Thoughts on SolarWinds Incident for FedGov

Post authors: Patrick Kelly, IT Director; David Scaffido, IT Manager; Sarah Mirzakhani, IT Principal

The Information Technology community is in the midst of one of the most far-reaching cybersecurity failures in history. The compromised supply chain for SolarWinds Orion updates[1] gave attackers a path into a broad customer base without directly attacking fortified perimeter defenses. The next steps for potential victims are recognition of the breach, remediation of the affected network assets, and recovery, where recovery means restoring an acceptable level of assurance in the confidentiality, integrity, and availability of the organization’s data and operations.

For federal civilian agencies, the identification and remediation procedure is defined by Emergency Directive 21-01, Mitigate SolarWinds Orion Code Compromise, issued by the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security.[2] Agencies must conduct system memory, host storage, network and cloud forensic analysis and hunt for indicators of compromise (IOCs)[3] or other evidence of threat actor activity, including user impersonation, privilege escalation and data exfiltration.

The required actions in ED 21-01 spell out the steps and operational tasks for identifying threat actor activity: forensic analysis of memory and storage on the SolarWinds Orion hosts; review of stored network data (for example DNS logs) for new external domains contacted by those hosts; blocking all external network traffic to and from the Orion platforms; and identifying and removing any unexplained accounts and any persistence mechanisms found. If the agency is not prepared to perform this analysis and recovery itself, CISA encourages the agency to report the incident and to coordinate with CISA in finding a qualified service provider capable of conducting the forensics.

Agencies need to evaluate their defenses against data exfiltration and continually test the effectiveness of these complex configurations. In addition, agencies should position their detective controls to identify and report abnormal connectivity between internal systems and external systems. In the SolarWinds case, the compromised Orion devices connected to domains and systems (avsvmcloud[.]com) outside of the expected behavior for SolarWinds systems. It is reasonable for vendor devices to connect to vendor-controlled external systems for updates and maintenance, but connections outside of that expectation should raise alarms that are investigated. Should outside vendor devices be segmented into their own subnetworks for monitoring and protection? No system on your secured network should be able to open a direct connection to an unexplained, and in this case malicious, destination.
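As an added example (not part of the original post, and not CISA's or SolarWinds' code) of the stored-network-data review called for by ED 21-01 and of the detective control described above, the following script baselines the outbound DNS lookups of the Orion hosts against the vendor and OS domains they are expected to reach, flags anything else, and raises a high-severity alert on the known SUNBURST command-and-control domain. The log format, the host inventory, the allowlist and the sample lines are all constructed for this example; only the avsvmcloud[.]com domain itself comes from the post.

```python
"""Hunt for unexpected outbound DNS lookups from SolarWinds Orion hosts.

Added example for this post; not code from SolarWinds, CISA or the authors.
The log format, host inventory, allowlist and sample lines are assumptions
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed resolver-log sample (hypothetical format):
# "<timestamp> <client_ip> <query_name> <qtype>"
# The long label under appsync-api is made up; it only mimics the shape of
# the SUNBURST beacon subdomains.
SAMPLE_DNS_LOG = """\
2020-12-13T03:11:05Z 10.20.0.15 downloads.solarwinds.com A
2020-12-13T03:11:07Z 10.20.0.15 api.solarwinds.com A
2020-12-13T03:14:22Z 10.20.0.15 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com A
2020-12-13T03:20:41Z 10.20.0.15 time.windows.com A
2020-12-13T03:30:00Z 10.20.0.15 updates.example-vendor.net A
2020-12-13T03:31:09Z 10.20.0.99 www.whitehouse.gov A
2020-12-13T03:35:12Z 10.20.0.15 crl.microsoft.com A
"""

# Assumed inventory: the hosts on which the Orion platform is installed.
ORION_HOSTS = {"10.20.0.15"}

# Assumed baseline: vendor update/licensing endpoints plus OS housekeeping.
# Any lookup outside this list from an Orion host is an alert.
EXPECTED_SUFFIXES = ("solarwinds.com", "windows.com", "microsoft.com")

# Known-bad SUNBURST C2 domain (defanged in the post as avsvmcloud[.]com).
KNOWN_C2_SUFFIXES = ("avsvmcloud.com",)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def _matches(name, suffixes):
    """True if name equals a suffix or is a subdomain of it.

    The leading dot matters: 'evil-solarwinds.com' must not match
    'solarwinds.com', which a bare str.endswith() check would allow.
    """
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(qname):
    """Verdict for one query name: KNOWN_C2, EXPECTED or UNEXPECTED."""
    if _matches(qname, KNOWN_C2_SUFFIXES):
        return "KNOWN_C2"
    if _matches(qname, EXPECTED_SUFFIXES):
        return "EXPECTED"
    return "UNEXPECTED"


def hunt(log_text, orion_hosts=ORION_HOSTS):
    """Return alerts for Orion hosts only, as (severity, ts, src, qname) tuples."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if m["src"] not in orion_hosts:
            continue  # other hosts have other baselines; out of scope here
        verdict = classify(m["qname"])
        if verdict == "KNOWN_C2":
            alerts.append(("HIGH", m["ts"], m["src"], m["qname"]))
        elif verdict == "UNEXPECTED":
            alerts.append(("MEDIUM", m["ts"], m["src"], m["qname"]))
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. {'HIGH': 1, 'MEDIUM': 1}."""
    counts = defaultdict(int)
    for severity, *_ in alerts:
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    found = hunt(SAMPLE_DNS_LOG)
    for alert in found:
        print(*alert)
    print(summarize(found))
```

Run against the constructed sample, the script produces one HIGH alert for the avsvmcloud[.]com beacon and one MEDIUM alert for the unexplained vendor domain, while the expected SolarWinds and Microsoft lookups and the non-Orion host are ignored. The suffix matching deliberately requires a dot boundary so that a look-alike such as evil-solarwinds.com is not silently accepted as vendor traffic; the baseline itself should come from the agency's own inventory, not from this example's allowlist.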

Many experts classify this attack as very sophisticated.[4] Indirectly attacking a target by first compromising a third party whose product occupies a trusted host position inside the target allowed the attackers to operate undetected for months. A trusted host is an internal host that is granted a network presence without question or challenge; it operates with almost no scrutiny of its actions and behavior. Its value to an attacker lies in avoiding detection, because the agency trusts the host’s actions without question. Combine unchallenged access to the internal network with some creativity and experience in data exfiltration, and the result is a data breach that impacts thousands of computers and calls into question the agency’s assurance that it can control sensitive and valuable data.

CLA provides cybersecurity and data privacy resources to help you protect your information and systems. Our professionals combine technical knowledge with IT audit and assurance experience to help you address issues involving compliance, security, and testing. We can perform services to assist your agency in identifying weaknesses in your layered defense strategy. Using the foundation of the NIST Cybersecurity Framework of Identify, Protect, Detect, Respond and Recover, we offer actionable recommendations to improve your security profile. We test and measure the effectiveness of continuous diagnostics and mitigation as it integrates with your vulnerability management program.

Our team of federal industry auditors, consultants, and IT specialists is here to support you and your agency. Subscribe to our email communications to get the latest news and information. Our experienced professionals can help you navigate the complexities of IT security and audit readiness, best preparing you for what lies ahead.


[1] The ongoing SolarWinds information regarding the data breach – Security Advisory | SolarWinds

[2] DHS Emergency Directive (ED 21-01) – Emergency Directive 21-01

[3] Indicators of Compromise – Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services | CISA

[4] Attack Summary – The SolarWinds Cyber-Attack: What You Need to Know (cisecurity.org)
