SolarWinds’ recent breach introduces a host of critical security issues for government agencies, healthcare institutions, and large corporations in other industry sectors.
SolarWinds produces a variety of popular IT infrastructure monitoring solutions, and their breach has resulted in the introduction of compromised files in updates of these monitoring solutions.
These monitoring solutions have been used by 18,000 companies, one of the most notable being FireEye: the compromised SolarWinds software was used to breach FireEye and take the FireEye team’s red team tools.
Due to the popularity of SolarWinds, many organizations are now scrambling to determine whether they have also experienced a breach or other security issue, due to the use of the compromised SolarWinds software.
While responding to an issue like this, it is important to consider that a response is required in two ways. The first set of responses needs to focus on determining whether the use of compromised SolarWinds software has caused any security issues within your organization, and on taking measures to mitigate the possibility of issues arising as a result of having run the compromised software.
Assuming the compromised SolarWinds software is running in your environment or was previously running in your environment, some of the recommended remediation steps include the following:
- Assume all accounts that SolarWinds uses for monitoring have now been compromised. Monitoring software typically uses service accounts to log into servers, network devices, and other IT infrastructure. Any account that SolarWinds has access to should be considered compromised and treated accordingly.
- Look for use of the SolarWinds monitoring accounts. Assuming adequate logging existed prior to this incident, the logs should be searched to see whether any of the accounts used by SolarWinds were used to try to access systems that SolarWinds does not normally monitor, and whether the account usage patterns are otherwise suspicious.
- Look for the C&C traffic associated with the attack. The compromised SolarWinds software communicates with specific IP addresses and domains. Communications to these IP addresses and domains should be blocked, and alerts set up in the SIEM, so that any attempt to communicate with those destinations promptly flags the originating system for further investigation and remediation.
- Look for SolarWinds IOCs and other malware or potential indicators of a breach. Checks should be initiated to see whether any systems within your environment have been compromised, and any system on which an IOC is found should be flagged for further investigation and remediation.
- Take a snapshot or other form of backup that can be used for forensics later if needed. While getting rid of the compromised software is critical, it may be beneficial to take a snapshot or backup before patching or rebuilding the SolarWinds systems, so that forensics can be performed on the SolarWinds environment at a later time if needed.
- Remove the compromised software. SolarWinds now provides a patched version of their software that eliminates the compromised component. At a minimum this corrected version should be applied, but if possible it would be best to build a clean SolarWinds system from scratch, because the compromised SolarWinds software may have infiltrated other software components on the server on which SolarWinds is installed. That server must be considered compromised as well.
- Segment the network. If segmentation is not already in place, this latest security issue is a perfect illustration of why it is important on the internal network. No system within the network should have unrestricted access to everything else on the network.
Although segmenting the network will not prevent such problems from occurring, it will go a long way towards mitigating them by limiting the other resources in the environment that a compromised system can be used to access.
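Two of the steps above, searching logs for monitoring service accounts used outside their normal scope and alerting on traffic to blocked destinations, can be expressed as simple detection logic. The example below is added here and is not from the original article; every account name, host name, log line and blocklist entry is a constructed placeholder, not a real indicator, and the log formats are assumed.

```python
from collections import Counter

# Constructed assumptions: the monitoring service accounts, the hosts they are
# expected to reach, the SolarWinds server itself, and a destination blocklist.
MONITORING_ACCOUNTS = {"svc-solarwinds", "svc-sw-netmon"}
EXPECTED_TARGETS = {"web01", "web02", "core-sw1", "core-sw2"}
SOLARWINDS_HOSTS = {"solarwinds01"}
BLOCKED_DESTINATIONS = {"c2-placeholder.example", "203.0.113.10"}  # placeholders only

# Constructed auth log: timestamp,user,source_host,target_host,result
AUTH_LOG = """\
2020-12-14T02:15:01Z,svc-solarwinds,solarwinds01,web01,success
2020-12-14T02:15:03Z,svc-solarwinds,solarwinds01,core-sw1,success
2020-12-14T03:41:10Z,svc-solarwinds,solarwinds01,dc01,failure
2020-12-14T03:41:12Z,svc-solarwinds,solarwinds01,dc01,success
2020-12-14T03:42:00Z,svc-sw-netmon,web01,fileshare01,success
2020-12-14T04:00:00Z,jdoe,ws-0042,web01,success
"""

# Constructed DNS/proxy log: timestamp,source_host,destination
NET_LOG = """\
2020-12-14T03:40:00Z,solarwinds01,updates.example.net
2020-12-14T03:40:30Z,solarwinds01,c2-placeholder.example
2020-12-14T03:45:00Z,ws-0042,203.0.113.10
"""

def suspicious_account_use(auth_log):
    """Return (user, source, target, result) for each event where a monitoring
    account reached a host outside its expected set, or was used from a host
    other than the SolarWinds server. Failed attempts are reported too."""
    findings = []
    for line in auth_log.splitlines():
        _ts, user, src, dst, result = line.split(",")
        if user not in MONITORING_ACCOUNTS:
            continue
        if dst not in EXPECTED_TARGETS or src not in SOLARWINDS_HOSTS:
            findings.append((user, src, dst, result))
    return findings

def blocked_destination_hits(net_log):
    """Count, per source host, attempts to reach a blocked destination."""
    hits = Counter()
    for line in net_log.splitlines():
        _ts, src, dst = line.split(",")
        if dst in BLOCKED_DESTINATIONS:
            hits[src] += 1
    return hits

if __name__ == "__main__":
    for finding in suspicious_account_use(AUTH_LOG):
        print("account anomaly:", finding)
    for host, count in blocked_destination_hits(NET_LOG).items():
        print(f"blocked destination hits from {host}: {count}")
```

Each finding is a system to pull into the investigation queue; the same two functions can be pointed at exported SIEM data once the real account list, inventory and blocklist are substituted.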
Although far from comprehensive, the remediation steps above provide an overview of some of the major actions an organization can take to start dealing with this problem internally. However, as mentioned above, an adequate response to this breach requires two different types of responses.
Fixing the problem within your organization is essential, but one has to bear in mind that SolarWinds products are used by thousands of companies around the world. That raises questions such as:
- What other FireEye situations do we not know about yet?
- Who are the business partners or software vendors who might be using a hacked version of SolarWinds?
- How many third parties will be discovered to have suffered issues similar to FireEye’s?
- Do any of our business partners who host PHI use SolarWinds, and has their data been leaked in the same way the Red Team tools were?
- Have any companies we purchase software from suffered supply chain compromises through their use of SolarWinds, such that we now have to worry about the PACS we just purchased being used as a vector to attack us?
- Have other security suppliers been breached, such that we now have to worry that the tools we rely on to protect us are no longer effective?
While I hope the answer to all these questions will be no, as security professionals we need to prepare for the worst even as we hope for the best.
This brings us to the important question of how to address these risks, which leads to the following recommended control considerations:
- Third-party risk management. A robust third-party risk management process is essential to mitigate business partner risks and supply chain risks. It is also important to remember to evaluate the third-party risk management processes of business partners and suppliers as part of your assessment process. An issue with your business partner’s business partner may still be a problem for you.
- Zero trust. Micro-segmentation and other zero trust strategies are becoming increasingly critical. Every system must be treated as if it can be penetrated, whether it is public-facing or internal. Limiting what a system can reach goes a long way toward ensuring that any security incident remains contained.
- Defense in depth. Whether due to a security vendor’s compromise or some other reason, the truth is that controls sometimes fail. A defense in depth approach is critical to ensuring that even if one control in the environment fails, other controls can still work to mitigate the problem.
- Remember we’re all in this together. Healthcare organizations need to be increasingly transparent and share threat intelligence and information about the security strategies that do and do not work for them. Security is essential to patient safety, and we need to work together to make sure we keep our systems and our patients safe.
While breaches and compromises like these are never a good thing, it is important to bear in mind that every such incident represents an opportunity to learn and to use the lessons learned to further improve security within our environments. Let’s all take the time to reassess our strategies in light of recent events and make sure we are protected from these attack vectors in the future.
Christopher Frens is the Information Security Officer and Associate Vice President of Information Technology Security at Mount Sinai South Nassau