While it may be some time before we fully grasp the full implications of the massive SolarWinds data breach, we must respond to its security lessons immediately. We talked to several industry experts about what companies should be doing now to protect their systems from similar risks.
Jason Rebholz, MoxFive
Companies should first check to see if they are using the impacted Orion software. If yes, conduct searches of the environment for publicly available Indicators of Compromise (IOCs) to determine whether post-exploitation activity occurred. If additional IOCs are identified, a full investigation should be conducted to determine the extent of attacker activity.
Alan Rainer and Bridget Choi, Kivu Consulting
CISA has published a number of IOCs, in addition to further recommendations and analysis. If a system has a compromised SolarWinds Orion update (defined in CISA alert), take care when investigating. Consider initiating incident response as soon as possible and do not modify the system before gathering forensic artifacts. Eliminating compromised code prevents an intruder from entering, but it won’t evict any attackers on the network. SolarWinds customers should visit the Security Advisory page and apply the 2020.2.1 HF 2 patch to remediate the backdoor code.
Jim Jaeger, Arete[Anyone running Orion software] should immediately disconnect and power down servers running affected versions (2019.4 through 2020.2.1 HF1). (SolarWinds has subsequently released a clean, upgraded version of Orion that clients can install.) Per the CISA directive, organizations should image any server running the affected Orion software and conduct a forensic analysis to identify malicious activity.
Organizations who had previously installed infected versions of Orion should also perform active threat hunting to identify illegitimate outbound C2 connections and malware associated with attacker exploitation of the Orion DLL backdoor. Due to the sophistication of this attack, affected organizations that don’t routinely conduct forensic analysis or threat hunting should seek assistance from a cybersecurity firm skilled in these areas.
Adam Hart and Matt Ahrens, Charles River Associates
Antivirus signatures on potentially affected systems must be updated and the systems scanned for active threats. Firewall rules should be written to block all domains and IP addresses that have been associated with the malware. Although Microsoft took control of the identified command and control domain “avsvmcloud[.]com” to create a kill switch for the malware, there still likely multiple persistence mechanisms that have been deployed after the initial intrusion. Businesses must search their logs for indicators of compromise and understand if there’s been further access to their specific network.
Andrew Topp, West Monroe Partners
The passwords for any accounts with access to SolarWinds infrastructure should be reset immediately. If possible, a full password reset for all user and service accounts, as well as a double reset of the KRBTGT account password should be performed to limit the impact of any credential compromise. In general, there are several steps all organizations should take to educate users, protect credentials, and enhance visibility into their networks:
- Educate users on the dangers of phishing and other compromise attempts.
- Protect all credentials with multifactor authentication to reduce the risk of compromised credentials being used to gain access to the environment, and train users to reject and report suspicious multifactor authentication prompts.
- Limit privileges as strictly as possible.
- Deploy an Endpoint Detection and Response (EDR) tool such as Carbon Black, SentinelOne, or CrowdStrike to provide the ability to monitor system behavior and threat hunt for suspicious activity.
- Deploy Security Information and Event Management (SIEM) tools or log aggregation functionality with the ability to correlate activity across servers and network devices to better identify suspicious behavior patterns.
- Identify an internal team or outsourced Managed Detection and Response (MDR) provider to consume and act upon incoming data from EDR and SIEM tools – unlike traditional “set and forget” AV tools, these products generate massive amounts of data that must be triaged and acted upon.
- Conduct a regular threat hunt to identify potential compromise. There are vendors that offer services to collect data, search for indicators of compromise, and identify vulnerabilities, hopefully before they can escalate to an attack. These types of threat hunts can be performed on an ongoing basis using data from EDR and SIEM tools, or can be found using log collection tools deployed to endpoints.
- Have updated disaster recovery, business continuity, and incident response plans that include coverage for worst case scenarios. Organizations should have plans that can handle the potential recovery of the complete environment, and regularly test these plans to be confident that they can be executed while meeting recovery time and point objectives agreed upon with the business.
SolarWinds a.k.a. SunBurst malware, serves as a reminder that a patient and persistent threat actor can exploit almost any network, and often our own cybersecurity has dependencies tied to the practices of our upstream trusted vendors. One of the recommendations the experts point to is having an updated actionable data breach plan that can be accessed at a moment’s notice, including timely access to incident response and remediation experts recommended by the cyber risk insurance carriers helping policyholders battle these morphing risk exposures on a daily basis.