a very important skill for every CISO to have. Talk to us a bit about the importance of visibility and situational awareness in the moments following a breach. How do you begin creating order from chaos?

 

00:19:16:21 - 00:19:41:09

Alberto (Deto) Hassan | VP CISO at ICL Group

I would want to know what happened. I need to know the details: who is infected, how widespread the infection is, and what the damage looks like. If it’s in one or two locations, that’s manageable. But the moment I see that it’s in more than 20 locations, I know it has spread. Then we have to begin working first to reduce the damage.

 

00:19:41:11 - 00:20:10:18

Jeremy Ladner | The CISO Signal

Act 3: The Turning of the Lens.

In cybersecurity, there's an old saying: everyone gets breached, not everyone finds out. FireEye found out. It began with a flicker, a log entry that didn't add up. Then another, a pattern just shy of a pattern. And for a company whose business was finding needles in haystacks, this needle was exquisitely well hidden.

 

00:20:10:20 - 00:20:41:02

Jeremy Ladner | The CISO Signal

But it was there. FireEye's red team tools, digital lockpicks used to simulate attacks, had been accessed. Not destroyed, not leaked, just copied. And whoever had done it knew exactly what they were looking for. An internal task force was launched. The company turned its tools inward, scanning its own networks, investigating its own employees, rechecking its own assumptions. The hunt was personal now, and slowly the picture came into focus.

 

00:20:41:06 - 00:21:17:08

Jeremy Ladner | The CISO Signal

The attacker hadn't breached FireEye directly. They'd come through the supply chain, through SolarWinds. The realization was staggering. SolarWinds wasn't just a vendor. They were infrastructure, like plumbing or power or oxygen. Their Orion software sat at the center of IT systems around the globe. And if Orion was compromised, then so was everything downstream. Thousands of customers, federal agencies, intelligence networks, the private sector, all of them unknowingly wide open.

 

00:21:17:08 - 00:21:45:15

Jeremy Ladner | The CISO Signal

FireEye reached out to the US government, the Department of Homeland Security, the FBI and a newly formed alliance called the Cybersecurity and Infrastructure Security Agency, or CISA for short. Together, they began the process of unwinding what would soon be named SUNBURST. But as they traced the malware's behavior, its tactics, its traffic, its timing, something else emerged. This wasn't criminal.

 

00:21:45:20 - 00:22:12:01

Jeremy Ladner | The CISO Signal

It wasn't about money. It wasn't even about destruction. This was espionage. Patient, strategic, state sponsored. And whoever was behind it, they were still out there. Given your experience with ICS, what made SolarWinds so dangerous for industrial and government systems? What was the biggest mistake you think leadership made here?

 

00:22:12:03 - 00:22:35:08

Alberto (Deto) Hassan | VP CISO at ICL Group

Nobody was thinking that it could happen. So 95% were not prepared for this kind of attack. They were sure their data was safe, that nothing would happen. And because they were doing the same thing every week, every two weeks, every three weeks, they were not thinking that maybe this time it would be a major attack. Take, for example, the event a few months ago, CrowdStrike.

 

00:22:35:08 - 00:23:00:14

Alberto (Deto) Hassan | VP CISO at ICL Group

So many organizations updated without checking, and everything stopped working. Flights stopped, schools, local hospitals. Because of what? Because they did not properly evaluate the update. If you plan updates carefully and give respect to the enemy, to the hackers, they are smart, they know what they are doing. Give them that respect, and then you will be able to resist.

 

00:23:00:16 - 00:23:20:11

Jeremy Ladner | The CISO Signal

So I heard you mention complacency, doing the same thing again and again in security and expecting different results. You also mentioned underestimating the skill and sophistication of your adversaries. What role does human nature play in future threats, do you think? Will we continue to be the weakest link in our organizations?

 

00:23:20:11 - 00:23:45:09

Alberto (Deto) Hassan | VP CISO at ICL Group

I think about a red light. Every day, all over the world, people cross red lights, and some of them have accidents. And we ask ourselves, how did it happen again? Why? Because it is human nature. We do not believe things will happen to us. We think it will happen to our neighbor, but not to ourselves. And this is one of the failures of the human factor.

 

00:23:45:10 - 00:23:47:22

Alberto (Deto) Hassan | VP CISO at ICL Group

We have to be more humble.

 

00:23:48:00 - 00:24:02:16

Jeremy Ladner | The CISO Signal

So SolarWinds certainly made us aware of the security exposure that blind trust in our vendor supply chain creates. What are you doing today to prevent this sort of supply chain security breach?

 

00:24:02:18 - 00:24:24:00

Alberto (Deto) Hassan | VP CISO at ICL Group

Nothing enters our systems immediately. We always take a cautious approach. In every case, we use a small environment first. We check everything before continuing. We also look for any unexpected connectivity to the internet, because in many attacks, the goal is to establish external communication and build up the malware.

 

00:24:24:03 - 00:24:40:09

Alberto (Deto) Hassan | VP CISO at ICL Group

The moment you see activity that is not supposed to be there, suspect it. Do not assume it is normal. No, suspect it, check it, verify it. If you see communication to a command-and-control server, stop immediately. You must always be ready for every possibility.

 

00:24:40:11 - 00:25:14:01

Jeremy Ladner | The CISO Signal

Act 4: The Dominoes Fall.

November 2020. FireEye's revelation was just the opening move. Within days, SolarWinds confirmed what no one wanted to hear. Their software had been compromised. The scale was breathtaking. Nearly 18,000 customers had received the poisoned update. Governments, corporations, critical infrastructure, everyone. The breach had gone viral. On December 8th, FireEye stepped into the spotlight.

 

00:25:14:06 - 00:25:41:22

Jeremy Ladner | The CISO Signal

They publicly announced their breach. Unprecedented transparency in a world often shrouded in secrecy. Days later, the name SUNBURST was born. The malware was no longer a ghost. It had a face and it had a name. The US government moved swiftly. December 13th, an emergency directive ordered all federal agencies to shut down Orion immediately. This was a declaration of crisis.

 

00:25:41:22 - 00:26:11:17

Jeremy Ladner | The CISO Signal

A digital red alert. The malware's command and control servers, the puppeteers behind the scenes, were seized by a coalition of Microsoft, FireEye and GoDaddy. The fight had entered the public domain. The media dubbed it a cyber Pearl Harbor. Senate hearings were called. The breach wasn't just a story, it was a crisis of confidence. How had the digital defenses of the most powerful institutions on earth been so thoroughly bypassed?

 

00:26:11:19 - 00:26:40:21

Jeremy Ladner | The CISO Signal

Then the disclosures began to roll in. Microsoft revealed that attackers had viewed parts of their source code, but assured the public that no customer data had been stolen. The Department of Justice confirmed that hackers accessed thousands of employee email accounts. SolarWinds admitted internal weaknesses, from weak passwords to delayed vulnerability disclosures. Behind closed doors, fingers pointed. The breach exposed cracks in the fortress.

 

00:26:40:21 - 00:27:12:05

Jeremy Ladner | The CISO Signal

Lax security, ignored warnings and the dangerous assumption that software supply chains were safe. A former SolarWinds security advisor would later testify that repeated warnings about cybersecurity risks were often overlooked by executives. And in the wake of the chaos, a second, unrelated attack began exploiting SolarWinds vulnerabilities. Opportunists seeking to cash in on the disaster. By mid-2021, the fallout was undeniable.

 

00:27:12:08 - 00:27:41:06

Jeremy Ladner | The CISO Signal

The US government mandated zero trust architectures. No longer could anyone be trusted by default. The breach had changed everything. But even as the dust settled, many agencies and companies remained in the dark about the full extent of their exposure. The truth was sprawling and complex, a puzzle still being pieced together. The breach had become more than an incident.

 

00:27:41:08 - 00:28:14:07

Jeremy Ladner | The CISO Signal

It was a warning, a call to reimagine cybersecurity. So after the breach is confirmed and the immediate response is underway, it's time to chat with those not-so-technical folks, the C-suite executive management team, the board of directors, and bring them all up to speed. Enact your BCP, or business continuity plan. Can you offer any advice on how to handle that sometimes challenging group of individuals?

 

00:28:14:09 - 00:28:34:15

Alberto (Deto) Hassan | VP CISO at ICL Group

Again, this is something you have to plan before. Management has to plan, because the issue now is how to get out of the situation once you are already under attack. You have to get out, you have to overcome it. It’s not easy. You have to prepare yourself for different situations, including those you detect and those you do not detect, because those can overwhelm you.

 

00:28:34:15 - 00:29:10:23

Alberto (Deto) Hassan | VP CISO at ICL Group

And then, what becomes even more important is how the infrastructure behaves in order to come back to life. Business continuity planning, how you prepare to bring the company back to operation. So everything depends on rules, on practice, and on thinking through all kinds of scenarios. If you do not practice these scenarios, think about your home as an example. If you want to protect your home against a criminal, you analyze all your windows, all your doors, all your walls, and where they may be breached.

 

00:29:11:02 - 00:29:26:12

Alberto (Deto) Hassan | VP CISO at ICL Group

And then you have a plan. But if one door is open or breached, you must have a plan for how to overcome that situation. So in the end, it comes down to professionalism, discipline, and preparation in cybersecurity. Anything can happen.

 

00:29:26:14 - 00:29:39:08

Jeremy Ladner | The CISO Signal

So a lot of CISOs are noticing these days that these long dwell-time attacks are becoming far more common. Why do you think they are so hard to spot? What would you attribute that to?

 

00:29:39:10 - 00:29:59:20

Alberto (Deto) Hassan | VP CISO at ICL Group

Because we have so many logs, so many events every day, and you do not believe that something will happen. The issue is in your mindset. You have to suspect anything that is abnormal. If you do not suspect it, you say, I saw nothing, I saw nothing, there is nothing, and then something happens. If you keep saying there is nothing, you will miss it.

 

00:29:59:22 - 00:30:18:22

Jeremy Ladner | The CISO Signal

If you look at the most common toolsets that CISOs are using today, are there any detection practices that you think are underutilized? Something we should be considering that we’re not? Maybe a method you use that would significantly strengthen defenses?

 

00:30:19:00 - 00:30:45:06

Alberto (Deto) Hassan | VP CISO at ICL Group

You have to multiply the systems that generate alerts. If you get an alert from only one system, the SOC will likely not react. The security operations center needs confirmation. If alerts come from two layers of defense, then they understand something is happening. So always use at least two layers of defense on each system, systems that overlap and reinforce each other.

 

00:30:45:08 - 00:31:22:12

Jeremy Ladner | The CISO Signal

Act 5: The Reckoning.

As 2021 dawned, the world sought answers. Who was behind the breach, and how deep did the damage run? On January 11th, the US government broke its silence. The attack was attributed to a Russian state-sponsored group known in the shadows as APT29, also called Cozy Bear, a well-oiled espionage machine, patient and precise. Microsoft confirmed the attackers had viewed portions of its source code, but stressed no customer data had been compromised.

 

00:31:22:14 - 00:31:57:12

Jeremy Ladner | The CISO Signal

Meanwhile, SolarWinds faced intense scrutiny, not just from regulators but from a global community shaken by the breach. Weak passwords like solarwinds123 became a symbol of negligence. Delayed vulnerability disclosures became a cautionary tale about the costs of bureaucracy in cybersecurity. In congressional hearings and security conferences, experts dissected every misstep. Testimonies revealed that internal warnings went unheeded, that executive leadership underestimated the threat.

 

00:31:57:14 - 00:32:28:18

Jeremy Ladner | The CISO Signal

The breach was not merely a technological failure. It was a failure of culture, communication and accountability. As the year progressed, the breach catalyzed a seismic shift in cyber policy. The US government mandated zero trust security models, a radical departure from legacy practices. Software supply chain security became a top priority worldwide, and private industry rushed to patch the vulnerabilities that had allowed the invisible invaders to slip through.

 

00:32:28:19 - 00:33:02:15

Jeremy Ladner | The CISO Signal

Yet the story was far from over. By late 2021, many organizations still grappled with the fallout. The breach had become a case study in vulnerability, a stark reminder that no system, no matter how fortified, was impervious, and the world's digital landscape had forever changed. In 2025 and beyond, the SolarWinds breach serves as a catalyst, fueling innovation in cybersecurity, inspiring legislation, and sharpening the focus on trust in the digital age.

 

00:33:02:17 - 00:33:19:15

Jeremy Ladner | The CISO Signal

It's a story of stealth and shadows, but also of resilience and reckoning, because in the ever-evolving battle for cyberspace, the only certainty is vigilance.

 

00:33:19:17 - 00:33:30:00

Jeremy Ladner | The CISO Signal

What do you think the SolarWinds breach taught CISOs about how to handle relationships with supply chain vendors? Do you think it's made them a little paranoid or just cautious enough?

 

00:33:30:04 - 00:33:55:02

Alberto (Deto) Hassan | VP CISO at ICL Group

Designing good policy is about how you allow things into your organization and how you manage them. This event shows something very important: if something is coming from Microsoft, still suspect it. Don’t assume that because it comes from a big company, it is automatically safe. No, they can be compromised just like any other company. Because when you think you know everything, that’s when you fail.

 

00:33:55:04 - 00:34:01:10

Jeremy Ladner | The CISO Signal

Do you think most enterprises or national CERTs would handle a breach like this better today than they did back then?

 

00:34:01:12 - 00:34:15:16

Alberto (Deto) Hassan | VP CISO at ICL Group

No, I think still only about 30 to 40% would be ready and perform well. The remaining 60 to 70% would not handle it well because they are not preparing themselves enough.

 

00:34:15:21 - 00:34:45:01

Jeremy Ladner | The CISO Signal

So I think one of the things that makes the role of a CISO such an interesting career is that it’s so multifaceted. It calls on you to master so many skills. And one of those is getting inside the head of your enemy, understanding your adversary. What advice would you give other CISOs in terms of that foundational mindset when profiling or sizing up their adversaries?

 

00:34:45:03 - 00:35:05:01

Alberto (Deto) Hassan | VP CISO at ICL Group

I think we have to realize that there are bad actors in the world. There is organized crime. They are smart, they know what they are doing, and they are persistent. You have to be better than them. Otherwise, you will lose.

 

00:35:05:02 - 00:35:29:06

Jeremy Ladner | The CISO Signal

All right, so our final question is perhaps the most obvious one. Do you think we have really learned the lessons of SolarWinds as an industry? Are we in the same place in terms of our defensive tactics and response strategies, or are we miles ahead of where we were before? Would you say we’ve learned the necessary lessons?

 

00:35:29:08 - 00:35:53:06

Alberto (Deto) Hassan | VP CISO at ICL Group

We are not in the same place. We are much better, but that doesn’t mean everyone is much better. I would say 30 to 40% have understood that they need to take action to improve their national cyber posture. We are not just talking about awareness, we are talking about culture. You need a cybersecurity culture, like what you see in places like the UK or the United States.

 

00:35:53:06 - 00:35:58:22

Alberto (Deto) Hassan | VP CISO at ICL Group

The moment you achieve a true cybersecurity culture, then you are in a position to deal with something like SolarWinds.

 

00:35:59:01 - 00:36:08:08

Jeremy Ladner | The CISO Signal

Mr. Alberto (Deto) Hassan, thank you so much for being our co-host today on The CISO Signal. I really appreciate your time, and I look forward to having you back again.

 

00:36:08:10 - 00:36:13:13

Alberto (Deto) Hassan | VP CISO at ICL Group

Thank you very much. Have a good day. Bye-bye.

 

00:36:13:15 - 00:36:46:03

Jeremy Ladner | The CISO Signal

The SolarWinds breach wasn't a sudden explosion. It was a calculated infiltration that unfolded over months, hidden within trusted systems, in validated software. It exposed not only the vulnerabilities of a single company, but the fragility of an interconnected digital ecosystem where trust is the most valuable and most exploited currency. For security leaders, it was a harsh reminder. The adversary doesn't always announce their arrival with fanfare or brute force.

 

00:36:46:05 - 00:37:16:21

Jeremy Ladner | The CISO Signal

Instead, they embed themselves in the supply chain, in the shadows of code, patiently watching, learning, and waiting for the perfect moment to move. The consequences reverberate beyond stolen data. They shake the foundations of operational integrity and national security. This is a story not just of a breach, but of a breach in confidence: between vendor and customer, between system and operator, between assumption and reality.

 

00:37:16:23 - 00:37:50:20

Jeremy Ladner | The CISO Signal

As we move forward, the challenge is clear: to build defenses that anticipate stealth, to question assumptions long held sacred, and to accept that the perimeter is no longer a line, but a shifting landscape of trust. Because in the world of cybersecurity, the greatest danger often lies not in the obvious, but in the obscured. And so you remain ever vigilant, and always listening for The CISO Signal.
