8 ways to stop Sunburst and other supply chain attacks

Thomas Lintemuth by Thomas Lintemuth
February 22, 2021
Photo by Ray Bilcliff from Pexels

Background

SolarWinds Orion was infected with unauthorized code from a malicious third party sometime before March 2020. Customers who installed the corrupted software between March and June activated the malicious code, which gave attackers access to their internal networks. The attack has been labelled Sunburst by some and Solarigate by others. For simplicity I will use Sunburst.

Sunburst is a supply chain attack: it targets a supplier to an organization rather than the organization itself. This attack did NOT require an unpatched software vulnerability, a zero-day vulnerability, or a misconfiguration of the systems. Normal patching and configuration management systems cannot assist in preventing or detecting this type of attack.

What’s happening now

Most organizations have reviewed their Orion installations to determine whether they were impacted. If you are still unsure, you can reference the FireEye report detailing the indicators of compromise (IOC) to look for.

Detect before exfiltration

Supply chain software attacks are a difficult and growing problem. While it is true that no amount of vulnerability management can prevent these attacks, there are security controls that can assist in detecting and shutting down the attack before an attacker can exfiltrate data. Below I highlight the 12 steps of the attack and the security controls that can be deployed to detect and possibly block it.

Realistic controls to deploy

Your enterprise firewall should NEVER allow full access to the Internet from all systems in your datacentre. If the Orion servers had been denied access to the Internet, the attack would have been blocked. Network security policy management (NSPM) tools facilitate analysing firewall policy for over-provisioned access as well as certifying rules on an annual, or more frequent, basis.

  • Servers with access to the Internet should have a well-defined policy with specific source, destination, and services allowed.
  • Review all firewall rules annually, or more often, for business relevance.
  • Review all firewall rules for overly permissive access such as any/any access.
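The three firewall checks above can be automated against an exported rule base. The following is an added example, not code from the original post or from any NSPM product; the rule fields (`src`, `dst`, `svc`, `action`, `last_reviewed`) and the sample rules are constructed for illustration.

```python
from datetime import date

# Constructed sample rule base (not from any real firewall). Each allow rule
# records source, destination, service and the date its owner last certified it.
RULES = [
    {"id": 10, "src": "10.20.0.0/24", "dst": "any", "svc": "any",
     "action": "allow", "last_reviewed": date(2019, 1, 15),
     "comment": "monitoring servers -> Internet"},
    {"id": 20, "src": "10.20.0.5", "dst": "203.0.113.10", "svc": "tcp/443",
     "action": "allow", "last_reviewed": date(2021, 1, 10),
     "comment": "vendor update mirror"},
    {"id": 30, "src": "any", "dst": "any", "svc": "any",
     "action": "allow", "last_reviewed": date(2020, 12, 1),
     "comment": "temporary troubleshooting"},
    {"id": 40, "src": "10.30.0.0/24", "dst": "10.40.0.10", "svc": "tcp/1433",
     "action": "allow", "last_reviewed": date(2021, 2, 1),
     "comment": "app -> database"},
]


def audit_rules(rules, today, max_age_days=365):
    """Return (rule id, finding) pairs for allow rules that breach the policy:
    - any/any/any: overly permissive
    - 'any' destination or service: egress not scoped to a specific
      destination and service, as the first bullet requires
    - last review older than max_age_days: stale, needs recertification
    """
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules are not over-provisioned access
        wild = [f for f in ("src", "dst", "svc") if r[f] == "any"]
        if len(wild) == 3:
            findings.append((r["id"], "any/any/any allow rule"))
        elif "dst" in wild or "svc" in wild:
            findings.append((r["id"], "egress not scoped: " + ", ".join(wild) + " is any"))
        if (today - r["last_reviewed"]).days > max_age_days:
            findings.append((r["id"], "not reviewed in over %d days" % max_age_days))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, date(2021, 2, 22)):
        print("rule %d: %s" % (rule_id, finding))
```

Rule 10 is the Orion-style case: a datacentre subnet with unscoped Internet egress that nobody has recertified in over a year.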

Deploy a network detection and response (NDR) product analysing the traffic going to the Internet or other non-enterprise-controlled networks. Several reputable NDR vendors have indicated they were able to detect the malicious internal traffic that would have been present in steps 4 – 9 of our figure.

  • Deploy an NDR product that can detect reconnaissance traffic and lateral movement.

SAML is a wonderful tool to reduce user authentication friction. Golden SAML, leveraged in the attack, is a powerful technique that allows a hacker to impersonate ANYONE in the organization.

  • Ensure SAML authentications in your service provider logs correlate to SAML token issuance by the identity provider.
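The correlation check above can be expressed as a small log join: every assertion the service provider accepts must appear in the identity provider's issuance log with the same subject. This is an added example, not code from the original post; the log formats, the `assertion_id` and `subject` fields and the sample lines are constructed, and a real deployment would map them to the IdP's and SP's actual audit fields.

```python
import re

# Constructed sample logs (not from any real IdP or SP product). The IdP records
# every assertion it signs; the SP records every assertion it accepts.
IDP_LOG = """\
2021-02-20T08:01:12Z idp issued assertion_id=_a1f3 subject=alice@example.com audience=https://sp.example.com
2021-02-20T08:05:40Z idp issued assertion_id=_b7c2 subject=bob@example.com audience=https://sp.example.com
"""
SP_LOG = """\
2021-02-20T08:01:13Z sp accepted assertion_id=_a1f3 subject=alice@example.com src=10.1.1.20
2021-02-20T08:05:41Z sp accepted assertion_id=_b7c2 subject=bob@example.com src=10.1.1.21
2021-02-20T09:30:02Z sp accepted assertion_id=_9e4d subject=admin@example.com src=10.1.1.99
"""

IDP_RE = re.compile(r"issued assertion_id=(\S+) subject=(\S+)")
SP_RE = re.compile(r"accepted assertion_id=(\S+) subject=(\S+)")


def issued_assertions(idp_log):
    """Map assertion id -> subject for every token the IdP actually issued."""
    return {m.group(1): m.group(2) for m in IDP_RE.finditer(idp_log)}


def unissued_logins(sp_log, issued):
    """Return (assertion id, subject) for SP logins the IdP has no record of
    issuing, or whose subject differs from the one the IdP issued it for.
    A forged token never passes through the IdP, so it is visible only on
    the SP side; that gap is the detection signal."""
    suspicious = []
    for m in SP_RE.finditer(sp_log):
        assertion_id, subject = m.group(1), m.group(2)
        if issued.get(assertion_id) != subject:
            suspicious.append((assertion_id, subject))
    return suspicious


if __name__ == "__main__":
    for assertion_id, subject in unissued_logins(SP_LOG, issued_assertions(IDP_LOG)):
        print("ALERT: SP accepted %s for %s with no matching IdP issuance" % (assertion_id, subject))
```

In the constructed data the third SP login has no IdP counterpart and is the one flagged; the check is only as good as the completeness of the IdP issuance log it joins against.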

The attackers leveraged organizations' implicit trust of IP ranges hosted on AWS and Azure platforms. Implicit trust of any outside organization should be heavily scrutinized.

  • Only permit access to systems on IaaS platforms on a least-privilege basis. Deny any/any access to IaaS IP address ranges by default and allow it only after a risk analysis.

Closing

Supply chain attacks are a powerful attack vector that is somewhat easy for attackers to leverage, as an ethical hacker showed by infiltrating 35 organizations, some of them major, even after Sunburst was widely disclosed. This attack vector will be leveraged again. The attack is not novel and can be thwarted with basic network security hygiene and the addition of a few basic network security controls. Update your controls now so you will be alerted to the next SUNBURST before your data leaves the building.

First published on Gartner Blog Network

Thomas Lintemuth

Thomas Lintemuth researches industry trends and best practices regarding network security technologies including firewalls, network access control, intrusion detection, DDoS, micro-segmentation, remote access and zero trust environments. Previously, Lintemuth managed the network engineering team and directed the operational and project aspects of a national network. He managed the security engineering team deploying numerous technologies including IAM, PAM, CASB, SIEM, DLP, IDS.