Mitigating Supply Chain Attacks

by Brian Petzold | Dec 30, 2020

The worst fears of security experts became reality recently when threat actors hid malware inside legitimate updates of the SolarWinds Orion network monitoring software. When the malware executed, it reached out to an Internet domain controlled by the attackers. If the attackers judged the compromised company to be a worthwhile target, they responded in a way that triggered the malware to download and install additional malware, opening a gateway for the attackers to establish a presence inside the target's network.

Because the SolarWinds software was "trusted" (the malicious update was signed with SolarWinds' own code-signing certificate and delivered through the normal update channel), security tools did not detect the malware. Once the attackers gained internal network access (often at the administrator level, because that is how the software had been installed), they could launch other, more damaging attacks.

Security experts have long feared this type of attack because software that is already trusted bypasses most perimeter and endpoint controls, and busy IT departments around the world do not always take the time to implement the compensating controls that would limit the damage.

While SolarWinds was the carrier this time, many other types of software implemented within companies could just as easily contain compromised code. In this article, we look at some of the controls that IT departments within financial institutions must adopt if they want to blunt supply chain attacks. The controls are:

  • Control 1 - Block Internet Egress: Firewalls are customarily configured to block unsolicited inbound traffic. They are not always configured to block traffic leaving an institution's network, but they should be. There is no reason a server needs unrestricted outbound access to the Internet. If updating a server requires access to specific sites, those sites (and only the ports they need) should be the only destinations allowed, with everything else denied and logged. Institutions that implemented egress filtering for their SolarWinds servers stopped the malware from reaching the attackers' infrastructure. One caveat: the first-stage SolarWinds beacon was a DNS lookup, so servers should resolve names only through internal resolvers whose queries are logged, and direct outbound DNS should be blocked; even then the lookup may reach the attacker through a forwarding resolver, which is why blocking the second-stage HTTPS channel matters and why resolver logs belong in any later hunt.

  • Control 2 – Least Privilege Access: When software is installed on a server or workstation, it should be given the least privileges it needs to run. Wherever possible, software should not be given administrative privileges on a system or in a domain, because any malware included in an update inherits those privileges. SolarWinds recommended not installing their software with administrative privileges, but some organizations did not follow that advice, and the attackers were able to reach any system on the network quickly as a result. Had the software been installed with minimal privileges, the attackers would at least have been slowed. The same rule applies to the credentials monitoring software is given to poll other devices: use read-only accounts and scoped service accounts rather than domain administrator credentials.

  • Control 3 – Log Retention: Trojanized SolarWinds updates were distributed starting in March 2020, and the compromise was not discovered until December. Once the attack was discovered, companies were instructed to search their firewall and DNS logs for activity that might indicate a compromise. Institutions that retained their logs for only 6 months or less faced the uncomfortable truth that they lacked the data for the months in which the malware would first have beaconed. Critical logs (firewall, DNS, proxy, authentication) should be retained for at least a year, and some regulations require them to be retained for at least 3 years.

  • Control 4 – SIEM: While many financial institutions have either an internal or outsourced SIEM (Security Information and Event Management) system, some do not. A SIEM makes the due diligence required to identify a successful attack far easier: the indicators published after an incident can be searched across every log source at once. Without a SIEM, combing through firewall and system logs for evidence that a supply chain attack occurred takes a long time. Institutions that have been holding off on purchasing a SIEM solution should seriously consider taking the plunge, as these types of attacks will likely become more common.
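The Python script below is an added example, not code from the original article, from SolarWinds or from any vendor. It runs the checks behind Controls 1, 3 and 4 over a handful of constructed egress log lines: it parses them, searches for connections to a known indicator domain (avsvmcloud.com is the publicly documented first-stage SUNBURST domain; the subdomain label in the sample is made up), reports which allowed flows a default-deny egress allowlist would have blocked, and shows how much of the exposure window a 180-day versus a 365-day retention policy would still cover on the day of the hunt. The log format, the internal addresses, the allowlist hosts and the exposure window dates are assumptions.

```python
"""Retrospective hunt over an egress firewall log (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real data.  Format is an assumption: one outbound
# flow per line, with the destination recorded by name where the firewall
# resolved it.  10.20.0.15 plays the role of the monitoring server.
SAMPLE_LOG = """\
2020-06-02T03:10:11Z src=10.20.0.15 dst=downloads.solarwinds.com port=443 action=allow
2020-06-02T03:12:57Z src=10.20.0.15 dst=k3h8w2.appsync-api.us-east-2.avsvmcloud.com port=53 action=allow
2020-06-16T03:13:02Z src=10.20.0.15 dst=203.0.113.44 port=443 action=allow
2020-06-16T09:00:00Z src=10.20.0.15 dst=time.windows.com port=123 action=allow
2020-11-03T11:45:19Z src=10.20.0.21 dst=update.example-vendor.com port=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"port=(?P<port>\d+) action=(?P<action>\w+)$"
)

# Exposure window (assumption, approximate): trojanized updates shipped from
# March 2020, public discovery in mid-December 2020.
WINDOW_START = datetime(2020, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 12, 13, tzinfo=timezone.utc)

# Publicly documented first-stage SUNBURST domain (matched with its subdomains).
INDICATOR_SUFFIXES = ("avsvmcloud.com",)

# Control 1: the only (host, port) pairs the monitoring server may reach.
# Hosts are assumptions for illustration.
EGRESS_ALLOWLIST = {
    ("downloads.solarwinds.com", 443),
    ("time.windows.com", 123),
}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    port: int
    action: str


def parse_log(text):
    """Parse log lines into Flow records; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        flows.append(Flow(ts, m["src"], m["dst"].lower(), int(m["port"]), m["action"]))
    return flows


def hunt(flows, suffixes=INDICATOR_SUFFIXES):
    """Controls 3 and 4: flows to an indicator domain or any subdomain of one."""
    return [f for f in flows
            if any(f.dst == s or f.dst.endswith("." + s) for s in suffixes)]


def egress_review(flows, allowlist=EGRESS_ALLOWLIST, server="10.20.0.15"):
    """Control 1: allowed flows from the server that a default-deny allowlist would have blocked."""
    return [f for f in flows
            if f.src == server and f.action == "allow"
            and (f.dst, f.port) not in allowlist]


def retained(flows, hunt_date, retention_days):
    """Control 3: what a rolling retention policy would still hold on hunt_date."""
    oldest_kept = hunt_date - timedelta(days=retention_days)
    return [f for f in flows if f.ts >= oldest_kept]


def retention_gap_days(window_start, window_end, hunt_date, retention_days):
    """Control 3: days of the exposure window already aged out of the logs by hunt_date."""
    oldest_kept = hunt_date - timedelta(days=retention_days)
    if oldest_kept <= window_start:
        return 0
    return (min(oldest_kept, window_end) - window_start).days


def report(text=SAMPLE_LOG, hunt_date=WINDOW_END):
    flows = parse_log(text)
    return {
        "indicator_hits": [f.dst for f in hunt(flows)],
        "would_be_blocked": [(f.dst, f.port) for f in egress_review(flows)],
        "days_lost_180d": retention_gap_days(WINDOW_START, WINDOW_END, hunt_date, 180),
        "days_lost_365d": retention_gap_days(WINDOW_START, WINDOW_END, hunt_date, 365),
        "hits_with_180d_retention": [f.dst for f in hunt(retained(flows, hunt_date, 180))],
        "hits_with_365d_retention": [f.dst for f in hunt(retained(flows, hunt_date, 365))],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two things the sample is built to show: the only indicator hit falls on 2020-06-02, two weeks before the 180-day retention horizon of a hunt run on 2020-12-13, so a six-month retention policy would have erased the one line that mattered while a one-year policy keeps it; and the same beacon line, together with the direct connection to an unlisted address, is exactly what the Control 1 allowlist would have denied in the first place.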

If your institution needs assistance in implementing control sets to protect against supply chain or any other types of threats, or if you have general questions about how the SolarWinds breach may have impacted your institution, shoot us an email at support@bedelsecurity.com.
