Since the SolarWinds news broke, my colleagues and I have been discussing how CIOs can prevent a supply chain exploit in our environments. Together we have dozens, if not hundreds, of solutions we are able to deploy. I reached out to several of my peer CIOs & CISOs in the CIO Professional Network to obtain feedback from front-line professionals on how to deploy established solutions in our environments that can lower the probability of a successful exploit.
Here’s what they had to say.
Implement Controls to Establish Multiple Lines of Defense
Attackers typically need to obtain privileged credentials to carry out attacks. However, the SolarWinds supply chain attack did not require a credential provisioning event where security monitoring could detect that a new credential was attempted, issued, or taken over. The SolarWinds attack inherited the credentials and system account certificates already used by the Orion network monitoring software, which made credential/certificate misuse stealthy and difficult to detect. However, it is still important to follow the guidelines to protect your credential management system.
- Use multifactor authentication for accounts with escalated privileges. Most exploits will look to establish account credentials with escalated privilege.
- Use least privilege to limit the number of people internally who have access to role privileges, and make certain those accounts/individuals with privileges use multifactor authentication. For system accounts, use certificate or token authentication to prevent system accounts from being misused. Review access management and consider putting in a Privileged Access Management system (PAM solution) to manage, control, and audit access to privileged accounts.
- Always encrypt traffic in transit within your network to prevent credential harvesting/theft, referred to as man-in-the-middle attacks. CIO network perimeters are increasingly mobile perimeters, especially when so many people are working remotely. Therefore, a virtual private network or other similar controls that encrypt traffic are necessary to prevent man-in-the-middle credential harvesting attacks.
- Install, enable, and keep updated/patched anti-malware protection on servers that host commercially licensed software. Commercially licensed software is a vector for supply chain exploits. Malware detection systems can detect when an attacker is attempting to activate malware on your assets.
- Make certain you are on top of managing your IP address ranges and your asset inventory (physical/virtual) – know what you are responsible for protecting. Scan your IP address ranges for vulnerabilities using a commercial product or service. Some companies have reported knowing they run the SolarWinds Orion product but were unsure of what devices it was installed on, slowing Orion patch remediation and incident investigations.
- Remove all default credentials from your environment. Consider using a Local Administrator Password Solution (LAPS solution) to randomize and control local administrator passwords in your environment.
Evaluate Your Current Vendors and Prospective Solution Providers
- Do business with accredited firms: SOC1 & SOC2 Type 2, ISO 27001/2, and/or NIST certified suppliers.
- Know what user, system account, or service account rights a solution requires within your network prior to licensing or subscribing to the service. Based on what rights are required, determine if you wish to do business with this entity or if you’ll need to establish mitigating controls based on elevated privileges required by the solution.
- Understand how the solution system uses and manages security certificates.
- Consider subscribing to a service that evaluates and rates software/solution providers’ security practices.
- Include language in software and solution agreements that holds solution providers accountable via penalties and other remedies for attacks facilitated by their software solutions.
Maintain Proper Software/Solution Hygiene
- Eliminate software you don’t use or authorize by eliminating the rights for individuals to download software.
- Stay on top of patch management – most successful post-penetration exploits take advantage of unpatched software.
Ensure Historical Visibility and Logging to Facilitate Detection, Response, and Forensics
- Incidents like a supply chain attack underscore the need for endpoint/asset attack detection and response software, not only to quickly contain issues but, more importantly, to provide visibility via a look-back log archive. Once an attack like a supply chain exploit has been identified, it is important to determine historically whether any of the indicators of compromise were seen in your environment. By implementing a log monitoring system, often referred to as a Security Incident and Event Management system or SIEM, syslogs can be historically retained, searched, and analyzed for the patterns inherent in an exploit. These visibility, preventative, and detective controls can save you a lot of time and money when answering key questions about incidents.
- Consider using a “defense in depth” architecture, which provides the capability of adding several attack mitigation strategies. One feature to put into a defense in depth security architecture is redirecting suspect Internet traffic to purpose-built security systems. These purpose-built assets receive traffic bound for destinations known to be compromised and direct it to “nowhere”. While this traffic redirection is in progress, capture the transaction details and add queries to your traffic visibility framework to capture traffic to suspect websites. Use proxy and other controls to blacklist or manage access to Internet sites, and Intrusion Prevention/Detection solutions to monitor for nefarious and unusual network traffic.
- If using a defense in depth or sandbox architecture as noted above, make sure your sandbox assets are not domain-joined. This specifically has been noted in the supply chain research notes by FireEye as referenced in an interview with Jake Williams, a senior security trainer for SANS.
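As an added example (not part of the original article), the kind of look-back search described above: a script that replays an archived syslog export against an indicator list and reports, per asset, how often and when each indicator was seen. The log lines, host names, domains and hash values are constructed placeholders, not real SolarWinds indicators.

```python
"""Retrospective indicator hunt over a look-back syslog archive (added example)."""
import re
from datetime import datetime

# Constructed placeholder indicators: NOT real SolarWinds IoCs.
ORION_HASH = "a" * 64
INDICATORS = {
    "domain": {"example-c2.invalid", "update-staging.invalid"},
    "sha256": {ORION_HASH},
}

# Constructed look-back archive: DNS resolver and EDR lines in syslog style.
BENIGN_HASH = "b" * 64
ARCHIVE = "\n".join([
    "2020-03-26T02:14:05Z dns01 named: client 10.0.5.12 query: example-c2.invalid IN A",
    f"2020-03-26T09:41:10Z edr: host=srv-orion01 proc=orion-svc.exe sha256={ORION_HASH}",
    "2020-05-02T11:03:44Z dns01 named: client 10.0.5.12 query: example-c2.invalid IN A",
    "2020-06-17T18:22:01Z dns01 named: client 10.0.7.30 query: intranet.corp.invalid IN A",
    f"2020-12-15T07:55:19Z edr: host=ws-finance07 proc=chrome.exe sha256={BENIGN_HASH}",
])

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
ASSET_RE = re.compile(r"(?:client|host=)\s*([\w.-]+)")   # source IP or host name
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def extract_indicators(line, indicators=INDICATORS):
    """Return the set of (kind, value) indicators present in one log line."""
    text = line.lower()
    found = {("sha256", h) for h in HASH_RE.findall(text) if h in indicators["sha256"]}
    found |= {("domain", d) for d in DOMAIN_RE.findall(text) if d in indicators["domain"]}
    return found


def hunt(archive, indicators=INDICATORS):
    """Map (asset, kind, value) -> first_seen / last_seen / count over the archive."""
    hits = {}
    for line in archive.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue                      # skip lines without a parsable timestamp
        ts = datetime.fromisoformat(ts_match.group(1))
        asset_match = ASSET_RE.search(line)
        asset = asset_match.group(1) if asset_match else "unknown"
        for kind, value in extract_indicators(line, indicators):
            rec = hits.setdefault((asset, kind, value), {"first_seen": ts, "last_seen": ts, "count": 0})
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
            rec["count"] += 1
    return hits
```

Each hit answers the question the text poses: which asset touched the indicator, when it first appeared, and how long it persisted, which is only possible if the archive reaches back that far.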
Test the Preparedness of Your Cybersecurity Emergency Response Team
- It is important that when (not if) your company is suspected of being, or is actually found to be, a victim of an attack, you know how you would respond to it not just technically, but commercially with customers and potentially with law enforcement officials.
- Now is the time to practice emergency response procedures and processes logically via tabletop exercises and physically via actual emergency response exercises. These tests of your emergency response systems provide important learnings and feedback prior to an actual incident.
Thanks to all in the CIO Professional Network who contributed to this article. Our hope in publishing these recommendations is that we can continue to assist one another in maintaining proper protection standards against cyber attackers, especially those looking to use a supply chain exploit.