Published in Cloud Security
SolarWinds Hack: Retrospective

Part 3: What could we do better to prevent similar breaches in the future?

Part one of this three-part series on the SolarWinds hack examined the big-picture issues surrounding the SolarWinds and FireEye breaches. Part two considered the root causes of the SolarWinds compromise and the system access that followed. This last post considers how to prevent breaches like SolarWinds in the future. Links to all the articles in the series are at the bottom of this post.

Now that we’ve considered how the SolarWinds hack started and the actions attackers were able to take as a result of the system compromise, we can look at what might have prevented the breach, or at least limited the damage.

I do not have all the insider details. However, these recommendations will help many organizations, regardless of the specifics of the SolarWinds hack. These recommendations are a high-level overview. I offer ways to get more information, if needed, at the end of this blog post.

It’s unfortunate that attackers got onto the SolarWinds systems. As I write about in my book on Cybersecurity for Executives in the Age of Cloud, it’s more unfortunate that affected organizations could not detect the C2 traffic, and that the accounts on the SolarWinds systems held all-powerful credentials that could be used to mint additional access through SAML token-signing certificates. Here’s how you can better protect yourself from a similar fate.

This is the same type of build and deploy system and segregated access I implemented at a security vendor that I helped move to the cloud, except that we were using AWS. It’s harder with a smaller team but now with things like permission boundaries on AWS and privileged identity management on Azure, it’s a bit easier than it was then.

SolarWinds — Development System and Update Server Security

SolarWinds Customers — Disallowing access to the C2 channel and limiting credential abuse

  • Use defense in depth: network controls, identity controls, and a secure system architecture, so that no single failure gives an attacker everything.
  • Use more than one monitoring mechanism, arranged so that no single set of credentials, and no malware running on a single host, can tamper with all of them.
  • Segregate user access so that a compromised set of credentials reaches only a limited set of systems.
  • The Sunburst malware needs to call home to a C2 server. Firewalls outside the control of any user on the monitoring system should allow outbound access only to the specific update servers used by the SolarWinds product.
  • Alert on rejected network traffic to and from critical systems. Rejected outbound traffic from such a system is an indicator of compromise: the beacon was blocked, but something on the host tried to send it.
  • Alert on anomalous credential use. The challenge in this case is that the attackers were able to create valid credentials of their own, which would likely not trigger such alerts, so pair identity-based alerts with checks that do not depend on the identity, such as the source network of the call.
  • Use Azure Activity Logs to monitor calls to the Azure management plane, including which IP address each call came from.
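The following is an added example, not code from the original post or from SolarWinds, showing three of the checks above in working form: the egress allow-list a firewall should enforce for a monitoring host, an alert on rejected outbound traffic from a critical host, and a check of Azure Activity Log calls against trusted source networks. All addresses, hostnames, and log records are constructed for illustration (RFC 5737 test ranges, placeholder update servers), and the flow-log and activity-log field names are simplified approximations rather than exact vendor schemas.

```python
"""Added example, not code from the original post: an egress allow-list for
a monitoring host, an alert on rejected outbound traffic, and a check of
Azure Activity Log calls against trusted source networks. All addresses and
log records are constructed (RFC 5737 test ranges); the flow-log and
activity-log field names are simplified approximations, not exact schemas."""
import ipaddress
import json
from dataclasses import dataclass

# Assumed allow-list of update servers the product may reach; enforced by a
# firewall that users of the monitoring host cannot change. Placeholders only.
UPDATE_SERVER_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32"),
                           ipaddress.ip_network("203.0.113.11/32")]
ALLOWED_PORTS = {443}
CRITICAL_HOSTS = {"10.0.1.5"}                                  # constructed
TRUSTED_ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed
# Operations that grant access or touch key material; an illustrative subset.
HIGH_RISK_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
}


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    dport: int
    action: str  # ACCEPT or REJECT, as logged by the firewall


def egress_decision(dst: str, dport: int) -> str:
    """Intended policy: only allow-listed update servers, only on allowed ports."""
    ip = ipaddress.ip_address(dst)
    if dport in ALLOWED_PORTS and any(ip in net for net in UPDATE_SERVER_ALLOWLIST):
        return "ACCEPT"
    return "REJECT"


def parse_flow_log(text: str) -> list:
    """Parse constructed flow-log lines of the form: src dst dport action."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            src, dst, dport, action = line.split()
            records.append(FlowRecord(src, dst, int(dport), action.upper()))
    return records


def outbound_rejects(records: list, critical=CRITICAL_HOSTS) -> list:
    """Rejected egress from a critical host: the beacon never reached its C2,
    but the attempt is logged and should page someone."""
    return [r for r in records if r.src in critical and r.action == "REJECT"]


def policy_drift(records: list, critical=CRITICAL_HOSTS) -> list:
    """Flows the firewall ACCEPTed that the intended policy would REJECT,
    i.e. the deployed rule set no longer matches the allow-list."""
    return [r for r in records if r.src in critical and r.action == "ACCEPT"
            and egress_decision(r.dst, r.dport) == "REJECT"]


def risky_activity(activity_json: str, trusted=TRUSTED_ADMIN_NETWORKS) -> list:
    """High-risk operations whose callerIpAddress is outside trusted networks.
    Keying on the source network rather than the identity still flags
    credentials the attacker minted for themselves, which look valid."""
    flagged = []
    for event in json.loads(activity_json):
        if event.get("operationName") in HIGH_RISK_OPERATIONS:
            ip = ipaddress.ip_address(event["callerIpAddress"])
            if not any(ip in net for net in trusted):
                flagged.append(event)
    return flagged


# Constructed sample logs: one blocked beacon, one drifted rule, and one
# role assignment made from an untrusted network.
SAMPLE_FLOW_LOG = """
# src dst dport action
10.0.1.5 203.0.113.10 443 ACCEPT
10.0.1.5 198.51.100.7 443 REJECT
10.0.1.5 203.0.113.10 80 ACCEPT
10.0.2.9 198.51.100.7 443 ACCEPT
"""
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "ops-admin@example.com", "callerIpAddress": "10.0.1.5"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "new-admin@example.com", "callerIpAddress": "198.51.100.7"},
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "reader@example.com", "callerIpAddress": "198.51.100.7"},
])


def run_checks() -> dict:
    """Run the three checks over the constructed samples."""
    records = parse_flow_log(SAMPLE_FLOW_LOG)
    return {"rejects": [r.dst for r in outbound_rejects(records)],
            "drift": [(r.dst, r.dport) for r in policy_drift(records)],
            "risky": [e["caller"] for e in risky_activity(SAMPLE_ACTIVITY_LOG)]}


if __name__ == "__main__":
    print(run_checks())
```

Two design points are worth noting. The policy-drift check compares what the firewall actually logged against what the allow-list says it should have decided, which is how you find out that a rule set drifted from the intended policy before an attacker does. And the Activity Log check deliberately keys on the caller’s source network rather than on the identity, because an identity the attacker created for themselves will look legitimate to any per-user anomaly model; a privileged operation arriving from outside the networks your administrators use is suspicious regardless of whose name is on it.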

Everyone

Teri Radichel — Follow me @teriradichel

© 2nd Sight Lab 2020

Next: Prevent the Next Solar Winds Hack with Cybersecurity Fundamentals: Ask the right questions to prevent future data breaches

____________________________________________

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon.

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Need Cloud Security Training? Curriculum: 2nd Sight Lab Cloud Security Training

For a recap of cybersecurity news last week check out the 2nd Sight Lab Cybersecurity News Blog. Malware, vulnerabilities, data breaches, cost of a data breach, cybersecurity laws, and interesting cybersecurity developments.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts

____________________________________________

Articles on the SolarWinds Hack

SolarWinds Hack Retrospective Part 1: SolarWinds and the big picture for executives

SolarWinds Hack Retrospective Part 2: What caused the breach and what does the malware do?

SolarWinds Hack Retrospective Part 3: What could we do better to prevent similar breaches in the future?

Prevent the Next Solar Winds Hack with Cybersecurity Fundamentals: Ask the right questions to prevent future data breaches

Zero Trust for Software Updates: Consider network requirements when purchasing products

Hackers as Cloud Customers: How SolarWinds Hackers used AWS and Azure

Amazon declined to testify at congressional hearing on SolarWinds hack: From scandalous headlines to knowledge in cybersecurity
