Teri Radichel

reases-in-cyber-risk-from-internet-exposure-124be0f43bf5">from the Internet</a> to log into systems where customer systems retrieve updates.</li><li>Leverage insider threat monitoring.</li><li><a href="https://2ndsightlab.com/cloud-penetration-testing.html">Penetration tests</a> and <a href="https://2ndsightlab.com/cloud-security-assessment.html">security assessments</a> of deployment systems, processes, and products. (Services available from my <a href="https://2ndsightlab.com/">company</a>.)</li><li><a href="https://readmedium.com/the-attackers-are-in-your-network-now-what-91c0be94a4e2">Alerts on any suspicious or risky behavior such as password resets</a>.</li><li><a href="https://readmedium.com/trust-is-overrated-9bb32be4a68c">Provide specific domain names for updates so customers can lock down retrieval of updates to specific domain names</a>.</li><li>Better: Provide a specific IP range also. Cloud providers allow you to create IP blocks if that is an option.</li><li><a href="https://2ndsightlab.com/cloud-security-training.html">Cybersecurity training</a> for developers, executives, and any decision-makers within the organization so they can make <a href="https://readmedium.com/how-to-think-about-cybersecurity-7b87ed4357b3">better cybersecurity decisions</a>.</li></ul><p id="62ac"><b>SolarWinds Customers — Disallowing access to the C2 channel and limiting credential abuse</b></p><ul><li>Use <a href="https://readmedium.com/20-cybersecurity-questions-for-executives-to-ask-security-teams-f813a92a806">defense in depth</a>. 
Leverage network, identity, and secure system architecture.</li><li>Consider multiple mechanisms to monitor for threats that are not accessible to manipulation by a single set of credentials or malware.</li><li><a href="https://readmedium.com/the-aftermath-of-stolen-credentials-dbcebde531dc">Segregate users to limit access in case credentials get compromised</a>.</li><li>The <a href="https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth">Sunburst malware</a> needs to call home to a C2 channel. Firewalls outside of the control of any users on the monitoring system should only allow access to the specific update servers used by the SolarWinds product.</li><li>Alert on rejected network traffic related to critical systems. Outbound rejected network traffic would be an indicator of compromise.</li><li>Alert on credential use anomalies — but the challenge, in this case, is that the attackers were able to create valid credentials that would likely not trigger such alerts.</li><li>Use <a href="https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log">Azure Activity Logs</a> to monitor calls to Azure platform actions, including checking which IP address is making the calls.</li></ul><figure id="1f2f"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*ZUSCwrbTGf83s4t1P9uOmA.png"><figcaption></figcaption></figure><ul><li>Require <a href="https://readmedium.com/mfa-is-a-pain-a492679d70ea">MFA</a> and use <a href="https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview">Azure conditional access</a> to prevent the use of end-user credentials without additional factors.</li><li>Set alerts for the indicators of compromise related to Mimikatz password resets mentioned in my last post.</li><li><a href="https://readmedium.com/the-aftermath-of-stolen-credentials-dbcebde531dc">Limit the ability to enable SSO and access SAML signing certificates leveraged by attackers, as explained in the prior 
post</a>.</li><li><a href="https://readmedium.com/the-aftermath-of-stolen-credentials-dbcebde531dc">Separate those who administer access from those who use the access</a>.</li><li>Create roles with the minimum required permissions. Unfortunately, SSO administration in Azure requires a highly privileged account, and you cannot create a <a href="https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles">custom role</a> for this purpose without signing up for an Enterprise account on Azure.</li><li>If you cannot create a custom role, limit and monitor the use of administrative permissions with one of my favorite features in Azure — <a href="https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure">Privileged Identity Management</a>. Require two people and a limited time for sensitive changes in your Azure subscriptions.</li></ul><p id="6f9a"><b>Everyone</b></p><ul><li>Organizations need well-thought-out directives from the highest level of the organization to implement cybersecurity properly.</li><li>Consider checking out my book — <a href="https://www.amazon.com/Cybersecurity-Executives-Cloud-Teri-Radichel-ebook/dp/B0852M2XBJ/ref=as_li_ss_tl?dchild=1&amp;keywords=cloud+security&amp;qid=1608240675&amp;sr=8-24&amp;linkCode=ll1&amp;tag=2ndsightlab-20&amp;linkId=de6484656fb3d7551cba0e3e4bcaff47&amp;language=en_US">Cybersecurity for Executives in the Age of Cloud</a> or an upcoming <a href="https://2ndsightlab.com/cloud-security-training.html">security class</a> (later this year). 
Follow me on <a href="https://twitter.com/teriradichel">Twitter</a>, connect on <a href="https://www.linkedin.com/in/teriradichel">LinkedIn</a>, or check out the <a href="https://2ndsightlab.com/">2nd Sight Lab</a> website for updates.</li><li>You may also schedule a call with me or other security professionals if you have cybersecurity questions through <a href="https://www.iansresearch.com/">IANS Research</a>.</li><li>If you’d like a <a href="https://2ndsightlab.com/cloud-penetration-testing.html">penetration test</a> or <a href="https://2ndsightlab.com/cloud-security-assessment.html">security assessment</a>, please reach out to me on <a href="https://linkedin.com/in/teriradichel">LinkedIn</a>.</li></ul><p id="890b">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2020</i></p><div id="8b5f"><pre>About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div><div id="caae"><pre>Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation</pre></div><div id="3b5e"><pre>Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab</pre></div><figure id="5610"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*H9Ew1KCl-29nZiPR.jpeg"><figcaption></figcaption></figure></article></body>

SolarWinds Hack: Retrospective 3

Part 3: What could we do better to prevent similar breaches in the future?

One of my stories on the SolarWinds Breach, Data Breaches, and Network Security.


Now that we’ve considered how the SolarWinds hack started and the actions attackers were able to take as a result of the system compromise, we can take a look at what might have helped prevent the breach and what would have limited the damage.

I do not have all the insider details. However, these recommendations will help many organizations, regardless of the specifics of the SolarWinds hack. These recommendations are a high-level overview. I offer ways to get more information, if needed, at the end of this blog post.

It’s unfortunate that attackers got onto the SolarWinds systems. As I write about in my book on Cybersecurity for Executives in the age of Cloud, it’s more unfortunate that affected organizations could not detect the C2 traffic, and that the users on the SolarWinds systems had all-powerful credentials that could be used to create additional user access via SAML signing certificates. Here’s how you can better protect yourself from a similar fate.

This is the same type of build and deploy system and segregated access I implemented at a security vendor that I helped move to the cloud, except that we were using AWS. It’s harder with a smaller team, but now, with things like permission boundaries on AWS and Privileged Identity Management on Azure, it’s a bit easier than it was then.

SolarWinds — Development System and Update Server Security
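As an added example (not code from this post, from SolarWinds, or from any vendor), here is the customer-side counterpart of the recommendations above: the vendor publishes an update domain and IP range, the customer's firewall allows the monitoring server to reach only those, and any rejected outbound connection from that server is raised as an indicator of compromise. The domain, CIDR, monitoring-server address and key=value firewall log format are all constructed assumptions.

```python
"""Constructed example: default-deny egress for a monitoring server based on a
vendor-published update domain and IP range, plus alerts on rejected outbound
traffic from that server. Every value below is an assumption, not a real IoC."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed vendor-published update domain and IP block, and the assumed address
# of the monitoring server that is only allowed to talk to those.
ALLOWED_UPDATE_DOMAINS = {"updates.example-vendor.invalid"}
ALLOWED_UPDATE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
CRITICAL_HOSTS = {"10.0.5.10"}

# Constructed firewall log lines in an assumed key=value format.
LOG_LINES = """\
2020-12-13T02:11:04Z ALLOW OUT src=10.0.5.10 dst=203.0.113.7 dport=443 sni=updates.example-vendor.invalid
2020-12-13T02:11:09Z DENY OUT src=10.0.5.10 dst=198.51.100.23 dport=443 sni=unknown.example
2020-12-13T02:12:01Z DENY OUT src=10.0.7.44 dst=198.51.100.9 dport=80
2020-12-13T02:12:30Z ALLOW IN src=192.0.2.5 dst=10.0.5.10 dport=443
2020-12-13T02:13:00Z ALLOW OUT src=10.0.5.10 dst=203.0.113.9 dport=443 sni=other.example
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<dir>IN|OUT) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: sni=(?P<sni>\S+))?$")

Alert = Tuple[str, str, str, str]  # (timestamp, src, dst, reason)


def egress_allowed(dst_ip: str, sni: Optional[str]) -> bool:
    """Permit only the published IP range AND, when the TLS SNI is known,
    the published domain; everything else is denied by default."""
    in_range = any(ipaddress.ip_address(dst_ip) in n for n in ALLOWED_UPDATE_CIDRS)
    named_ok = sni in ALLOWED_UPDATE_DOMAINS if sni else True
    return in_range and named_ok


def alerts_for(log_text: str) -> List[Alert]:
    """An outbound DENY from a critical host is the indicator of compromise the
    post describes; an ALLOW to an unlisted destination is a gap in the policy."""
    found: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "OUT" or m["src"] not in CRITICAL_HOSTS:
            continue  # only outbound traffic from critical hosts matters here
        if m["action"] == "DENY":
            found.append((m["ts"], m["src"], m["dst"], "rejected outbound traffic from critical host"))
        elif not egress_allowed(m["dst"], m["sni"]):
            found.append((m["ts"], m["src"], m["dst"], "policy gap: outbound allowed to unlisted destination"))
    return found
```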


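As an added example (not Microsoft's code or the post's) for the Azure Activity Logs item in the SolarWinds Customers list above: a small review pass over exported activity log records that flags privileged role-assignment writes and callers whose IP address is outside a known baseline, rating a privileged change from an unknown IP highest. It assumes the records carry the activity log's operationName, caller and callerIpAddress fields; the identity, baseline IPs, corporate range and sample records are constructed.

```python
"""Constructed example: review exported Azure Activity Log records for
privileged control-plane writes and for caller IPs outside a baseline.
All identities, IP ranges and records below are assumed sample values."""
import ipaddress
import json
from typing import Dict, List, Set

# Assumed office/VPN egress range and per-identity IPs seen during a clean period.
CORP_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_CALLER_IPS: Dict[str, Set[str]] = {"admin@contoso.example": {"198.51.100.14"}}
# Operations that change who can do what: review them even from a known IP.
PRIVILEGED_OPS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
}
# Constructed sample export of three activity log records.
SAMPLE_RECORDS = json.dumps([
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "admin@contoso.example", "callerIpAddress": "198.51.100.14",
     "eventTimestamp": "2020-12-14T09:02:11Z"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "admin@contoso.example", "callerIpAddress": "203.0.113.77",
     "eventTimestamp": "2020-12-14T09:05:40Z"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "admin@contoso.example", "callerIpAddress": "198.51.100.14",
     "eventTimestamp": "2020-12-14T09:30:00Z"},
])


def is_expected_ip(caller: str, ip: str) -> bool:
    """True when the IP is in the caller's baseline or in a corporate range."""
    addr = ipaddress.ip_address(ip)
    return ip in KNOWN_CALLER_IPS.get(caller, set()) or any(addr in n for n in CORP_RANGES)


def review(records_json: str) -> List[dict]:
    """One finding per suspicious record; a privileged write from an unknown
    IP (the credential-abuse case) is high, either signal alone is medium."""
    findings = []
    for rec in json.loads(records_json):
        op, caller, ip = rec["operationName"], rec["caller"], rec["callerIpAddress"]
        reasons = []
        if op in PRIVILEGED_OPS:
            reasons.append("privileged operation")
        if not is_expected_ip(caller, ip):
            reasons.append("caller IP outside baseline")
        if reasons:
            findings.append({"time": rec["eventTimestamp"], "caller": caller, "ip": ip,
                             "op": op, "reasons": reasons,
                             "severity": "high" if len(reasons) == 2 else "medium"})
    return findings
```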