What We Know: SolarWinds Attack (+Lessons To Be Learned) | Compuquip

February 18, 2021 Phillip Tarrant

6 Min Read

As the story continues to unfold and we learn more about what really happened at SolarWinds, it is already clear that this attack will be remembered for a long time, both for its scale and for the sheer number of organizations that ran the compromised software while the intrusion went undetected for months.

Before we dive in, let's do a quick recap on what happened:

What Happened at SolarWinds?

Attackers breached SolarWinds' build environment and injected malicious code into the company's Orion software. The attackers have not been formally identified, but the evidence points to Russia, which has denied involvement. Orion was used by many companies and government agencies. This is known as a supply chain attack: the attackers did not attack those companies or agencies directly; they reached them through a signed, trusted update from a vendor those organizations already relied on.

Builds for versions 2019.4 HF 5, 2020.2 (with no hotfix), and 2020.2 HF 1 of the company's Orion network management platform were affected. The attack has been labeled the largest supply chain attack in history: SolarWinds estimated that up to 18,000 customers had downloaded the trojanized update, although the attackers followed up with hands-on intrusion activity at only a small subset of those. Now that we are caught up on what happened at SolarWinds, let's talk about some factors that people within the company may have missed and draw out the lessons to be learned from this attack.

The Attack Tools And Vectors Used For The SolarWinds Attack

While most attention has focused on SolarWinds, the same group has also been shown to have attacked several other companies using different vectors, including password spraying and password guessing. Malwarebytes has stated that the attackers gained access to its Office 365 tenant by abusing a "dormant email protection product" that held privileged access to the tenant. CISA has also reported that the threat group used MFA bypass techniques to access some cloud-hosted applications.

How Patience & Incredible Restraint Helped The Attackers

One of the things that most got my attention was how much planning and thought went into this attack. The attackers didn't smash and grab; they gained access, then assessed exactly how to maximize their impact. They worked out precisely what they had access to and how to use their target assets. This tells us several things, most notably that the attackers were experienced, were a well-resourced group rather than an individual, and had access for a long time before they made their move.

No One Was Safe - Not Even Those In Security

Another notable aspect of this attack is who was affected. The short list of affected companies reads like a who's who of security and technology: Cisco, Intel, Nvidia, Belkin, Qualys, Microsoft, FireEye, Malwarebytes, Palo Alto Networks, and Cox Communications, to name a few. Several US government agencies were also compromised, including the Departments of Commerce, Energy, Defense, Justice, and Homeland Security. FireEye disclosed that the attackers also stole copies of the Red Team tools it uses in penetration testing, and has released YARA rules to help security professionals hunt for those tools in their own environments.

Incredibly Advanced And Numerous Anti-Detection & Evasion Techniques

The code injected into the software used a variety of evasion techniques to avoid detection. It included multiple safeguards and checks so that the host software would not crash and draw attention. It looked for security and analysis processes, services, and drivers that might detect it, and halted the malicious part of the code if any were found. It used DNS for its initial command and control: each query encoded the victim's identity in a long, random-looking subdomain of the attackers' domain, so that the operators could pick out interesting victims from ordinary-looking DNS traffic before any further communication. It mimicked legitimate application traffic and files, disguising its communications as the Orion Improvement Program protocol, to look as normal as possible. It did nothing malicious until roughly 12 to 14 days after installation. It also used command and control servers hosted in the same country as the victim so that the traffic would not stand out as foreign.

A First of Its Kind - The Golden SAML

This was the first known use in the wild of the Golden SAML technique (first described publicly by CyberArk in 2017). Once the attackers gained administrative access to the AD FS server, they could extract its token-signing certificate and use it to forge SAML tokens for any identity in the enterprise. Because cloud services and SSO applications trust whatever the federation server signs, even those services weren't safe, and the forged tokens did not pass through the normal credential or MFA checks.
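A practical consequence of the above is that a forged token looks valid to the cloud side, so the hunt has to correlate two sources: every legitimate federated sign-in should be preceded by a token-issuance event on the AD FS farm for the same user. The script below, an added example and not code from the original post or from any of the vendors named here, shows that correlation over constructed log records. The record layouts, field names, the issuance event ID, the five-minute window, and the eight-hour maximum token lifetime are all assumptions for the example, not the real AD FS or Azure AD schemas or your tenant's policy.

```python
"""Hunt for Golden SAML-style forged federated sign-ins by correlating cloud
sign-in records with AD FS token-issuance events.

Both record layouts are constructed for this example (simplified dicts), not
the real AD FS or cloud sign-in log schemas; adjust field names to your logs.
"""
from datetime import datetime, timedelta

# Constructed AD FS token-issuance events. event_id 1200 is used here as the
# "token issued" event; treat the number and the field names as assumptions.
ADFS_EVENTS = [
    {"time": "2020-12-14T08:00:02Z", "event_id": 1200, "user": "alice@corp.example"},
    {"time": "2020-12-14T08:30:15Z", "event_id": 1200, "user": "bob@corp.example"},
]

# Constructed cloud sign-in records. "auth" says whether the sign-in presented
# a federated (SAML) token; token_lifetime_hours is the assertion validity.
CLOUD_SIGNINS = [
    {"time": "2020-12-14T08:00:05Z", "user": "alice@corp.example",
     "auth": "federated", "token_lifetime_hours": 1},
    {"time": "2020-12-14T08:30:17Z", "user": "bob@corp.example",
     "auth": "federated", "token_lifetime_hours": 1},
    # No AD FS issuance event exists for this sign-in, and the token lives for a week.
    {"time": "2020-12-14T09:12:44Z", "user": "svc-backup@corp.example",
     "auth": "federated", "token_lifetime_hours": 168},
    {"time": "2020-12-14T09:40:00Z", "user": "carol@corp.example",
     "auth": "cloud-password", "token_lifetime_hours": 1},
]

WINDOW = timedelta(minutes=5)   # assumed: how long after issuance a sign-in may arrive
MAX_LIFETIME_HOURS = 8          # assumed: longest lifetime AD FS is configured to issue


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def has_matching_issuance(signin, adfs_events, window=WINDOW):
    """True if AD FS logged a token issuance for this user shortly before the sign-in."""
    t = _ts(signin["time"])
    for ev in adfs_events:
        if ev.get("event_id") != 1200:
            continue
        if ev["user"].lower() != signin["user"].lower():
            continue
        issued = _ts(ev["time"])
        if issued <= t and t - issued <= window:
            return True
    return False


def hunt_golden_saml(signins, adfs_events):
    """Return federated sign-ins with no AD FS issuance event or an over-long token."""
    findings = []
    for s in signins:
        if s["auth"] != "federated":
            continue  # only federated sign-ins carry a SAML token from AD FS
        reasons = []
        if not has_matching_issuance(s, adfs_events):
            reasons.append("no-adfs-issuance-event")
        if s.get("token_lifetime_hours", 0) > MAX_LIFETIME_HOURS:
            reasons.append("token-lifetime-exceeds-policy")
        if reasons:
            findings.append({"user": s["user"], "time": s["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_golden_saml(CLOUD_SIGNINS, ADFS_EVENTS):
        print(finding)
```

The two signals are independent: a forged token never touches AD FS, so there is no issuance event to find, and attackers who mint their own tokens tend to give them lifetimes far beyond what the relying-party trust would normally issue. Either one alone is worth a look; both together on a service account is a strong lead.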

Lessons to Be Learned From The SolarWinds Attacks

As we are still unwinding the ball of yarn that is the SolarWinds attack, it's impossible to list all the lessons to be learned, but here are a few:

  1. Least Privilege & Zero Trust: This attack shows the importance of Zero Trust and least privilege. Zero Trust starts from the premise that no user, device, or connection is trusted by default, not even an administrator on the internal network; every request is verified. Combine that with least privilege: no one should hold standing administrative rights, all elevated access should expire after a set time, and each grant should be "just enough" to get the job done.

  2. Behavior-based vs. signatures: A trojanized, vendor-signed update has no signature to match, so signature-based antivirus had nothing to fire on. Attacks like this show that behavior-based endpoint detection, such as SentinelOne, which watches what a process does rather than what it looks like, is needed for the highest level of protection.
  3. Data Exfiltration Detection and Prevention: A number of security vendors have published reports stating that, on review, their intrusion detection technologies did detect the activity, but that the alerts were not judged significant enough to act on. Exfiltration and Data Loss Prevention are things that many companies don't focus on. Ingress (inbound) filtering is only one step; egress (outbound) filtering should also be done. Lock down DNS and create an approved domain list for servers that reach out to the internet, so that a server resolving or contacting an unexpected domain is an alert rather than background noise.
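As an added example, not code from the original post, here is what the egress and DNS lockdown in lesson 3 looks like as a review over resolver logs, and it also covers the DNS-based command and control described under evasion techniques above: servers are held to an approved domain list, and any query whose leftmost label is long and high-entropy (the shape of an encoded victim identifier) is flagged regardless of who sent it. The log format, the domain names, the host addresses, and the entropy and length thresholds are all constructed assumptions for the example, not real indicators or a real product's log layout.

```python
"""Egress DNS review: flag servers resolving names outside an approved list,
and flag DGA-like labels (long, high-entropy leftmost label) from any host.

The log format is a constructed, simplified resolver log for this example:
    <timestamp> <client_ip> <queried_name>
It is not a real product's format; adapt parse_dns_log() to your resolver.
"""
import math
from collections import Counter

# Constructed sample resolver log. Domains and addresses are placeholders,
# not indicators from any real incident.
SAMPLE_LOG = """\
2020-12-14T03:12:07Z 10.0.5.20 updates.vendor-a.example
2020-12-14T03:12:09Z 10.0.5.20 time.vendor-a.example
2020-12-14T03:14:41Z 10.0.5.21 7vx2k9mqrb3wnl5zpq8dfh4tj.api.eu-west-1.cdn-host.example
2020-12-14T03:15:02Z 10.0.7.99 www.news-site.example
2020-12-14T03:16:30Z 10.0.5.21 mail.partner-b.example
"""

# Approved destinations for servers; subdomains of these are allowed too.
ALLOWLIST = {"vendor-a.example", "partner-b.example"}
# Hosts that are servers and therefore subject to the allowlist (assumed).
SERVER_HOSTS = {"10.0.5.20", "10.0.5.21"}

ENTROPY_THRESHOLD = 3.5  # bits per character; ordinary hostnames sit well below
MIN_LABEL_LEN = 16       # short labels are never flagged, even if random-looking


def parse_dns_log(text):
    """Yield (timestamp, client_ip, qname) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], parts[2].rstrip(".").lower()


def is_allowed(qname, allowlist):
    """True if qname is an approved domain or a subdomain of one.

    The leading dot matters: 'evilvendor-a.example' must not match
    'vendor-a.example'."""
    return any(qname == d or qname.endswith("." + d) for d in allowlist)


def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def dga_like(qname):
    """True if the leftmost label is long and looks like encoded/random data."""
    first = qname.split(".")[0]
    return len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= ENTROPY_THRESHOLD


def find_suspicious(text, allowlist=ALLOWLIST, server_hosts=SERVER_HOSTS):
    """Return one finding per log line that breaks the egress policy or looks DGA-like."""
    findings = []
    for ts, client, qname in parse_dns_log(text):
        reasons = []
        if client in server_hosts and not is_allowed(qname, allowlist):
            reasons.append("server-egress-not-allowlisted")
        if dga_like(qname):
            reasons.append("dga-like-label")
        if reasons:
            findings.append({"time": ts, "client": client, "qname": qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The allowlist check is the control the lesson calls for; the entropy check is a second, independent signal so that a server talking to a newly approved but abused domain, or a workstation that is not on the server list, still surfaces when the query itself looks like encoded data. Tune the thresholds against a week of your own logs before alerting on them.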

How to Prevent Supply Chain Attacks in Your Own Organization

As enterprises become more and more reliant on outside providers, it's no longer enough to worry only about your own business's cybersecurity; you have to worry about the cybersecurity of every business in your supply chain as well. And thanks to evolving attacker tooling and increased oversight from regulators, the risks associated with a supply chain attack have never been higher.

The recent SolarWinds attack is a prime example of what can go wrong if there are vulnerabilities in your supply chain. So, how can you prevent them? Here are a few tips:

  1. Set clear standards and thoroughly vet all supply chain partners. Heavily regulated industries, such as finance and healthcare, already provide for third-party risk testing or have some sort of standards in place that vendors need to comply with. Even if this doesn’t apply to your industry, make sure you take the initiative to set your own standards and thoroughly vet anyone who could be a part of your supply chain. If you’re looking for a new vendor, for example, you and the vendor should establish a certain level of trust and transparency about what data is available, who can access it, and how it will be used before the partnership begins. 

  2. Include your supply chain in your disaster recovery and response plan. Just because you’ve done your research and vetted your supply chain doesn’t mean your network environments are 100% risk-free. So, if an incident does occur, it’s important to have a clear, coordinated approach to managing your incident response so you can drive a well-synced response effort. Planning for the worst as a team allows you to work together so all parties involved can mitigate any damages faster.

  3. Conduct red teaming. Red teaming is the process of discovering one or more vulnerabilities within your network by any means necessary. This multi-layered adversary simulation is aimed at the systems, security controls, people, and policies that would have to hold up against a real-world attack on your organization. It makes it possible to understand where a single vulnerability or a chain of them lives within your network so they can be closed before an attacker finds them.

Subscribe to The Compuquip Blog for More Cybersecurity Insights in Your Inbox!

As this story continues to develop daily, our experts are here to understand more about what went on at SolarWinds and bring tips to help keep you and your organization’s cybersecurity battle-ready. Subscribe to our blog today to receive the latest news on cybersecurity, threats, and much more!
