In this webinar we explain why the SolarWinds attack is different from all known scenarios and how to protect your company or manufacturing site from it. Act fast, be aware!

1. SolarWinds supply chain attack: why we should take
it seriously
Analysis, discussion and mitigation
By Patrick Coomans (Agoria, Sirris) and Tatiana Galibus (Sirris)

2. How to categorize this type of attack
2© sirris | www.sirris.be | info@sirris.be | 15/01/2021
Known knowns
Known Unknowns
Unknown
Unknowns

3. The story of SunBurst: global intrusion campaign
▪ When? we can trace up to October
2019-June 2020, detected in
December.
▪ How? SolarWinds, Orion IT
management software, normal
update
▪ Who is affected? 18 000
companies affected, government,
consulting, technology, telecom
and extractive entities in North
America, Europe, Asia and the
Middle East.
▪ …and Belgium too
▪ What can it do? Surveillance and
execute random code

4. 3 key takeaways
➢Is it possible to keep track of new
attack types?
➢How to provide supply chain
security?
➢Why it is crucial to keep the logs and
info for a long time?

5. How does it work?
▪ Source code was modified and the style
was mimicked
▪ SUNSPOT is used to insert the
SUNBURST backdoor into the Orion
build through hijacking
MsBuild.exe process.
▪ Target source code is modified before it
has been read by the compiler.
▪ Hides by obfuscation
▪ SolarWinds.Orion.Core.BusinessLayer.dll
is a malware base
▪ DNS beaconing to Command and
Control

6. Analyzing SunBurst kill chain

7. How to detect it? FireEye recommendations
❖ Yara rules to detect TEARDROP
❖ querying internet-wide scan data
sources for an organization’s
hostnames
❖ impossible rate of travel if a
compromised account is being used
❖ LogonTracker module to graph all
logon activity
❖ monitor existing scheduled tasks for
temporary updates
Stellar particle

8. Official recommendations:
https://www.solarwinds.com/securityadvisory
➢ Versions affected:
Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2, version 2020.2.5300.12432
Orion Platform 2020.2 HF1, version 2020.2.5300.12432
➢ Incidents with abuse of Security Assertion Markup Language (SAML)
tokens consistent with attack and no SolarWinds instances. Follow-up
the updates!
➢ If SAML abuse is identified, simply mitigating individual issues,
systems, servers, accounts will not lead to the adversary’s removal
from the network. In such cases, organizations should consider the
entire identity trust store as compromised.

9. Tools to identify infiltration: https://us-cert.cisa.gov/ncas/alerts/aa20-352a
• Sparrow.ps1 to help detect possible compromised accounts and applications
in the Azure/M365 environment. Sparrow focuses on the identity- and
authentication-based attacks
https://github.com/cisagov/Sparrow.
• Impossible logins, Long SAML token validity, same creation and use
timestamp, tokens with missing MFA details
• Check the public list of Indicators of compromise (malicious domain, IPv4 or
hash)

10. Immediate mitigations
▪ utilize Orion Platform release 2020.2.1 HF 1
▪ Ensure that SolarWinds servers are isolated / contained
▪ If SolarWinds infrastructure is not isolated, restrict scope of
connectivity and admin accounts, block outcoming traffic for
endpoints with SolarWinds software.
▪ Consider (at a minimum) changing passwords for accounts that
have access to SolarWinds servers / infrastructure.
▪ Consider a review of network configurations if Orion
management software was used.
▪ Review federation trusts & OAuth application & service principal
credentials: https://msrc-
blog.microsoft.com/2020/12/13/customer-guidance-on-
recent-nation-state-cyber-attacks/

11. Lessons learnt
▪ Diligently performing updates
improves security? Not always!
▪ The most high-profile victim
is the US government: no one
is protected from highly
sophisticated attack
▪ One of the biggest ever cyber-
attacks: removing is highly
complex and challenging
▪ Be aware, stay informed, keep
the logs

12. TIPS: ASSUME BREACHED – prepare response
12© sirris | www.sirris.be | info@sirris.be | 15/01/2021
1. Asset inventory
• You cannot protect what you don’t know: understand the
attack surface, your keys to the kingdom
• Data, Applications, Devices
• Know what was installed, used, or connected to your network
and when: keep a trace

13. TIPS: ASSUME BREACHED – prepare response
13© sirris | www.sirris.be | info@sirris.be | 15/01/2021
2. Logging
• You can never have enough logging
• Store logs securely, retain them as long as possible, up to 18
months if you can
• DNS, DHCP, firewalls, routers, WiFi, application servers,
access points, authentication logs, EDR logs, …
• Make sure NOT to log passwords, identities, PII in clear text!!

14. TIPS: ASSUME BREACHED – prepare response
14© sirris | www.sirris.be | info@sirris.be | 15/01/2021
3. File integrity monitoring
• For servers, containers, …
• Track changes to critical configuration files, scheduled tasks,
scripts

15. TIPS: ASSUME BREACHED – prepare response
15© sirris | www.sirris.be | info@sirris.be | 15/01/2021
4. Network flow
• Keep traffic metadata (netflow)
(check Elastic Stack, Zeek.org, or commercial software)
• Full packet capture for critical applications / cases
(check Arkime, Wireshark, …)

16. TIPS: ASSUME BREACHED – prepare response
16© sirris | www.sirris.be | info@sirris.be | 15/01/2021
5. Keep spam & phishing filter content
• Best: archive ALL e-mail
• Good: archive all suspicious, filtered or flagged mail,
including mails that have been released by users

17. PREVENTIVE MEASURES
17© sirris | www.sirris.be | info@sirris.be | 15/01/2021
1. Know and reduce your attack surface area
• Know what is on your network
(Asset inventory, internal vulnerability scanning, …)
• Know what is exposed publicly
(External scanning, e.g. Sweepatic)
• Remove or disable unused or unnecessary applications,
services or data
• Archive or remove data that is not longer needed
• Leave deception beacons lingering around

18. PREVENTIVE MEASURES
18© sirris | www.sirris.be | info@sirris.be | 15/01/2021
2. Network Detection and Response
• Egress traffic filtering
• Understand your traffic, identify top talkers, identify
anomalies in traffic patterns
• Deploy deception technology, honeypots

19. PREVENTIVE MEASURES
19© sirris | www.sirris.be | info@sirris.be | 15/01/2021
3. Strict patching and endpoint protection
• Active exploitation of 0-day vulnerabilities often starts within
4-8 hours, so immediately patch high-risk vulnerabilities
• Deploy decent enterprise-grade EDR software on all
endpoints
• Decommission what can’t be patched (out of support)

20. PREVENTIVE MEASURES
20© sirris | www.sirris.be | info@sirris.be | 15/01/2021
4. Segmentation
• Segment off critical assets, old assets, endpoints, IoT
devices, …
• Use a zero-trust security architecture

21. PREVENTIVE MEASURES
21© sirris | www.sirris.be | info@sirris.be | 15/01/2021
5. Authentication & Authorization
• Least privilege where possible
• MFA for at least all key staff, people with elevated privileges

22. How Sirris/Agoria can help you?
Contact us for a free 1hr intake
Opt for a collective workshop to
strengthen solid foundations.
Choose 1 or 2-day orienting advise in
order to take advantage of our expertise
combining both manufacturing and IT
technology
Are you protected or dangerously
exposed?

23. Roadmap to cyber security
Free 1hr
intake
Collective
initiatives
Master
class
Learning
network
Orienting
advise
Maturity
level
Security
scan
Action
plan

24. Upcoming events: Sirris+Agoria
▪ Master Class Cyber Security in 30 Steps Jan, 20th, 2021
▪ Internal IT Security, Basic Cyber Resilience, Cyber Hygiene
▪ Kick-off 20/01, then 3 sessions on 27/01, 10/02 and 10/03.
▪ Master Class Security for Digital Service Builders Jan, 26th and Feb, 2nd 2021
▪ DevSecOps, AppSec, OWASP, security pipeline
▪ 2 half-days, 8:30-12:00
▪ Learning Network Security in Manufacturing Q2 2021
▪ Demand-driven topics: anomalities in OT, changing perception of security as cost
▪ Webinar: Trusted Mobile Apps Feb 2021
▪ Webinar: OT security in Manufacturing Feb 2021
▪ Webinar: Cyber security in digital services, March 2021
▪ Thematic Event: CS meets Manufacturing Q1,2021

25. Feedback & Questions
THANK YOU!