Background
SolarWinds Orion was infected with unauthorized code from a malicious third party sometime before March 2020. Customers who installed the corrupt software between March and June activated the malicious code which gave attackers access to their internal networks. The attack has been labelled as Sunburst by some, Solarigate by others. For simplicity I will use Sunburst.
Sunburst is a supply chain attack that targets a supplier to an organization rather than the organization itself. This attack did NOT require an unpatched software vulnerability, a zero-day vulnerability, nor a misconfiguration of the systems. Normal patching and configuration management systems cannot assist in preventing or detecting this type of attack.
What’s happening now
Most organizations have reviewed their Orion installations to determine if they were impacted. If you are still unsure you can reference the FireEye report detailing indicators of compromise (IOC) to look for.
Detect before exfiltration
Supply chain software attacks are a difficult and growing problem. While it is true there is no amount of vulnerability management that can prevent these attacks, there are security controls that can assist in detecting and shutting down the attack before an attacker can exfiltrate data. Below I highlight the 12 steps of the attack and security controls that can be deployed to detect and possibly block the attack.
Realistic controls to deploy
Your enterprise firewall should NEVER allow full access to the Internet from all systems in your datacentre. If the Orion servers were denied access to the Internet the attack would have been blocked. Network security policy management (NSPM) tools facilitate analysing firewall policy for over-provisioned access as well as certifying rules on an annual, or more frequent, basis.
- Servers with access to the Internet should have a well defined policy with specific source, destination, and services allowed.
- Review all firewall rules annually, or more often, for business relevance.
- Review all firewall rules for overly permissive access such as any/any access.
Deploy a network detection and response (NDR) product analysing the traffic going to the Internet or other non-enterprise controlled networks. Several reputable NDR vendors have indicated they were able to detect malicious internal traffic that would have been present in steps 4 – 9 from our figure.
- Deploy an NDR product that can detect reconnaissance traffic and lateral movement.
SAML is a wonderful tool to reduce user authentication friction. Golden SAML, leveraged in the attack, is a powerful tool that allows a hacker to impersonate ANYONE in the organization.
- Ensure SAML authentications in your service provider logs correlate to SAML tokens issuance by the identity provider.
The attackers leveraged organizations implicit trust of IP ranges hosted on AWS and Azure platforms. Implicit trust of any outside organization should be heavily scrutinized.
- Only permit access to systems on IaaS platforms on a least privilege basis. Deny any/any access to IaaS IP address ranges by default and only allowed after a risk analysis.
Closing
Supply chain attacks are a powerful attack vector that are somewhat easy for attackers to leverage as an ethical hacker showed by infiltrating 35, some major, organizations, even after Sunburst was widely disclosed. This attack vector will be leveraged again. The attack is not novel and can be thwarted with basic network security hygiene and the addition of a few basic network security controls. Update your controls now so you will be alerted to the next SUNBURST before your data leaves the building.
First published on Gartner Blog Network
