solarwinds MSP breach supply chain

SolarWinds: Preventing and Hunting other MSP Attacks

The SolarWinds breach has again exposed the trusted supply chain as a favored method of cyber-attack. Nation-state level threat actors compromised its software updates in order to rollout backdoor access among its customer base. The network management and monitoring powerhouse has upwards of 300,000 customers across enterprise and government, so the potential fallout from this breach may be unprecedented. The blue team has moved swiftly. Detection signatures have already been released and official guidance on mitigating the threat is already in circulation.

Supply Chain Threat Mitigation

However, several security controls specific to the SolarWinds breach are precisely that – specific to SolarWinds. What of the rest of the Managed Service Provider ecosystem? How would you mitigate this threat before the next major supply-chain attack is disclosed?

What to do now

We have pulled together HolistiCyber’s prevention and threat-hunting approach below. This applies both to SolarWinds today, and other Managed Service Provider (MSP) customers.

  • Block all internet egress from SolarWinds or other MSP, and servers or other end points with SolarWinds software
  • Restrict the scope of connectivity to endpoints from SolarWinds or other MSPs. Especially those that would be considered Crown Jewel assets
  • Look for SMB sessions that show access to legitimate directories and follow a : DELETE -> CREATE -> EXECUTE- > DELETE -> CREATE pattern in a short timeframe
  • Identify logins from the attackers ASNs (Autonomous System Number) alongside baselining and normalization
  • Identify and analyze suspicious logons based on Fireye’s recommendations as part of this attack
  • Identify ‘One to Many’ relationships for logons -> use the logon tracker above to graph all logon activity and analyze systems displaying 1:many
  • Monitor existing scheduled tasks for temporary updates, and monitor all windows tasks schedules executing new\unknown binaries
  • Review SolarWinds (or other managed service provider) network architecture – segment these servers and collectors – ensure all servers are isolated
  • Review SolarWinds or MSP permissions – who has access, to what, making sure not to use everyday accounts. Change all passwords including all service accounts
  • Review all Domain Administrator accounts
  • Review logons – analyze logons sourced from different regions within windows of time which humans cannot feasibly travel
  • Review windows logs especially EID 4702

As always, HolistiCyber experts are happy to talk through prevention and threat modeling and third party risk management approaches that will help organizations defend against these kinds of targeted supply chain attacks now and more importantly – to prevent it happening in future.

HolistiCyber

HolistiCyber enables organizations in their cyber defense challenge, providing them with state-of-the art consultancy, services & solutions to help them proactively and holistically defend themselves in a new era of constantly evolving cyber threats, many of which lead to nation state grade attacks.

Learn more…

Share:

Share on facebook
Share on twitter
Share on linkedin

We use cookies to provide the services and features offered on our website, and to improve our user experience.