On Jan 6th, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Emergency Directive 21-01 with supplemental guidance and activity alerts on the SolarWinds Orion Compromise.
Read the update here: https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3. While the guidance is intended for federal agencies, any organization tasked with protecting against vulnerabilities will find the recommendations informative and applicable.
As the ramifications of this dangerous event continue to evolve, our team is vigilantly monitoring the situation and collaborating with industry experts as well as customers on impact and guidance.
What We Know to Date
- GreenPages does not use or rely upon SolarWinds in our Managed Services offerings, but we realize that some of our customers do own and operate SolarWinds within their environments.
- GreenPages is in contact with our platform partners and we do not believe our partners are directly impacted by the SolarWinds hack or similar supply chain hacks.
- GreenPages is also aware that the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies are actively monitoring for additional attack vectors which may exist in environments without SolarWinds, including SAML token abuse to impersonate authorized users.
- This information is fluid and we are continuing to monitor information.
What We Recommend and What We’re Doing to Help Clients
- We highly recommend that any organization running SolarWinds products or integrating with SolarWinds products follow CISA’s and Homeland Defense recommendations to address potential exposure and related hacks. https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3
- CISA has released a scanning tool which can be used to detect potentially suspicious activity. GreenPages is familiar with the tool and can run it for our customers or coach others through the intricacies. The CISA tool is available here: https://github.com/cisagov/Sparrow
- We also recommend that all organizations, whether they run SolarWinds products or not, take this threat seriously and enact practical steps to tighten their security posture. The following recommendations are a great place to start:
  - Cloud Security - This is evolving on a regular basis and you need to keep on top of it. The most powerful security and management capabilities available today are coming from cloud services, but they must be enabled to be effective.
  - Managed Detection & Response (MDR), Security Information and Event Management (SIEM), and Security Operations Center (SOC) services provide 24x7 monitoring, evidence collection, threat detection, and remediation, enabling organizations to track, trace, and limit nefarious activity.
  - Principle of Least Privilege - Securing privileged access should be the top security priority at every company.
  - Clean up and lock down Active Directory. Remove unused IDs and apply the principle of least privilege, especially for elevated credentials.
  - Strong Passphrases, not Passwords. Passphrases combining several words together (minimum of 14 characters) are stronger than shorter passwords.
  - Single sign-on (SSO) and passphrase vault software make it easier for end users to use these long, complex passphrases without forgetting them.
  - Accounts with elevated privileges should not be able to access the internet. Admins browsing the internet can bring malicious software into the environment, directly onto servers, and with elevated access, which is very dangerous.
  - Enable multi-factor authentication (MFA) for everyone and everything that you can, including Internet and SaaS applications and all external services. Brute-force and targeted "guessing" attacks are made much less likely by MFA.
  - Asset Management - You need to know what you have in order to protect, monitor, and patch for vulnerabilities.
  - Vulnerability Management Program & Hardening - Once you have an inventory you can remediate vulnerabilities and harden your environment.
  - Layered security hardening and monitoring tools improve both prevention and anomaly detection.
  - Monitoring, Logging, Auditing, and Alerting - Think of ways to increase overall visibility and what is needed for forensics if you suspect a compromise.
  - EDR - Next-gen endpoint protection is a must in today's world.
  - Implement NGFW/WAF/Perimeter Controls - A traditional packet filtering or stateful firewall is not enough.
  - Security Awareness/Phishing/Social Engineering Training. End users are an extremely weak link in every organization and are common targets for attackers. Ensuring that end users know what to do and what not to do improves your defenses by limiting dangerous behaviors such as password sharing, unsafe browsing, and clicking email links (spear phishing).
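The Active Directory clean-up and least-privilege items above are easiest to act on with an inventory in hand. The following read-only audit script is an added example, not code from GreenPages, CISA or the Sparrow tool; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with rights to read user and group objects, and the 90-day inactivity threshold and the list of privileged groups are illustrative choices you should adapt to your environment.

```powershell
# Added example (not GreenPages' or CISA's code): read-only audit of stale and privileged
# Active Directory accounts. Assumes the RSAT ActiveDirectory module; thresholds are illustrative.
Import-Module ActiveDirectory

$InactiveDays = 90   # assumption: no logon in 90 days counts as "unused"
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# 1. Enabled user accounts with no logon since the cutoff: candidates for disable or removal.
$Stale = Search-ADAccount -AccountInactive -DateTime $Cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# 2. Membership of the built-in high-privilege groups, resolved recursively so that
#    nested groups do not hide members.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled,
                      LastLogonDate, PasswordNeverExpires, PasswordLastSet
}

# 3. Privileged accounts that need review: disabled but still a member, non-expiring
#    password, or no logon since the cutoff (an elevated account nobody is using).
$Findings = $Privileged | Where-Object {
    -not $_.Enabled -or
    $_.PasswordNeverExpires -or
    ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff)
}

"Stale enabled user accounts (no logon since $($Cutoff.ToShortDateString())): $(@($Stale).Count)"
$Stale | Format-Table -AutoSize

"Privileged group members needing review: $(@($Findings).Count)"
$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

The script only reports; disabling or removing accounts is deliberately left to a separate, reviewed change so that the inventory can be checked against service owners first. Run it from a dedicated administrative workstation rather than an internet-facing admin session, in keeping with the recommendation above that elevated accounts stay off the internet.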
Ways to Engage with GreenPages for Help
- We can assist and coach customers through enacting the practical steps outlined above.
- We can run or guide customers in running the CISA suspicious activity detection tool indicated above.
- In addition to the CISA suspicious activity detection tool mentioned above, we can use OpsRamp, Tenable, and GreenPages’ own RECON tools to scan and analyze your networks.
- We offer comprehensive security assessment and planning services.
- We can review policies and posture and develop both tactical hardening plans and long-range strategies.
- We can provide Incident Response and Hardening services for concerned customers.
- We provide MDR and Managed SOC offerings (Security Operations for monitoring, alerting, and awareness, and incident response); two of our top partners include Arctic Wolf and NetEnrich—both leaders in the field.
Prescriptive Technical Guidance & Additional Resources
- January 5th Joint Statement from the FBI, CISA, ODNI (Office of the Director of National Intelligence) and the NSA: https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
- Industry commentary of recent Microsoft statement: https://www.infosecurity-magazine.com/news/microsoft-solarwinds-attackers/
- Jan 5th coverage of statements made by the Office of the Director of National Intelligence: https://www.reuters.com/article/us-global-cyber/u-s-intelligence-agencies-say-russia-likely-behind-hacking-of-government-agencies-idUSKBN29A2HG
- Steps outlined by SolarWinds to update or upgrade specific Orion Platform versions: https://www.solarwinds.com/securityadvisory
- Steps outlined by Microsoft for customers to protect themselves from recent nation-state cyberattacks: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
- CISA’s Emergency Directive—a comprehensive response to the SolarWinds Orion Code Compromise: https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
- GreenPages’ Blog with additional steps you can take right away to strengthen your overall security posture, such as hardening your passwords, turning off unused systems, revoking domain administrator credentials, pen testing, etc.: https://www.greenpages.com/blog/december-security-breaches
If you have any questions regarding this Security Advisory or would like to speak with a GreenPages’ engineer, we’re standing by to provide you with any guidance you need. Just reach out to your TAM, your Account Executive or contact us here!