Supply Chain Threat Mitigation
However, several security controls specific to the SolarWinds breach are precisely that – specific to SolarWinds. What of the rest of the Managed Service Provider ecosystem? How would you mitigate this threat before the next major supply-chain attack is disclosed?
What to do now
We have pulled together HolistiCyber’s prevention and threat-hunting approach below. This applies both to SolarWinds today, and other Managed Service Provider (MSP) customers.
- Block all internet egress from SolarWinds or other MSP servers, and from servers or other endpoints running SolarWinds software
- Restrict the scope of connectivity from SolarWinds or other MSPs to endpoints, especially those that would be considered Crown Jewel assets
- Look for SMB sessions that show access to legitimate directories and follow a DELETE -> CREATE -> EXECUTE -> DELETE -> CREATE pattern in a short timeframe
- Identify logins from the attackers' ASNs (Autonomous System Numbers) alongside baselining and normalization
- Identify and analyze suspicious logons based on FireEye's recommendations as part of this attack
- Identify 'One to Many' relationships for logons -> use the logon tracker above to graph all logon activity and analyze systems displaying 1:many
- Monitor existing scheduled tasks for temporary updates, and monitor all Windows scheduled tasks executing new or unknown binaries
- Review SolarWinds (or other managed service provider) network architecture – segment these servers and collectors – ensure all servers are isolated
- Review SolarWinds or MSP permissions – who has access to what – making sure not to use everyday accounts. Change all passwords, including all service accounts
- Review all Domain Administrator accounts
- Review logons – analyze logons by the same account sourced from different regions within time windows in which a human could not feasibly travel between them
- Review Windows logs, especially EID 4702
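As an added example (not HolistiCyber's code and not part of the original post), the following Python applies three of the hunts above to constructed sample events: the SMB DELETE -> CREATE -> EXECUTE -> DELETE -> CREATE staging pattern on a single path within a short window, 1:many logon fan-out from one account and source host, and consecutive logons by one account from regions a human could not travel between in the elapsed time. Host names, paths, accounts and the region travel-time table are all assumptions; in practice the event tuples would be built from SMB audit and Windows logon telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Base time and a helper for offsets.
T0 = datetime(2020, 12, 14, 3, 0, 0)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


# SMB file-access events: (timestamp, source host, UNC path, action). Assumed names.
SMB_EVENTS = [
    (at(0), "SRV-SW01", r"\\FS01\C$\Windows\Temp\update.tmp", "DELETE"),
    (at(5), "SRV-SW01", r"\\FS01\C$\Windows\Temp\update.tmp", "CREATE"),
    (at(30), "SRV-SW01", r"\\FS01\C$\Windows\Temp\update.tmp", "EXECUTE"),
    (at(45), "SRV-SW01", r"\\FS01\C$\Windows\Temp\update.tmp", "DELETE"),
    (at(60), "SRV-SW01", r"\\FS01\C$\Windows\Temp\update.tmp", "CREATE"),
    (at(0), "WS-ALICE", r"\\FS01\Share\report.docx", "CREATE"),  # benign activity
    (at(3600), "WS-ALICE", r"\\FS01\Share\report.docx", "READ"),
]

# Logon events: (timestamp, account, source host, destination host, source region).
LOGON_EVENTS = [
    (at(0), "svc_solarwinds", "SRV-SW01", "DC01", "US"),
    (at(120), "svc_solarwinds", "SRV-SW01", "FS01", "US"),
    (at(240), "svc_solarwinds", "SRV-SW01", "SQL01", "US"),
    (at(300), "svc_solarwinds", "SRV-SW01", "MAIL01", "US"),
    (at(0), "alice", "WS-ALICE", "FS01", "US"),
    (at(3600), "alice", "VPN-GW", "FS01", "APAC"),  # one hour later, another region
]

STAGING_PATTERN = ["DELETE", "CREATE", "EXECUTE", "DELETE", "CREATE"]


def find_smb_staging(events, window=timedelta(minutes=10)):
    """Flag every (host, path) whose consecutive actions, ordered by time, match
    STAGING_PATTERN inside `window`. Returns a list of (host, path, first_ts, last_ts)."""
    by_key = defaultdict(list)
    for ts, host, path, action in events:
        by_key[(host, path)].append((ts, action))
    hits = []
    n = len(STAGING_PATTERN)
    for (host, path), acts in by_key.items():
        acts.sort()
        for i in range(len(acts) - n + 1):
            run = acts[i:i + n]
            if [a for _, a in run] == STAGING_PATTERN and run[-1][0] - run[0][0] <= window:
                hits.append((host, path, run[0][0], run[-1][0]))
                break  # one alert per path is enough
    return hits


def one_to_many_logons(events, threshold=3):
    """Group logons by (account, source host) and return those that reached at least
    `threshold` distinct destination hosts: the 1:many logon shape worth graphing."""
    targets = defaultdict(set)
    for _, user, src, dst, _ in events:
        targets[(user, src)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


# Assumed minimum hours needed to travel between coarse regions (illustrative values).
MIN_TRAVEL_HOURS = {
    frozenset({"US", "EU"}): 7,
    frozenset({"US", "APAC"}): 12,
    frozenset({"EU", "APAC"}): 10,
}


def impossible_travel(events):
    """Return (account, region_a, region_b, ts_a, ts_b) for consecutive logons by the
    same account from different regions closer together than MIN_TRAVEL_HOURS allows."""
    by_user = defaultdict(list)
    for ts, user, _, _, region in events:
        by_user[user].append((ts, region))
    hits = []
    for user, entries in by_user.items():
        entries.sort()
        for (t1, r1), (t2, r2) in zip(entries, entries[1:]):
            needed = timedelta(hours=MIN_TRAVEL_HOURS.get(frozenset({r1, r2}), 0))
            if r1 != r2 and t2 - t1 < needed:
                hits.append((user, r1, r2, t1, t2))
    return hits


if __name__ == "__main__":
    for hit in find_smb_staging(SMB_EVENTS):
        print("SMB staging pattern:", hit)
    for key, dsts in one_to_many_logons(LOGON_EVENTS).items():
        print("1:many logons:", key, "->", dsts)
    for hit in impossible_travel(LOGON_EVENTS):
        print("Impossible travel:", hit)
```

The thresholds (a ten-minute SMB window, three destinations, the travel table) are starting points to be tuned against a baseline of normal MSP collector behaviour; a monitoring server legitimately talks to many hosts, so the 1:many check is most useful when compared against that server's own history rather than applied as a flat rule.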