SolarWinds...Just the Tip of the Iceberg
Though the SolarWinds breach from 2020 is behind us, many of our clients are still unclear about the nature of the breach or how the attack was orchestrated. SolarWinds estimates that between 18,000 and 33,000 customers running a breached version of the SolarWinds Orion software were impacted. We do know that the attacker(s) in question are likely a nation state. How was the attack carried out? In simple terms, this is what happened:
On or around September 4, 2019, attackers compromised the update server for the SolarWinds Orion product. In March 2020, the threat actors created malware that was deployed through the SolarWinds update infrastructure and designed to place a trojan on the client’s system to gain administrative rights. Next, the attackers moved laterally across the compromised organization and generated valid credentials. Following this, the attackers conducted reconnaissance from within the network and planned the next stages of their attack. Ultimately, the goal was to access a global account and remain undetected. Details about the specifics of the breach will continue to emerge over the coming weeks and months, as this remains an evolving and ongoing event.
We have learned from the SolarWinds breach that an organization can do everything correctly and still be compromised. A risk-based approach should be taken to mitigate the damage by doing the following:
· Implement a patch management solution (patches come out every week). Your operating system and third-party software need to be kept up to date. If your operating system is no longer supported, it is well beyond time to update. Remember, just keeping your systems patched mitigates more than 90% of known vulnerabilities.
· Use an anti-virus and anti-malware product and implement an email hygiene solution. In the modern office, IT providers have walled off most of the avenues of attack, but two still remain -- web browsing and email -- and that is where many attacks originate today.
· Monitor your network. Work with a dedicated cybersecurity firm, like Black Talon Security, to offer you Predictive Threat Intelligence that proactively alerts you to any suspicious activity, including unauthorized file access attempts.
· Conduct a complete cybersecurity assessment or Cloud security assessment every year. This is a critical step to understanding your infrastructure that cannot be ignored. If you do not know what your exposure is, you cannot work to correct it.
· Perform a tabletop incident response exercise and know how you will respond. Every organization needs to perform a tabletop exercise to prepare for the worst. A facilitator will create a plausible scenario that exercises your team’s plan and exposes them to what could happen in a real incident.
· Back up your data. This should go without saying. Back your data up, and back it up offline (tape or a removable drive), so that if a disaster happens you can still access the data. Test your backups regularly; this can be as simple as asking for a single file to be restored monthly. Keep at least one year of backups, and more if you can. Attackers are frequently in your system for extended periods of time, and one month of backups is no longer sufficient to ensure adequate protection.
· Use Multi-Factor Authentication (MFA) everywhere. If you cannot walk over and touch a server, it needs to have MFA enabled. This is an oversimplification, of course, but it still holds true. If you are at home and you or someone from your office needs to access files on a work PC, you need to be logging in with MFA.
· When buying expensive office equipment that your business depends on, ask the vendor if the next operating system will be supported and have them put that in writing.
· Consider the services of a Virtual Chief Information Security Officer (vCISO). CISOs are expensive and in demand. A vCISO can augment your staff at an hourly rate that is more cost-effective than hiring someone full- or part-time.
· Conduct vulnerability scans and penetration testing on your environment(s).
· Conduct cybersecurity awareness training and simulated phishing attacks against all employees within your organization.
· Finally, make sure to do your due diligence - ask questions of your vendors, and ask us what questions you should be asking.
Mr. John Zuska, CISSP, vCISO