SolarWinds Defense – Blue Team Perspective

Jon Zeolla

How it happened

SolarWinds Network Monitoring Systems have been a de-facto standard for network monitoring and defense for an extended period of time. The recent breach occurred by gaining access to the SolarWinds servers and replacing files that are part of the Orion Network Monitoring suite with malicious versions. Once this happened, customers who updated to Orion’s compromised version was infected with a 0-day; a previously unreleased and unknown, malware variant. From there, different tools and techniques have been utilized to move throughout the network to gain persistence, and otherwise take advantage of the compromised systems.

Fallout

Companies worldwide are still attempting to respond to incidents and breaches resulting from the initial SolarWinds compromise, also known as Solarigate or Solarstorm. From a technical standpoint, you may be wondering how we can stop that initial breach. In other words, how can we prevent malicious updates from even being introduced into our network altogether. Though difficult and sometimes near impossible, there are still ways you can help to minimize the after-effects. When your updates are corrupted, especially when they are signed and bypass all operating system security measures, you cannot stop the initial breach.  Along with the current cleanup that companies are dealing with from Solarigate/Solarstorm, Senators. Maggie Hassan (D-N.H.) and John Cornyn (R-Texas) re-introduced a bill in February of 2021 that is intended to enable the National Guard to be deployed to help mitigate state cyber-attacks.

EDR

The security measures you have in place to mitigate the effects post-breach, initially preventing privilege escalation, or monitoring events with Endpoint Detection and Response software, otherwise known as EDR, can make or break a network’s security posture. Utilizing EDR software to monitors scripts, user file changes, or system file modifications, you can minimize the damage that malware can accomplish post-breach or before said malware traverses the network entirely. You can effectively isolate and limit the potential damage with the alerts generated from these systems, to allow security teams to respond to an infection properly, and thoroughly.

Traditional anti-malware solutions generally look for malware signatures. Some may also include a host-based firewall. Though when a 0-day exploit or default operating system tools are used against you, i.e., PSexec or SMB lateral movement and privilege escalation become easier and less obvious. Some of this lateral movement you can limit with the host-based firewall. However, without a proper EDR, attackers can use your standard tools like PowerShell against you to elevate privileges, and then the firewall can be disabled.

Monitoring and Alerting

To compliment EDR solutions, you should also consider utilizing a Security Operations Center that continuously monitors a Security Incident and Event Monitoring, or SIEM, platform. SIEMs can ingest logs from servers, endpoints, EDR software, firewalls, routers, switches, etc. The best way to have up-to-date data is utilizing free and or commercial Threat Intel feeds coupled with a well-placed and fully implemented SIEM. These feeds can be integrated into most SIEM solutions and provide lists of known bad IPs, malware signatures, and other correlation capabilities.

With Threat Intel lists implemented, your event data will be more visible and viewing the logs and creating correlation rules much easier. Alerts can be generated to report on malicious lateral movement and other post-breach maneuvers through the culmination of intel lists, log sources, and correlation rules. Once again, by seeing these alarms, you can block C2 servers at the firewall, isolate systems through EDR, and otherwise limit the effect of any breach.

Conclusion

In this blog we gave a little bit of context to the SolarWinds breach and the resulting fallout. Between the extensive update validation to legislation being introduced that allows for the National Guard to assist with the mitigation of any state-sponsored cyber-attacks; the goal is always to prevent what you can and minimize as much of the damage as possible. EDR and SIEM are two of the most prevalent ways you can help provide the visibility needed to respond to these types of attacks. As supply chain attacks increase, always remember that a combination of hardware, software, and people will be the primary contributors to keeping your data and infrastructure secure. No single solution is going to be an end all be all in protecting the organization.