SolarWinds Hack: Retrospective
Part 3: What could we do better to prevent similar breaches in the future?
Part one of this three-part series on the SolarWinds hack examined big-picture issues related to the SolarWinds and FireEye breaches. Part two considered the root causes of the SolarWinds compromise and the subsequent system access. This last post considers how to prevent breaches similar to SolarWinds in the future. Check out the links at the bottom of this post for all the articles in this series.
Now that we’ve considered how the SolarWinds hack started and the actions attackers were able to take as a result of the system compromise, we can take a look at what might have helped prevent the breach and limited the damage.
I do not have all the insider details. However, these recommendations will help many organizations, regardless of the specifics of the SolarWinds hack. These recommendations are a high-level overview. I offer ways to get more information, if needed, at the end of this blog post.
It’s unfortunate that attackers got onto the SolarWinds systems. As I write in my book, Cybersecurity for Executives in the Age of Cloud, it’s more unfortunate that affected organizations could not detect the C2 traffic, and that the users on the SolarWinds systems had all-powerful credentials that could be used to create additional user access via SAML signing certificates. Here’s how you can better protect yourself from a similar fate.
This is the same type of build and deploy system and segregated access I implemented at a security vendor that I helped move to the cloud, except that we were using AWS. It’s harder with a smaller team but now with things like permission boundaries on AWS and privileged identity management on Azure, it’s a bit easier than it was then.
SolarWinds — Development System and Update Server Security
- Architect the development system with segregation of duties to ensure one person alone cannot take critical actions.
- Secure source control system with network and user segregation.
- Set up appropriate network segregation and zero trust networking between any systems involved in software development, testing, deployment, and sending updates to customers.
- Ensure code integrity through the process and perform code reviews on critical parts of the system.
- Secure any automation APIs and systems used in the process appropriately, including API authentication mechanisms and zero trust networking.
- Use MFA and Azure Conditional access.
- Require hard-to-guess passwords.
- Disallow access to administrative ports from the Internet to log into systems where customer systems retrieve updates.
- Leverage insider threat monitoring.
- Penetration tests and security assessments of deployment systems, processes, and products. (Services available from my company.)
- Alerts on any suspicious or risky behavior such as password resets.
- Provide specific domain names for updates so customers can lock down retrieval of updates to specific domain names.
- Better still: also provide a specific IP range. Cloud providers allow you to allocate IP blocks, if that is an option for you.
- Cybersecurity training for developers, executives, and any decision-makers within the organization so they can make better cybersecurity decisions.
SolarWinds Customers — Disallowing access to the C2 channel and limiting credential abuse
- Use defense in depth. Leverage network, identity, and secure system architecture.
- Consider multiple mechanisms to monitor for threats that are not accessible to manipulation by a single set of credentials or malware.
- Segregate users to limit access in case credentials get compromised.
- The Sunburst malware needs to call home to a C2 channel. Firewalls outside of the control of any users on the monitoring system should only allow access to the specific update servers used by the SolarWinds product.
- Alert on rejected network traffic related to critical systems. Outbound rejected network traffic would be an indicator of compromise.
- Alert on credential use anomalies — but the challenge, in this case, is that the attackers were able to create valid credentials that would likely not trigger such alerts.
- Use Azure Activity Logs to monitor calls to Azure platform actions, including checking out what IP address is making the calls.
- Require MFA and use Azure conditional access to prevent the use of end-user credentials without additional factors.
- Set alerts for the indicators of compromise related to Mimikatz password resets mentioned in my last post.
- Limit the ability to enable SSO and access SAML signing certificates leveraged by attackers, as explained in the prior post.
- Separate those who administer access from those who use the access.
- Create roles with the minimum required permissions. Unfortunately, SSO administration in Azure requires a highly privileged account, and you cannot create a custom role for this purpose without signing up for an Enterprise account on Azure.
- If you cannot create a custom role, limit and monitor the use of administrative permissions with one of my favorite features in Azure — Privileged Identity Management. Require two people and a limited time for sensitive changes in your Azure subscriptions.
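The two detection points above, the egress allowlist with alerts on rejected outbound traffic, and the Azure Activity Log check on the caller IP address, as an added example in working code (this is not code from the original post or from SolarWinds). It assumes a vendor has published an update-server IP range, that the monitoring servers live in one subnet, and that administrative control-plane calls normally come from a known corporate range; every range, account and log line is a constructed placeholder, and the Activity Log records use only a small subset of the real event fields.

```python
"""Allowlist-based detection for a monitoring host's egress and for Azure
control-plane calls. All addresses, accounts and log lines are constructed."""
import ipaddress
import json

# Placeholder values (assumptions for this example, not real infrastructure).
UPDATE_SERVER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # vendor's published update range
MONITORING_SUBNETS = [ipaddress.ip_network("10.10.5.0/24")]       # where the monitoring servers live
CORPORATE_ADMIN_RANGES = [ipaddress.ip_network("192.0.2.0/28")]   # expected source of admin calls

# Constructed firewall log: "<action> <src> <dst> <dport>" per line.
FIREWALL_LOG = """\
ALLOW 10.10.5.12 198.51.100.7 443
REJECT 10.10.5.12 203.0.113.45 443
REJECT 10.10.5.40 203.0.113.45 443
ALLOW 10.10.5.12 203.0.113.46 443
ALLOW 10.20.1.3 203.0.113.45 443
"""

# Constructed Azure Activity Log records (subset of the real event fields).
ACTIVITY_LOG = json.dumps([
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "admin@example.com", "callerIpAddress": "192.0.2.5"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "svc-monitor@example.com", "callerIpAddress": "203.0.113.45"},
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "svc-monitor@example.com", "callerIpAddress": "203.0.113.45"},
])

# Control-plane operations that change who can do what; treat these as sensitive.
SENSITIVE_OPERATIONS = {"Microsoft.Authorization/roleAssignments/write"}


def in_ranges(ip, ranges):
    """True if the dotted-quad string ip falls inside any network in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def parse_firewall_log(text):
    """Parse the constructed firewall log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, src, dst, dport = line.split()
        records.append({"action": action, "src": src, "dst": dst, "dport": int(dport)})
    return records


def egress_alerts(records):
    """Alert on monitoring-subnet traffic that breaks the egress allowlist.

    A REJECT from a monitoring host is the indicator of compromise the post
    describes (something tried to call out). An ALLOW to a destination outside
    the update range means the firewall policy itself is wrong, so a second,
    independent check catches it instead of trusting the firewall alone."""
    alerts = []
    for r in records:
        if not in_ranges(r["src"], MONITORING_SUBNETS):
            continue  # only the monitoring subnet is held to this policy
        if r["action"] == "REJECT":
            alerts.append({"severity": "high", "src": r["src"], "dst": r["dst"],
                           "reason": "rejected outbound from monitoring host"})
        elif not in_ranges(r["dst"], UPDATE_SERVER_RANGES):
            alerts.append({"severity": "high", "src": r["src"], "dst": r["dst"],
                           "reason": "policy gap: allowed egress to non-update destination"})
    return alerts


def activity_log_alerts(text, trusted_ranges):
    """Flag sensitive Azure operations whose callerIpAddress is outside trusted_ranges."""
    alerts = []
    for event in json.loads(text):
        if event["operationName"] not in SENSITIVE_OPERATIONS:
            continue
        if not in_ranges(event["callerIpAddress"], trusted_ranges):
            alerts.append({"caller": event["caller"], "ip": event["callerIpAddress"],
                           "operation": event["operationName"],
                           "reason": "sensitive operation from untrusted IP"})
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(parse_firewall_log(FIREWALL_LOG)):
        print("EGRESS", alert)
    for alert in activity_log_alerts(ACTIVITY_LOG, CORPORATE_ADMIN_RANGES):
        print("AZURE ", alert)
```

Running it produces three egress alerts (two rejected connections from monitoring hosts and one allowed connection that the firewall should never have permitted) and one Azure alert for the role-assignment write made by the monitoring service account from an unexpected address. The second egress branch is the defense-in-depth point: the detection does not depend on the firewall being configured correctly, and neither check can be silenced by the credentials the monitoring server holds.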
- Organizations need well-thought-out directives from the highest level of the organization to implement cybersecurity properly.
- Consider checking out my book — Cybersecurity for Executives in the Age of Cloud or an upcoming security class (later this year). Follow me on Twitter, connect on LinkedIn, or check out the 2nd Sight Lab website for updates.
- You may also schedule a call with me or other security professionals if you have cybersecurity questions through IANS Research.
- If you’d like a penetration test or security assessment, please reach out to me on LinkedIn.
Teri Radichel — Follow me @teriradichel
© 2nd Sight Lab 2020
Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon.
Need Cloud Security Training? Curriculum: 2nd Sight Lab Cloud Security Training
For a recap of cybersecurity news last week check out the 2nd Sight Lab Cybersecurity News Blog. Malware, vulnerabilities, data breaches, cost of a data breach, cybersecurity laws, and interesting cybersecurity developments.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
Articles on the SolarWinds Hack