Sophos Solarwinds

Posted on  by admin

Sophos CEO Kris Hagerman said the SolarWinds hack underscores the need for partners and customers to think beyond internal security and consider supply chain risk.

The more than 250 federal agencies and businesses who had their networks accessed because of the SolarWinds attack didn’t have their own security estates used as the attack vector, Hagerman said. Instead, Hagerman said the SolarWinds hackers came in through the doors of other vendors, whether it be cloud vendors or IT systems management vendors.

“You cannot think about your security only in the context of, ‘How well am I secured?’” Hagerman said during an interview at Best of Breed (BoB) Winter 2021, hosted by CRN parent The Channel Company. “You’ve got to go beyond that to say, ‘How well am I secured and how well am I securing everything that I connect to?’ I mean, it’s a daunting undertaking.”

[Related: Mimecast Breach Linked To SolarWinds Hack, Allowed Cloud Services Access]

So when, in the spring, a pop-up message hit the screens of IT staff using a popular piece of software called SolarWinds, around 18,000 workers in companies and governments diligently downloaded. It doesn't seem to have any integration between this two. I could not figure out how to push the logs from Sophos Cloud to SolarWinds SEM. I do find SolarWinds SEM have Sophos Cloud Connector but I believe the connector are getting logs from SEM agent install on the machine and it is not getting logs from the Sophos Cloud console itself. This post describes the steps to set up the Sophos Central Deployment Automation Policy for Solarwinds N-Central (Windows Only). Note: If you need assistance with plugin implementation, please contact [email protected] for support. The SolarWinds Academy offers education resources to learn more about your product. The curriculum provides a comprehensive understanding of our portfolio of products through virtual classrooms, eLearning videos, and professional certification.

The SolarWinds hack will force every single channel partner to be security aware and security literate regardless of if they actually sell cybersecurity products or not, Hagerman said. As more information has emerged, Hagerman said it’s become clear that the attackers not only used vendors like SolarWinds but also compromised Microsoft resellers and leveraged them as a vector to attack their customers.

As a result, Hagerman said the SolarWinds hackers were able to move laterally from corporate environments to cloud environment and back again without facing much resistance.

“This SolarWinds incident is probably one of the most dramatic and impactful security incidents of the past decade,” Hagerman said. “And it has all sorts of pretty important implications for companies of all sizes, and in particular for the channel.”

SophosSophos solarwinds orion

Demand for Towerwall’s application penetration testing has soared since the SolarWinds attack became public, with very large organizations wanting to ensure their developers are coding according to the Software Development Life Cycle (SDLC) plan, according to Michelle Drolet, co-founder and CEO of the Framingham, Mass.-based solution provider.

Towerwall also looks at all the roles inside an application to ensure that users aren’t able to switch roles with one another or escalate privileges, and can put together an actionable plan for developers to do remediation, Drolet said. By looking at the IP an application is sitting on and doing penetration tests, clients can move beyond certifications and verify the security of a third-party application themselves.

Sophos Solarwinds Orion

“Vendor risk management has become a big part of any cybersecurity program, and it’ll continue,” Drolet said. “We don’t need to boil the ocean, but if we do things thoughtfully and according to the risk tolerance of a specific organization, we will have success keeping the bad guys at bay.”

Hagerman said the SolarWinds breach has also put boards of directors on high alert, with pretty much every responsible board asking within 48 hours of the hack going public Dec. 13 if they could have been similarly compromised. Companies of all sizes need to have a good answer to that, so Hagerman said they’re turning to channel partners for visibility into potential attack vectors.

“Whether they are SMBS of 50, 100, 200 employees or enterprise organizations of 500,000 employees, those organizations face the same kinds of threats,” Hagerman said. “The channel is going to have to help them figure out how to protect themselves against those threats efficiently.”

Hagerman compared the SolarWinds attack to somebody robbing a home by tunneling under the house, waiting for the homeowner to go on vacation, and then drilling holes up underneath the house. While partners should ensure they can detect and are protected against those kinds of sophisticated attacks, Hagerman recommended that solution providers first ensure they’re getting the basics right.

“Before you worry about people tunneling under your house, make sure you lock your front door and your back door,” Hagerman said. “Make sure all your windows are locked. Make sure that you’ve got lights turned on at night on your front porch and your back porch. Make sure that you’ve got a security camera set up. Make sure you’ve got some motion detectors.”

Once partners have a well-organized home operation, Hagerman said they should then turn their attention to preventing, detecting and responding to more sophisticated attacks, ideally in an automated fashion. Customers often need help managing and monitoring their endpoints, as well as determining how to best respond in real time to an active attack, according to Hagerman.

“Once an attack like this occurs, it’s effectively a race,” Hagerman said. “It’s a race between the bad guys who were moving laterally and everywhere they can in the network to find sensitive information and then get it out of there. And it’s a race for the good guys to identity where they are, detect it, and ensure that they kick them out and protect the data.”

Clients need a broad and deep approach to security that goes beyond firewalls and endpoint protection to thwart sophisticated threat actors, said Douglas Grosfield, president and CEO of Kitchener, Ontario-based Five Nines IT Solutions. A comprehensive security strategy must include data leakage protection, segregating networks and limiting the scope and scale of what systems have access to, Grosfield said.

The SolarWinds attack has also made customers hyper-aware of what can go wrong for their business from a security standpoint, Grosfield said. As a result, Grosfield said there’s an opportunity for solution providers to have a deeper conversation around internal security practices, supply chain risk and security awareness training that gives employees a better sense of what the threat landscape looks like.

“Customers are thinking about third-party security,” Grosfield said. “We’ve all learned some lessons from SolarWinds, and it’s proof positive that security is about more than minding your own Ps and Qs.”

Sophos Solarwinds Orion

** We will continue to update this article with additional information as it becomes available. Check back here and GitHubregularly for further updates. ** 

Last updated 2020-12-15T12:18Z – view the changelog below

For security teams who have SolarWinds in their environment looking to initiate incident response, we’re providing thefollowing playbook,based upon our initial understanding of the threat,as an aid to help you investigateany potential attack.The information presented may not be complete or eliminate all threats, but we expect will be effective based on our experience. As more information becomes available about the threat, recommended steps may changeor be updated.

This response process may need to be customized for your environment and is based upon the following assumptions:

  1. Ability to establish when the vulnerable component was introduced into the environment and log coverage for that period.
  2. Assume adversaryhad access to all accounts and credentials utilized by SolarWinds Orion server and the capability to assume the identity of any administrative or related accounts.
  3. Assume adversaryhad the capability and network access to maintain a C2 channel to SolarWinds Orion server.
  4. Ability to determine that no accounts used by SolarWinds, nor accounts used to access the SolarWinds Orion server had full domain administrative rights.
  5. Ability to determine that no active malicious activity occurred relating to the vulnerable component based upon currently available IOCs and detections.

If you find evidence of malicious activity or if you are not able to arrive at some of the baseline conclusions described here,Sophos recommends initiatingyour full incident response procedures or reaching out for external assistance.

Hunt for impacted SolarWindsinstances

Endpointqueries

Sophos EDR/Osquery:Detection queries

Sophos Intercept X:

Sophos Application Control detects all versions of SolarWinds Orion as “SolarWinds MSP Agent”. Application Control is an optional setting – read the Help Guide for instructions on how to enable it, and add SolarWinds to the list of apps you want to block.

Labs detections: List of detections and IOCs

Manual (example):

PS C:Windowssystem32> Get-FileHash C:OrionSolarwinds.Orion.Core.Businesslayer.dll Format-List

Algorithm: SHA256

Hash: CE77D116A074DAB7A22A0FD4F2C1AB475F16EEC42E1DED3C0B0AA8211FE858D6

Path: C:OrionSolarwinds.Orion.Core.Businesslayer.dll

Networkqueries

SolarWinds can be detected via network monitoring by looking forcall-homes made by its updating service. The following Zeek IDS searches may also help: SIEM Searches.

Solarwinds

Note:You may only see outbound connection from your main SolarWinds instance not pollers.

Identify malicious SolarWinds components

Endpoint indicators

Warning: check your configuration for exclusions. Seehttps://twitter.com/ffforward/status/1338785034375999491

Sophos Intercept X / Central Endpoint Protection:

SophosLabs contains both detections for the malicious component and the additional signature that indicate active exploitation. Sophos has also blocked all associated IP and domain indicators for its customers. See GitHubfor detection names.

Sophos EDR/OSquery: Detection queries

Network indicators

Sophos has also blocked all associated IP and domain indicators for its XG andSG customers. If you have additional network telemetry the following searches may also be of use: SIEM Searches

Note: The attacks communicate toC2 via TLS so a file hash hit is unlikely unless you intercept TLS.

Prepare for forensics

If possible, snapshot all affected hosts with impacted versions of Orion installed.

Ensure that snapshotting processes also capture memory.

  • VMware: https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.html.hostclient.doc/GUID-A0D8E8E7-629B-466D-A50C-38705ACA7613.html
  • Hyper-V: https://support.citrix.com/article/CTX126393

A lightweight forensic acquisition can also be performed using the “Forensic snapshot” feature of Sophos EDR.

Scope potentially compromised accounts

Potentially impactedaccounts are:

Solarwinds
  1. All accounts SolarWinds used for network monitoring, this includes Windows local accounts, domain accounts, SNMP, SSH, etc.
  2. All other accounts used on the affected SolarWinds Orion Servers. These include all administrative logins (e.g. EventCode 4624) to the server and any local or service accounts. (e.g local SQL database account.)

The following table can be used to document all potentially impacted accounts:

UsernameDescProtocolDomainDomain AdminServer admin/rootScopeNotes
(fully-qualified username/UPN)Brief overview of what it’s used byWindows/KRB/NTLM SNMP SSH etc(y/n)(y/n)What hosts this is applicable to

Identify high-value attack paths for potentially compromised accounts

For all potentially compromised accounts listed above,identifyother high-value systems (e.g. domain controllers, Active Directory Federation Services, and Azure Active Directory Connect servers) to which they had access.

  1. Evaluate local system authentication logs for anomalous activity from compromised accounts.
  2. Bloodhound can also be used to map out access of any potentially impacted accounts.

If servers or accounts involved in federated authentication (e.g. ADFS servers) were potentially impacted, refer to Microsoft’s customer guidanceand develop an appropriate additional containment strategy.

Containmentand eradication

Solarwinds

Warning: these steps assume a desire to preserve the environment for further forensic investigation and may have an impact on production environments.

  1. Isolate all SolarWindsOrion instances from the network:
    1. Instant isolation can be performed at the host level using such controls as Sophos EDR via Sophos Central.
    2. Host-based isolation should be backed up by networkbased isolation. Systems should be migrated to an isolated non-routable VLAN with console access only (migrating to a VLAN helps preserve network state for future forensics).
  2. Perform credential reset or disable and recreate all potentially impacted accounts:
    1. Important:Ensure that no fresh or reset accounts areused to access any compromised infrastructure.
  3. Rebuild fresh monitoring servers from known-good sources ready for release of Orion platform version 2020.2.1 HF 2, which is planned for release on Tuesday, December 15, 2020.
  4. Consider taking forensic snapshots and rebuilding additional exposed hosts, including:
    1. Any hosts running the SolarWinds agent.
    2. Any hosts for which potentially compromised accounts had access rights.

Changelog

2020-12-15T12:18Z Added warning about checking your configurations for exclusions