Cyber-Attack SolarWinds
Several organizations were recently made aware of a software supply chain attack that directly impacted a subset of customers using particular SolarWinds products. Detection and response guidance has been published by several public and private sector sources, with additional details on the malicious software and its capability. The scale and potential severity of this security issue are significant. For organizations running the vulnerable SolarWinds software components, the backdoor is designed to “phone home” to a Command and Control (C2) service over the internet and perform additional malicious activities as defined by the attacker, such as dropping additional malware, stealing and abusing privileged credentials, and using the SolarWinds system as a beachhead to move laterally throughout the enterprise environment.
The SolarWinds situation can become even more problematic when security monitoring and control systems are not adequately in place and operational, providing attackers with an additional advantage. Do we have sufficient logging in place to detect and alert on suspicious activity? Have we implemented endpoint detection and response (EDR) tools for enterprise visibility? Do we even have the right personnel in place to respond to adverse events promptly? This year has not been without its challenges for businesses pivoting to Work from Home solutions, activating business continuity and disaster recovery plans, and updating incident response plans. Adding software supply chain attacks to the list may seem daunting for companies already struggling to move toward their business goals. However, these situations also present opportunities to reassess, learn, and refocus on ways to further transform your business and succeed in this environment.
Who is affected?
Based on the SolarWinds security advisory, customers that downloaded and installed the following Orion Platform software builds and versions are affected:
- 4 HF 5
- 2 with no hotfix installed
- 2 HF 1
More specific version details may also be found in the CISA alert released on December 17, 2020. The product updates were released between March and June 2020. The advisory explains how to confirm which version and updates are currently installed. It also itemizes several products and their “affected” vs. “not affected” status. Therefore, organizations should review the current advisory and compare the list with internal information on deployed solutions within the enterprise. It is entirely possible that a SolarWinds customer may not be affected by this particular issue if they did not use the vulnerable software or did not update their software to a compromised version released during the security event period. A KrebsOnSecurity article published December 14 includes a partial list of SolarWinds customers, illustrating the range of organizations using SolarWinds software products.
The Orion Platform version 2020.2.1 HF 2 hotfix is available to customers and is intended to address the known malicious software updates. On December 13, 2020, SolarWinds notified approximately 33,000 active maintenance customers with potential exposure during the March – June 2020 period. On December 14, 2020, the SolarWinds 8-K filing also mentioned that an estimated 18,000 or fewer customers may be affected.
Cyber-Attack SolarWinds: How did this happen?
It is important to keep in mind that active investigations can result in additional discoveries that may alter the scope, timeline, or magnitude of these security events. Public information reported by SolarWinds indicates that the company's email and productivity tools (Microsoft Office 365) were targeted, and that the build environment was affected. Attackers routinely target and compromise organizations using a variety of techniques. Initial Access methods documented in the MITRE ATT&CK framework include phishing, supply chain compromise (relevant for some SolarWinds customers), and obtaining or abusing valid credentials.
What should I do – Activating your Incident Response Plan
For organizations directly affected by the SolarWinds vulnerability, digital forensics and incident response (DFIR) processes should already be activated. Where organizations do not maintain internal DFIR competencies, experienced third parties can provide critical investigative support and incident response lifecycle guidance. Please refer to the Additional Resources section for links to detailed technical analyses and methods to detect malicious activity. The CISA alert and DHS Emergency Directive include detailed, practical steps to mitigate the SolarWinds software vulnerabilities, including forensic evidence preservation, system and network isolation, and recovery activities after completing containment and eradication procedures. These steps generally align with the Incident Response Life Cycle published by NIST (SP 800-61).
As mentioned in a Microsoft blog by the Microsoft 365 Defender Research Team on December 18, 2020, organizations need to focus not only on standard “preventative protections” but also on ways to detect and respond to an active compromise within the organization's enterprise. The following security monitoring and control areas should be considered as you assess your internal environment:
- Digital Forensics/Incident Response (DFIR) Support – Are retainers or agreements in place with third parties to augment internal staff and competencies before a significant security event?
- Endpoint detection and response (EDR) tools – Are any tools in place with enterprise visibility into active systems and processes? If you needed to find a malicious file by filename or hash value quickly, how would you do it? Are personnel actively involved in threat hunting activities?
- Incident Response Plan – Are the IR plan and processes in place, up-to-date, and periodically tested? Are teammates trained periodically, before an actual incident?
- Identity & Access Management (IAM) – Are access controls in place to restrict access to internal resources based on the principle of least privilege? Is monitoring and alerting integrated with a SOC service? How are you ensuring that any deployed multi-factor authentication (MFA) or single sign-on (SSO) systems are not disabled or abused?
- Logging and monitoring solutions – Is logging configured on all active systems and devices? Do you have an inventory to confirm logging coverage? Are logs centrally aggregated and analyzed for suspicious activities? How long are logs retained? Are externally managed SOC services needed to address internal shortcomings?
- Network security controls and Network Traffic Analysis (NTA) – What solutions are in place to control ingress and egress traffic? Are intrusion detection/prevention systems (IDS/IPS) in place, tuned, and generating alerts? Are DNS calls being logged?
- Security Testing – Are periodic penetration testing and vulnerability scanning performed to evaluate the security of systems, networks, and applications?
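The EDR item above asks how you would quickly find a malicious file by filename or hash across systems. The following script is an added example, not code from MegaplanIT or SolarWinds: it walks a directory tree, streams every regular file through SHA-256, and reports files whose digest or filename appears on a watchlist. The watchlist entries and the sample files it creates are constructed placeholders for demonstration; in practice the hashes and names would come from the vendor advisory or a threat-intelligence feed, and the sweep would be run by your EDR or a scheduled job on each host.

```python
"""
Hash- and filename-based triage sweep (added example; not MegaplanIT's code).

Walks a directory tree, hashes each regular file with SHA-256, and flags any
file whose digest or name is on a watchlist. All indicator values below are
constructed placeholders, not real SolarWinds indicators.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Set


@dataclass(frozen=True)
class Match:
    path: str
    sha256: str
    reason: str  # "hash" (content matched) or "name" (filename matched)


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root: Path, bad_hashes: Set[str], bad_names: Set[str]) -> List[Match]:
    """Hash every regular file under root and report watchlist hits.

    Hex digests are compared case-insensitively; filenames are compared
    case-insensitively because Windows file systems are.
    """
    bad_hashes = {h.lower() for h in bad_hashes}
    bad_names = {n.lower() for n in bad_names}
    matches: List[Match] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Skip symlinks (do not follow them) and anything that is not a plain file.
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: in production, log it rather than silently skip
            if digest in bad_hashes:
                matches.append(Match(str(path), digest, "hash"))
            elif name.lower() in bad_names:
                matches.append(Match(str(path), digest, "name"))
    return sorted(matches, key=lambda m: m.path)


# Constructed watchlist (placeholders, not real indicators).
KNOWN_BAD_CONTENT = b"constructed sample content standing in for a malicious binary"
BAD_HASHES = {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest()}
BAD_NAMES = {"Suspicious-Placeholder.dll"}


def run_demo() -> List[Match]:
    """Build a constructed sample tree in a temp directory and sweep it.

    The tree holds one clean file, one file hit by name, and one file whose
    content matches the watchlist hash even though it has been renamed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "clean.txt").write_bytes(b"nothing to see here")
        (root / "bin" / "suspicious-placeholder.dll").write_bytes(b"benign bytes, flagged by name only")
        (root / "bin" / "renamed.bin").write_bytes(KNOWN_BAD_CONTENT)
        return sweep_directory(root, BAD_HASHES, BAD_NAMES)


if __name__ == "__main__":
    for m in run_demo():
        print(f"{m.reason:4}  {m.sha256[:16]}...  {m.path}")
```

The renamed file is caught by its hash and the placeholder DLL by its name, which is the point of keeping both checks: an attacker who renames a dropped file defeats a name-only search, while a recompiled or padded file defeats a hash-only search. Pair this with centralized logging of the results so that a hit on one host can be searched across the fleet.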
MegaplanIT Is Here To Help
MegaplanIT Holdings, LLC provides professional services and Managed SOC services to our clients, based on their specific needs. We partner with our clients and identify the right balance of products and support services to keep your business focused and moving forward in the right direction. Our team can provide professional services and implement managed endpoint detection and response solutions, support investigative activities, and conduct more routine security and compliance efforts. Whether you are looking for a Security Health Check, managed services, security testing, Incident Response support, or security and compliance controls guidance, our team is ready to help your business overcome challenges and become a more streamlined and resilient operation.