It has been reported that the Department of Homeland Security (DHS) was successfully breached as part of a major attack on U.S. federal agencies by suspected Russian hackers, Reuters said yesterday. Reuters cited “people familiar with the matter” in reporting that hackers believed to be working for the Russian government had gained access to internal communications within DHS.
This breach, in which attackers lived in the environment undetected for months, shows the critical importance of lateral movement detection and the remediation of unnecessary credentials. These threat actors were using standard living-off-the-land techniques – leveraging legitimate credentials and existing connectivity. This is some of the hardest movement to identify, because it looks like normal activity.
A more active approach is needed. It has to be assumed that attackers are getting in, and what we do once they have breached the perimeter is what will make the most difference. The sooner companies understand and appreciate the importance of focusing on paralyzing attackers inside the network, the greater their chance of assembling the technology and tools needed to robustly secure that network.
CISA is mandating that affected, or potentially affected, systems be forensically imaged immediately. The importance of obtaining a full forensic picture, which is then delivered to security teams for remediation and further action, can’t be overstated. Ideally, security teams will see this as a learning opportunity to make sure their preferred active defense tools have this deterministic capability. Only then can they prepare more thoroughly for future attacks, which is paramount in the fight against cybercrime.
The SUNBURST campaign represents a uniquely distressing intrusion event with implications for multiple industries and network operators. The ubiquity of SolarWinds in large networks, combined with the potentially long dwell time of intrusions facilitated by this compromise, means victims of this campaign need not only recover their SolarWinds instance, but may need to perform widespread password resets, device recovery, and similar restoration activity to completely evict an intruder.
While this is concerning and unfortunate under present circumstances, future supply chain attacks—as this will not be the last such incident to impact network defenders and operators—can be met with and detected by aggressive NSM (network security monitoring) and communication visibility. So long as even the most complex backdoor or implant requires communication to or instructions from a controlling entity, defenders have opportunities to detect and disrupt operations. Through continuous monitoring of network traffic and an understanding of which hosts are communicating with what, defenders can use attacker weaknesses and dependencies to overcome these otherwise daunting challenges.
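The dependency described above, that an implant has to talk to its controller, is what a network security monitoring team hunts for in connection logs. The following is an added example, not code from the article or from any of the vendors quoted in it: a small Python detector that reads Zeek-style connection records, groups flows by source, destination and port, and flags pairs whose inter-arrival times are machine-regular (low coefficient of variation) and whose destination is contacted by only one or two internal hosts. The log lines, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for illustration; real deployments tune the thresholds against their own baseline.

```python
"""Beaconing detector over Zeek-style connection records (added example).

Assumes a simplified conn log with whitespace-separated fields:
ts  id.orig_h  id.resp_h  id.resp_p  proto  duration  orig_bytes  resp_bytes
Lines beginning with '#' (Zeek headers) are ignored.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: host 10.1.2.30 talks to 203.0.113.50:443 roughly every
# 600 seconds (machine-timed), while other traffic to 198.51.100.10 is
# irregular human browsing from several hosts. None of this is real traffic.
SAMPLE_CONN_LOG = """\
#fields ts id.orig_h id.resp_h id.resp_p proto duration orig_bytes resp_bytes
1607900000.0 10.1.2.30 203.0.113.50 443 tcp 0.9 610 240
1607900050.0 10.1.2.30 198.51.100.10 443 tcp 2.1 1820 51200
1607900100.0 10.1.2.31 198.51.100.10 443 tcp 3.4 2210 88000
1607900130.0 10.1.2.31 198.51.100.10 443 tcp 1.2 900 12000
1607900600.5 10.1.2.30 203.0.113.50 443 tcp 0.8 605 238
1607900900.0 10.1.2.31 198.51.100.10 443 tcp 0.7 650 9000
1607901199.0 10.1.2.30 203.0.113.50 443 tcp 0.9 612 241
1607901500.0 10.1.2.32 198.51.100.10 443 tcp 4.0 3100 120000
1607901801.2 10.1.2.30 203.0.113.50 443 tcp 0.9 608 239
1607901950.0 10.1.2.31 198.51.100.10 443 tcp 2.2 1500 40000
1607902000.0 10.1.2.31 198.51.100.10 443 tcp 1.0 700 8000
1607902222.0 10.1.2.30 198.51.100.10 443 tcp 1.9 1700 30000
1607902399.7 10.1.2.30 203.0.113.50 443 tcp 0.8 607 240
1607902800.0 10.1.2.32 198.51.100.10 443 tcp 1.5 1200 20000
1607903000.3 10.1.2.30 203.0.113.50 443 tcp 0.9 611 242
1607903400.0 10.1.2.31 198.51.100.10 443 tcp 2.8 2000 60000
"""

MIN_EVENTS = 4     # fewer connections than this gives no useful interval statistics
MAX_CV = 0.10      # coefficient of variation of gaps below this looks machine-timed
MAX_SOURCES = 2    # destination seen from this many or fewer internal hosts is "rare"


def parse_conn_log(text):
    """Parse the simplified conn log into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, _duration, obytes, _rbytes = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "orig_bytes": int(obytes)})
    return flows


def find_beacons(flows, min_events=MIN_EVENTS, max_cv=MAX_CV, max_sources=MAX_SOURCES):
    """Return (src, dst, port) pairs whose timing is regular and whose destination is rare."""
    by_pair = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["port"])].append(f)
        sources_per_dst[f["dst"]].add(f["src"])

    findings = []
    for (src, dst, port), group in by_pair.items():
        if len(group) < min_events:
            continue
        times = sorted(f["ts"] for f in group)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap   # 0 means perfectly periodic
        if cv <= max_cv and len(sources_per_dst[dst]) <= max_sources:
            findings.append({"src": src, "dst": dst, "port": port,
                             "events": len(group), "mean_interval": avg_gap,
                             "cv": cv, "distinct_sources": len(sources_per_dst[dst])})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every ~{hit['mean_interval']:.0f}s "
              f"({hit['events']} flows, cv={hit['cv']:.3f}, sources={hit['distinct_sources']})")
```

The two tests are deliberately independent: regular timing alone also matches legitimate update checks and monitoring pollers, and a rare destination alone matches any niche SaaS, so an analyst would want both signals (plus byte-size consistency and a long window) before treating a pair as a candidate for further investigation.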
While the news of the massive global SolarWinds breach is an all-too-painful reminder of the WannaCry attack in 2017 that crippled the NHS and dozens of other UK healthcare organisations, today is not the time to panic. If 2020 has taught us anything, it is that the COVID-19 pandemic has improved the resiliency of security professionals and reinforced how determined defenders are to rid networks of cyber espionage adversaries. In fact, all UK companies should respond in a cold, logical, rational way.
As far back as March, Russian hackers affiliated with the Cozy Bear group slipped malware into SolarWinds’ IT management platform and waited for months to activate it. Thus far, we know that the Department of Homeland Security, U.S. Treasury, and U.S. Commerce Department were hacked. So were many of the world’s Fortune 500 companies, including many UK companies. What’s next as the world’s largest forensics investigation continues and upwards of 20,000 companies have been breached?
In general, now is not the time for security experts to panic. A practical and measured response is advised. If SolarWinds is being used in your organization, strengthen your security posture as follows:
● Isolate machines running SolarWinds until further information is available as the investigation unfolds
● Reimage impacted machines
● Reset credentials for accounts that have access to SolarWinds machines
● Upgrade to Orion Platform version 2020.2.1 HF1 as soon as possible. SolarWinds has also provided further mitigation steps.
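Turning the four steps above into a repeatable triage pass starts with knowing which hosts run Orion, which build each one runs, and which accounts can reach them. The following is an added example, not code from the article or from SolarWinds: a Python script that parses Orion version strings of the form "2020.2.1 HF1", orders them correctly (a hotfix sorts above the same base version, a missing patch level counts as zero), and produces the isolate, upgrade and credential-reset lists from an inventory. The inventory, host names and account names are constructed; the cut-off "2020.2.1 HF1" is the version the text names, and anything below it is treated as needing the upgrade. Reimaging is deliberately not automated here, because deciding which machines were actually impacted depends on forensic findings that an inventory cannot supply.

```python
"""Orion version triage for the isolate / reset / upgrade steps (added example).

Assumes version strings shaped like "2020.2", "2020.2.1" or "2019.4 HF5".
The inventory below is constructed and not from any real environment.
"""
import re

# Base version as up to three dotted integers, optionally followed by "HF<n>".
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)

# The upgrade target named in the advisory text above.
FIXED_VERSION = "2020.2.1 HF1"


def parse_orion_version(text):
    """Return a comparable tuple (major, minor, patch, hotfix)."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # "2020.2" -> (2020, 2, 0)
    hotfix = int(match.group(2) or 0)        # no HF suffix -> hotfix 0
    return tuple(parts) + (hotfix,)


def needs_upgrade(version, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build."""
    return parse_orion_version(version) < parse_orion_version(fixed)


def triage(inventory, fixed=FIXED_VERSION):
    """Build the action lists from a list of {host, version, accounts} records."""
    isolate = sorted(rec["host"] for rec in inventory)        # every Orion host, per step 1
    upgrade = sorted(rec["host"] for rec in inventory
                     if needs_upgrade(rec["version"], fixed))  # step 4
    accounts = set()
    for rec in inventory:                                      # step 3: every account with access
        accounts.update(rec["accounts"])
    return {"isolate": isolate, "upgrade": upgrade, "reset_accounts": sorted(accounts)}


# Constructed inventory (hypothetical hosts and accounts).
INVENTORY = [
    {"host": "orion-01.corp.example", "version": "2020.2.1 HF1",
     "accounts": ["svc_orion", "admin_jsmith"]},
    {"host": "orion-02.corp.example", "version": "2020.2",
     "accounts": ["svc_orion", "admin_ajones"]},
    {"host": "orion-lab.corp.example", "version": "2019.4 HF5",
     "accounts": ["svc_orion_lab"]},
]


if __name__ == "__main__":
    for action, items in triage(INVENTORY).items():
        print(f"{action}: {', '.join(items)}")
```

The version parser is the part worth keeping: comparing "2020.2.1 HF1" against "2020.2" as strings gives the wrong order, and a shared service account such as the constructed svc_orion shows why the reset list is deduplicated across hosts rather than handled per machine.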
In addition, set up a task force to go through all logs, check the hygiene of systems, and make sure everyone is generally on high alert for further attacks. Ensure your company is always hunting for adversaries. The sooner you do these things, the sooner you can assume no one is lurking silently in your network.