This discussion expresses the views of the author. Debate entries can be sent to [email protected]
What does VG have to do with the Solarwinds accident? Of course nothing. So what am I looking forward to? You should do a VG test. I will return to it further down.
What happened?
Several large companies running Solarwinds were targeted for attack in 2020. The attacks were not malicious from an operational point of view, as things were not removed, but robbery to gain access to sensitive and critical information recovery systems, for as long as possible. , of course preferably without being detected.
The burglary was discovered by Fireeye in December 2020, 9 months after the malicious code began to be distributed.
This report from Mandiant explains in detail how the attack happened, and it became an incentive for me to write This publish:
Was it impossible to prevent this?
of course not. There were many who had Solarwinds Orion who were not injured. One thing is that many were not the target of the criminals, and therefore were not affected. Others had procedures that stopped the experiments before they became harmful. Read some examples she has And she has.
What do criminals require to succeed?
The first part of the attack, or burglary, stayed under most people’s radar by downloading a software update that contained code that allowed criminals to get in. This code then ran several careful checks, which were hidden from view by many, to check if everything was ready for the next step in the burglary. If all is well, the techniques continue to move forward. One of the steps was to open a back door.
What is Command and Control, C2, Home Phone, Tailgate?
Is this something you need to think about? Yes it is.
This is a communication channel used by criminals to carry out large-scale operations across Communications are not normally monitored. It is therefore important to be aware of this vector, and to introduce measures that reduce the potential for it to be misused. This is the gist of this article
If you can browse VG from your own server, the security is very poor
What is meant by this? Is VG dangerous? barely. But. If you can browse VG from domain controllers, backup servers, Solarwinds Orion, or similar servers, you can most likely communicate with the network of criminals. This is what they often rely on to succeed in a dangerous attack. Criminals rely on a liberal policy in your network to succeed in such attacks.
Successful events fall within the allowed traffic. Reduce the attack surface
You need to control what your servers can do on the internet. Allow only what is necessary for production.
RDP is often abused internally
Are you getting an RDP login image on your servers from the office? From home office / VPN? From server to server? Is this necessary for production?
Do you have an MFA as an access control requirement with respect to RDP on all of your servers? If not, why did you choose not to? Is it based on risk assessment?
What do Solarwinds Orion municipality and Østre Toten have in common?
Home phone. command and control. the back door. Criminals needed to connect with themselves to be successful. This is an element in the chain of events that criminals must carry out in order to achieve their goal.
The details of the various attacks are described in Mandiant article And Defer report.
Lockheed Martin’s online murder series shows the different steps criminals often have to take to succeed. Lockheed Martin explains this in Animated movie on its web pages. As mentioned above, #6, Command and Control (C2) was central to both examples. If this chain is broken, the attack is also stopped.
Zero confidence. Never trust, always check.
Assuming it is dangerous. Assuming that servers can’t connect to the internet is scary. Check it out. Do a VG test. Most of the time, this is unfortunately possible.
Technology is a fearsome “enemy”. Putting trust in technology to save us is proving unfortunate all the time. Everyone has technology. Many of them have amazing technology. Without good and proper attention, it quickly turns into false security.
We humans decide the outcome. We humans are risk-averse. We humans find measures. We humans decide policy. We humans make politics. We humans maintain politics. We humans must make the difference. Technology will help, but only after we humans do our work on the whiteboard.
Reduce the attack surface
Successful events fall within the allowed traffic. Create an internet rule for each server, and define what each individual is allowed to do after assessing the risks. Base for domain controllers or domain controllers. Base for your backup servers. Base for SolarWinds Orion, or equivalent server, etc.
Use the source IP. Destination IP if possible. request type. Specific URL if involved. Check all permitted traffic to be able to stop known incidents. SSL decrypts it for full control. Record everything. Alarm for suspicious behavior. He watches. Integrating security solutions into alarm systems. Incorporate them into case management systems so that critical alarms create a state in attention systems, and provide documentation so someone can process them.
This is part of the standard recommendations included in the NSM’s Fundamental Principles of ICT Security. Through these measures, it was possible to avoid the accidents that occurred both in the municipality of Ostry-Totten and the Solarwinds Orion accident.
What about the cloud? What if I outsource my servers to run?
Exactly the same thing applies. Can you browse VG from your most important servers? So you are wide open to attack.
This article was written before the Log4J CVE-2021-44228 vulnerability became known.
“Web specialist. Lifelong zombie maven. Coffee ninja. Hipster-friendly analyst.”
