Published in Cloud Security
SolarWinds Hack: Retrospective

Part 3: What could we do better to prevent similar breaches in the future?

Part one of this three-part series on the SolarWinds hack examined big-picture issues related to the SolarWinds and FireEye breaches. Part two considered the root causes of the SolarWinds compromise and the system access that followed from it. This last post considers how to prevent breaches similar to SolarWinds in the future. Check out the links at the bottom of this post for all the articles in this series.

Now that we’ve considered how the SolarWinds hack started and the actions the attackers were able to take as a result of the system compromise, we can look at what might have prevented the breach and what would have limited the damage.

I do not have all the insider details. However, these recommendations will help many organizations, regardless of the specifics of the SolarWinds hack. These recommendations are a high-level overview. I offer ways to get more information, if needed, at the end of this blog post.

It’s unfortunate that attackers got onto the SolarWinds build systems. As I write about in my book, Cybersecurity for Executives in the Age of Cloud, it’s more unfortunate that affected organizations did not detect the C2 traffic, and that accounts on the systems running SolarWinds held credentials powerful enough to reach SAML token-signing certificates, which the attackers used to forge tokens and grant themselves additional access. Here’s how you can better protect yourself from a similar fate.

This is the same type of build and deploy system and segregated access I implemented at a security vendor that I helped move to the cloud, except that we were using AWS. It’s harder with a smaller team, but now, with things like permissions boundaries on AWS and Privileged Identity Management on Azure, it’s a bit easier than it was then.

SolarWinds — Development System and Update Server Security

SolarWinds Customers — Disallowing access to the C2 channel and limiting credential abuse

  • Use defense in depth: layer network controls, identity controls, and secure system architecture so that no single failure exposes everything.
  • Monitor for threats with more than one mechanism, and make sure those mechanisms cannot all be disabled or tampered with by a single set of credentials or by malware running on the monitored host.
  • Segregate users and their privileges so that a compromised credential exposes only a limited set of systems.
  • The Sunburst malware needs to call home to a C2 channel. Firewalls outside the control of any user on the monitoring system should allow outbound connections only to the specific update servers used by the SolarWinds product.
  • Alert on rejected network traffic from critical systems. Rejected outbound traffic from a server that should only ever talk to a handful of update servers is an indicator of compromise.
  • Alert on credential-use anomalies. The challenge in this case is that the attackers were able to create valid credentials, such as forged SAML tokens, that would likely not trigger such alerts.
  • Use Azure Activity Logs to monitor calls to the Azure control plane, including the source IP address of each call, so that a valid credential used from an unexpected location still stands out.
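The two firewall bullets above describe a check that can be run against real logs. The following is an added example, not code from the original post, showing what that alert logic looks like over AWS VPC Flow Log records: any rejected outbound connection from the monitoring host is treated as a possible beacon, and any accepted connection to a destination outside the update-server allowlist is treated as a gap in the egress policy. The host address, allowlist, listening ports and log lines are constructed for illustration; only the default VPC Flow Logs record layout is real.

```python
"""Detect C2-style egress from a monitoring host in VPC Flow Log records.

Added example, not code from the original post. The host address, the
allowlist, the listening ports and the log lines are constructed; the record
layout is the default (version 2) VPC Flow Logs format.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: private address of the server running the monitoring product.
MONITORING_HOST = ipaddress.ip_address("10.0.1.25")

# Constructed: ports the monitoring host listens on. Flow logs also record the
# return half of inbound sessions with the host as source, so a record whose
# source port is a listening port is a reply, not host-initiated egress.
LISTENING_PORTS = {443}

# Constructed: the only destinations the host should reach outbound, i.e. the
# vendor's update servers and the organisation's own DNS resolver.
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),  # vendor update server
    ipaddress.ip_network("203.0.113.11/32"),  # vendor update server
    ipaddress.ip_network("10.0.0.2/32"),      # internal DNS resolver
]

# Default VPC Flow Logs record fields, space separated, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class Alert:
    severity: str
    dstaddr: str
    dstport: int
    reason: str


def parse_record(line: str) -> dict:
    """Split one flow log line into a field dict; reject malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def is_allowlisted(dst) -> bool:
    return any(dst in net for net in EGRESS_ALLOWLIST)


def analyze(lines):
    """Return alerts for host-initiated egress that was rejected or that
    reached a destination outside the allowlist."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no addresses
        if ipaddress.ip_address(rec["srcaddr"]) != MONITORING_HOST:
            continue  # inbound traffic; a different detection's job
        if int(rec["srcport"]) in LISTENING_PORTS:
            continue  # reply to an inbound session, not host-initiated
        dst = ipaddress.ip_address(rec["dstaddr"])
        port = int(rec["dstport"])
        if rec["action"] == "REJECT":
            # The firewall did its job, but something on the host tried to
            # call out. Investigate the host.
            alerts.append(Alert("high", str(dst), port,
                                "outbound connection rejected; possible C2 beacon"))
        elif not is_allowlisted(dst):
            # Traffic left the host to an unapproved destination, so the
            # egress policy itself has a gap.
            alerts.append(Alert("critical", str(dst), port,
                                "outbound connection accepted to non-allowlisted destination"))
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_FLOW_LOGS = [
    # Update check to an approved vendor server: no alert.
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 49152 443 6 12 3400 1608000000 1608000060 ACCEPT OK",
    # Reply half of an inbound console session (source port 443): no alert.
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.5.40 443 51000 6 20 9000 1608000000 1608000060 ACCEPT OK",
    # Beacon to an unknown host, blocked by the egress firewall: high.
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.77 49153 443 6 3 180 1608000000 1608000060 REJECT OK",
    # DNS to an external resolver that the firewall let through: critical.
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.53 49154 53 17 1 80 1608000000 1608000060 ACCEPT OK",
    # Inbound connection from an admin workstation: ignored here.
    "2 123456789012 eni-0a1b2c3d 10.0.5.40 10.0.1.25 51000 443 6 20 9000 1608000000 1608000060 ACCEPT OK",
    # No-data record: skipped.
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1608000000 1608000060 - NODATA",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOW_LOGS):
        print(alert)
```

The "critical" branch is the one that matters most: a REJECT means the egress rule worked and the host needs attention, while an ACCEPT to an unlisted destination means the rule is wrong as well. In line with the bullet above, the rule itself (security group, network ACL or network firewall policy) and the flow log delivery should be managed with credentials the monitoring host does not hold, otherwise malware on that host can quietly turn both off.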
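The last two bullets (credential anomalies and Azure Activity Log source IPs) call for the same kind of check on the identity side. This added example, also not from the original post, triages Activity Log entries by comparing each call's client IP against the organisation's known egress ranges and against the IPs that caller has used before, and escalates when a privileged operation succeeded from an unexpected place. The known range, the callers and the entries are constructed; the field names (caller, operationName.value, status.value, httpRequest.clientIpAddress) follow the Azure Activity Log event schema.

```python
"""Triage Azure Activity Log entries by caller and source IP.

Added example, not code from the original post. The known egress range, the
caller names and the entries are constructed; the field names follow the Azure
Activity Log event schema.
"""
import ipaddress
from typing import Optional

# Constructed: the organisation's known egress ranges (office and VPN NAT).
KNOWN_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]

# Control-plane operations that grant or extend access. A valid credential
# performing one of these from an unexpected place is the scenario to catch.
PRIVILEGED_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
}


def client_ip(entry: dict) -> Optional[str]:
    """Source IP of the call, or None for entries without an HTTP request."""
    return (entry.get("httpRequest") or {}).get("clientIpAddress")


def in_known_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def build_baseline(history):
    """Map each caller to the set of client IPs it has used before."""
    seen = {}
    for entry in history:
        ip = client_ip(entry)
        if ip:
            seen.setdefault(entry["caller"], set()).add(ip)
    return seen


def triage(history, new_entries):
    """Flag calls from IPs outside known ranges or new to the caller.

    A forged or freshly created credential passes authentication, so the
    anomaly has to come from context: where the call came from and what it did.
    """
    baseline = build_baseline(history)
    findings = []
    for entry in new_entries:
        ip = client_ip(entry)
        if ip is None:
            continue  # platform-initiated events carry no client IP
        caller = entry["caller"]
        operation = entry["operationName"]["value"]
        succeeded = entry["status"]["value"] == "Succeeded"
        known = in_known_range(ip)
        seen_before = ip in baseline.get(caller, set())
        if known and seen_before:
            continue
        reasons = []
        if not known:
            reasons.append("source IP outside known egress ranges")
        if not seen_before:
            reasons.append("first time this caller used this IP")
        severity = "medium"
        if operation in PRIVILEGED_OPERATIONS and succeeded:
            severity = "critical"
            reasons.append("privileged operation succeeded")
        findings.append({"caller": caller, "ip": ip, "operation": operation,
                         "severity": severity, "reasons": reasons})
    return findings


def _entry(caller, operation, ip, status="Succeeded"):
    """Build a minimal, constructed activity-log entry."""
    entry = {"caller": caller,
             "operationName": {"value": operation},
             "status": {"value": status}}
    if ip is not None:
        entry["httpRequest"] = {"clientIpAddress": ip}
    return entry


# Constructed history: what these callers normally look like.
SAMPLE_HISTORY = [
    _entry("alice@example.com", "Microsoft.Compute/virtualMachines/read", "192.0.2.10"),
    _entry("alice@example.com", "Microsoft.Compute/virtualMachines/start/action", "192.0.2.10"),
    _entry("svc-deploy@example.com", "Microsoft.Resources/deployments/write", "192.0.2.11"),
]

# Constructed new entries to triage.
SAMPLE_NEW = [
    # Same caller, same IP, routine read: nothing to report.
    _entry("alice@example.com", "Microsoft.Compute/virtualMachines/read", "192.0.2.10"),
    # Valid credential, unknown IP, successful role assignment: critical.
    _entry("alice@example.com", "Microsoft.Authorization/roleAssignments/write", "198.51.100.20"),
    # Known range but an IP this caller has never used before: medium.
    _entry("svc-deploy@example.com", "Microsoft.Resources/deployments/write", "192.0.2.12"),
    # No client IP (platform event): skipped.
    _entry("Microsoft.Insights", "Microsoft.Insights/alertRules/Activated/action", None),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HISTORY, SAMPLE_NEW):
        print(finding)
```

The baseline is deliberately per caller rather than per tenant: an IP that is routine for a deployment service account is still new for a human administrator, and that is the distinction that survives when the attacker holds a credential that is valid by every other measure.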


Teri Radichel


© 2nd Sight Lab 2021


Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon.

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Need Cloud Security Training? Curriculum: 2nd Sight Lab Cloud Security Training

For a recap of cybersecurity news last week check out the 2nd Sight Lab Cybersecurity News Blog. Malware, vulnerabilities, data breaches, cost of a data breach, cybersecurity laws, and interesting cybersecurity developments.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts


Articles on the SolarWinds Hack

SolarWinds Hack Retrospective Part 1: SolarWinds and the big picture for executives

SolarWinds Hack Retrospective Part 2: What caused the breach and what does the malware do?

SolarWinds Hack Retrospective Part 3: What could we do better to prevent similar breaches in the future?

Prevent the Next Solar Winds Hack with Cybersecurity Fundamentals: Ask the right questions to prevent future data breaches

Zero Trust for Software Updates: Consider network requirements when purchasing products

Hackers as Cloud Customers: How SolarWinds Hackers used AWS and Azure

Amazon declined to testify at congressional hearing on SolarWinds hack: From scandalous headlines to knowledge in cybersecurity

Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty