SolarWinds Breach: How do we stop this from happening again?

by | Dec 23, 2020

SolarWinds Breach: How do we stop this from happening again?

The SolarWinds breach is perhaps one of the worst, if not the worst public hacking events in history. Much has been written on what happened, and I’m not going to regurgitate those details. There is inestimable complexity ahead for CISOs to try and identify the extent of their compromise and then get comfort that the threat actors are out of their environment.

Even after the dust settles from the SolarWinds breach, the fact remains that there is nothing preventing a similar attack in the future. Supplier / third party risk assessment questionnaires and vuln scanning didn’t help here (we’ve talked about this in our Cyber Kumite series) and they won’t help next time either, but you can be sure that over the coming months you will see hundreds of emails from vendors telling you how their product could have stopped these attacks. From next-gen-next-gen EDR, to Zero Trust widgets, they all will claim to solve these problems, but they won’t. So, how do we as cyber defenders do something about this?

 

Defending against future attacks like SolarWinds

There is a straight-forward solution that has been available for many years, but which very few put in the time and effort necessary to do it properly. The answer is to only explicitly allow data center connections out to the Internet, aka “allow list”. Whether you are worried about Russian hackers compromising your vendor products, or a lazy system admin browsing sketchy sites from that server they are doing maintenance on, this solution goes a long way to undo bad decisions and uncontrollable trojans. Your data center assets are your most critical resources; allowing them access the large part of the Internet is head scratching. Servers are designed to be single-purpose devices, and the scope of Internet access a server needs should be minimal and be able to be quickly mapped and reviewed by administrators. This type of configuration prevents any traffic (including C2) to domains that aren’t explicitly allowed. There are many ways to do this, varying from cheap to expensive. A few solutions:

  • DNS Security – establish system-based DNS security policies that will prevent all domains from resolving unless explicitly allowed. Tools like Cisco Umbrella, Infoblox DNS Firewall, and many others can get the job done.  The downside is that many of these solutions will do nothing about direct IP connections going outbound.  There will likely be a cost to address that.
  • Border Firewall – using your border firewall to limit the destinations allowed from any of your data center network segments. You’ll likely need several profiles to address different types of computing needs, such as VDI etc.  Chances are you own the tools to do this today.
  • Forward Proxy – the true “free” method which sets up a forward proxy gateway, such as Apache or NGINX, and allows you to create a choke point for outbound network traffic. An allow list can be created and managed to ensure that you’re only granting access to sites you trust.  This should be entirely free and effective.

One of the key points to success is to make sure you develop processes so you can maintain these allow lists efficiently, and so it doesn’t slow down your day-to-day IT operations.  The up-front effort is to safely model the network flows of new systems that need public Internet access prior to deploying a system.  Also, plan for your system updates and patching needs.  Solutions like SCCM for Microsoft systems and Red Hat Satellite for Linux can have you covered and allow you to keep your systems from talking directly to the internet.

 

Do this before you buy a new tool

The impact of the Solar Winds hack is wide ranging and will create an enormous amount of cleanup for many organizations.  One of the best defense-in-depth solutions to this problem has been around for decades.  Take a hard look at this approach before committing to new products and technologies.  “Never let a good crisis go to waste” is a common mantra in the security world, so this time around, maybe we should all be looking for an extra network security resource to run this process rather than a tool that will let you down.

 

Mike Pinch
CISM, CISA, CGEIT, PMP Interim CISO, Former CTO | Archive

Mike joined Security Risk Advisors in 2018 after serving 6 years as the Chief Information Security Officer at the University of Rochester Medical Center. Mike is nationally recognized as a leader in the field of cybersecurity, has spoken at conferences including HITRUST, H-ISAC, RSS, and has contributed to national standards for health care and public health sector cybersecurity frameworks.

Mike has built and operated enterprise public cloud environments for over a decade, with primary focus on AWS and Azure environments. He frequently advises clients in helping to adapt their cybersecurity programs to the new challenges that cloud adoption creates.

Mike focuses on security architecture and strategy, Zero Trust design, cloud security, emerging technologies, and electronic medical record protection programs.