We are at the end of 2021, a time when you would expect to see security experts predicting security issues for the coming year. I prefer to go back to the security issues that we have been monitoring to ensure that we have learned all the necessary lessons from them.
SolarWinds Attack: Know Your Suppliers’ Security Posture
It has been literally a year since the attack on the SolarWinds software supply chain made headlines, and we are still trying to fully understand the potential of this type of attack. The attackers were stealthy and were discovered only because one of the companies involved, FireEye, had elite capabilities to monitor and detect intrusions.
In situations like this I wonder whether my company would have the tools and resources to know that such an attack was happening. I assume that not only would I not be aware of the intrusion, but many of you would also not have the resources to detect it. According to Microsoft, the attacker was able to “forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” This should make us think about the source of the software we install and whether we can trust our vendors and their security processes, let alone our own.
Lessons learned: Review your software vendors' security processes with them. Look for abnormal behavior, especially in highly privileged accounts. Alert when new federated trusts are created, or when credentials are added to applications or service principals that can perform actions such as Mail.Read or Mail.ReadWrite. You will also want to block known C2 endpoints at your network perimeter firewall.
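To make the identity-side checks in the lessons above concrete, here is an added detection example (not code from the original post, and not tied to any real product's log schema). It runs three rules over a handful of constructed audit events: a federation setting being changed, a credential being added to an application identity that already holds Mail.Read or Mail.ReadWrite, and a privileged account acting from an address outside its baseline. The event names, field names, account names and IP addresses are all invented for the example; a real deployment would map its directory's audit log fields onto these.

```python
"""Toy detection pass over constructed identity audit events.

Implements three checks from the "lessons learned" paragraph:
  1. a federated trust is created or its settings are changed,
  2. credentials are added to an app / service principal that holds
     mail permissions (Mail.Read or Mail.ReadWrite),
  3. a privileged account acts from an address outside its baseline.
Operation names and fields are a constructed, simplified schema, not a
real Azure AD or Microsoft 365 audit log format.
"""
from typing import Dict, List, Set

MAIL_PERMISSIONS: Set[str] = {"Mail.Read", "Mail.ReadWrite"}

# Constructed inventory: which permissions each application identity holds.
APP_PERMISSIONS: Dict[str, Set[str]] = {
    "app-backup-sync": {"Files.Read.All"},
    "app-mail-archiver": {"Mail.Read", "User.Read.All"},
}

# Constructed baseline: privileged accounts and their usual source addresses.
PRIVILEGED_BASELINE: Dict[str, Set[str]] = {
    "globaladmin@example.com": {"203.0.113.10"},
}

# Operation names are hypothetical; map your own log's activity names here.
FEDERATION_OPS = {"SetFederationSettings", "AddFederatedDomain"}
CREDENTIAL_OPS = {"AddServicePrincipalCredential", "AddApplicationCredential"}

# Constructed sample events (schema invented for this example).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2021-12-01T08:00:00Z", "op": "SignIn",
     "actor": "globaladmin@example.com", "ip": "203.0.113.10"},
    {"ts": "2021-12-01T09:12:00Z", "op": "SetFederationSettings",
     "actor": "globaladmin@example.com", "target": "example.com", "ip": "198.51.100.7"},
    {"ts": "2021-12-01T09:15:00Z", "op": "AddServicePrincipalCredential",
     "actor": "globaladmin@example.com", "target": "app-mail-archiver", "ip": "198.51.100.7"},
    {"ts": "2021-12-01T09:20:00Z", "op": "AddServicePrincipalCredential",
     "actor": "devops@example.com", "target": "app-backup-sync", "ip": "203.0.113.20"},
    {"ts": "2021-12-01T10:00:00Z", "op": "SignIn",
     "actor": "globaladmin@example.com", "ip": "198.51.100.7"},
]


def check_event(event: Dict) -> List[str]:
    """Return the names of every rule the event trips (empty if none)."""
    rules: List[str] = []
    op = event["op"]

    # Rule 1: any change to domain federation deserves a ticket, because a
    # rogue trust lets an attacker mint tokens the tenant will accept.
    if op in FEDERATION_OPS:
        rules.append("new-or-changed-federated-trust")

    # Rule 2: a fresh credential on an identity that can already read mail
    # is a quiet way to gain mailbox access without touching user accounts.
    if op in CREDENTIAL_OPS:
        granted = APP_PERMISSIONS.get(event.get("target", ""), set())
        if granted & MAIL_PERMISSIONS:
            rules.append("credential-added-to-mail-capable-app")

    # Rule 3: privileged accounts acting from an unfamiliar address.
    baseline = PRIVILEGED_BASELINE.get(event["actor"])
    if baseline is not None and event.get("ip") not in baseline:
        rules.append("privileged-account-from-unknown-ip")

    return rules


def scan(events: List[Dict]) -> List[Dict]:
    """Run check_event over a batch and return one finding per tripped rule."""
    findings: List[Dict] = []
    for event in events:
        for rule in check_event(event):
            findings.append({
                "ts": event["ts"],
                "rule": rule,
                "actor": event["actor"],
                "target": event.get("target", event.get("ip")),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The interesting part is rule 2: a credential being added is routine, so the rule only fires when the target identity's existing permission set intersects the mail permissions, which is what turns a noisy event into a meaningful one. Blocking known C2 endpoints, the last lesson, is a perimeter control and is not modelled here.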