The SolarWinds breach has again exposed the trusted supply chain as a favored method of cyber-attack. Nation-state level threat actors compromised its software updates in order to roll out backdoor access across its customer base. The network management and monitoring powerhouse has upwards of 300,000 customers across enterprise and government, so the potential fallout from this breach may be unprecedented. The blue team has moved swiftly: detection signatures have already been released, and official guidance on mitigating the threat is already in circulation.
Supply Chain Threat Mitigation
However, several security controls specific to the SolarWinds breach are precisely that – specific to SolarWinds. What of the rest of the Managed Service Provider ecosystem? How would you mitigate this threat before the next major supply-chain attack is disclosed?
What to do now
We have pulled together HolistiCyber’s prevention and threat-hunting approach below. It applies both to SolarWinds today and to customers of other Managed Service Providers (MSPs).
- Block all internet egress from SolarWinds or other MSP servers, and from servers or other endpoints running SolarWinds software
- Restrict the scope of connectivity from SolarWinds or other MSPs to endpoints, especially those that would be considered Crown Jewel assets
- Look for SMB sessions that show access to legitimate directories and follow a DELETE -> CREATE -> EXECUTE -> DELETE -> CREATE pattern in a short timeframe
- Identify logins from the attackers’ ASNs (Autonomous System Numbers) alongside baselining and normalization
- Identify and analyze suspicious logons based on FireEye’s recommendations for this attack
- Identify ‘one to many’ logon relationships -> use the logon tracker above to graph all logon activity and analyze systems displaying one-to-many behaviour
- Monitor existing scheduled tasks for temporary updates, and monitor all Windows task schedules executing new/unknown binaries
- Review SolarWinds (or other managed service provider) network architecture – segment these servers and collectors – ensure all servers are isolated
- Review SolarWinds or MSP permissions – who has access to what – making sure everyday accounts are not used. Change all passwords, including those of all service accounts
- Review all Domain Administrator accounts
- Review logons – analyze logons sourced from different regions within windows of time in which a human could not feasibly travel between them
- Review Windows logs, especially EID 4702 (scheduled task updated)
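As an added example (not HolistiCyber's own tooling), the following hunt implements the SMB DELETE -> CREATE -> EXECUTE -> DELETE -> CREATE sequence check from the list above over constructed file-share events; the five-minute window, the event format and the hostnames are assumptions for illustration.

```python
"""Hunt for the DELETE -> CREATE -> EXECUTE -> DELETE -> CREATE sequence in
SMB/file-share activity within a short time window (assumed: 5 minutes)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered pattern from the hunting guidance; matched per (source host, target directory).
PATTERN = ["DELETE", "CREATE", "EXECUTE", "DELETE", "CREATE"]

# Constructed sample events: timestamp, source host, share directory, action, file name.
SAMPLE_EVENTS = """\
2020-12-14T09:00:01 WS01 \\\\DC01\\C$\\Windows\\Temp DELETE update.exe
2020-12-14T09:00:02 WS01 \\\\DC01\\C$\\Windows\\Temp CREATE update.exe
2020-12-14T09:00:03 WS01 \\\\DC01\\C$\\Windows\\Temp EXECUTE update.exe
2020-12-14T09:00:05 WS01 \\\\DC01\\C$\\Windows\\Temp DELETE update.exe
2020-12-14T09:00:06 WS01 \\\\DC01\\C$\\Windows\\Temp CREATE readme.txt
2020-12-14T10:15:00 WS02 \\\\FS01\\Share\\Docs CREATE report.docx
2020-12-14T10:16:00 WS02 \\\\FS01\\Share\\Docs DELETE old.docx
"""


def parse_events(text):
    """Parse whitespace-separated event lines into (timestamp, src, directory, action, name)."""
    events = []
    for line in text.splitlines():
        ts, src, directory, action, name = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), src, directory, action, name))
    return events


def find_sequences(events, window=timedelta(minutes=5)):
    """Return (src, directory, start, end) for every in-order match of PATTERN
    whose first DELETE and final CREATE fall within `window`."""
    by_key = defaultdict(list)
    for ts, src, directory, action, _ in sorted(events):
        by_key[(src, directory)].append((ts, action))
    hits = []
    for (src, directory), actions in by_key.items():
        for i, (start, first_action) in enumerate(actions):
            if first_action != PATTERN[0]:
                continue
            idx = 0  # position in PATTERN; advance on each matching action
            for ts, action in actions[i:]:
                if ts - start > window:
                    break  # sequence took too long; not the short-timeframe pattern
                if action == PATTERN[idx]:
                    idx += 1
                    if idx == len(PATTERN):
                        hits.append((src, directory, start, ts))
                        break
    return hits
```

Feed real SMB audit or file-share access events into `parse_events` in the same five-field shape, and triage each hit by the directory and the file names that were executed.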