Flash Report: CISA Issues Emergency Directive to Mitigate SolarWinds Orion Code Compromise

On December 13, 2020, the Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive detailing required action for federal agencies to mitigate the threat of the recently discovered compromise involving SolarWinds® Orion® Network Management products that are currently being exploited by malicious actors. (Read the SolarWinds Security Advisory here.) Given the nature of the threat and its potential impact on many industries outside of federal agencies and the public sector, organizations should take proactive steps to determine if this software revision is in use within their environment, and also evaluate their incident response function to ensure an appropriate level of vigilance.

The goal of an attacker attempting to capitalize on this code compromise is to gain initial access to an organization’s systems and maintain that unauthorized access despite typical interruptions to that initial foothold, like changes to access credentials and system restarts.

As more information is released, including patch fixes by SolarWinds, organizations with the SolarWinds Orion platform should consider proactive steps to reduce their exposure to this event:

  • Patch – SolarWinds has released a Hotfix for this code compromise, with another expected on 12/15/2020. Organizations should continue to monitor guidance from SolarWinds as it releases more information.
  • Detection Opportunity – Indicators of Compromise (IOCs) have been released, as there are reports of active campaigns targeting private and public organizations. Organizations should use these IOCs to update their antivirus and endpoint detection and response (EDR) tooling and scan their assets for anomalies that match the behavior of this exploit. In addition, with the known IP addresses being used for this attack, organizations can block assets from communicating with domains behind these IP addresses.
  • Tabletop Analysis – For organizations seeking additional guidance, the MITRE ATT&CK knowledge base lays out a good approach to examine the lifecycle, tools and techniques associated with these types of exploits. Incident management teams should use the MITRE ATT&CK framework to understand the level of protection their organization has at the various stages of this attack. This is a useful exercise to uncover blind spots that may need to be addressed. For example, the organization may not have a system or tool to detect lateral movement, which is a technique an attacker would use to move through an organization’s environment after initial access via this code compromise.
  • Identity and Access Management Review – An attacker exploiting this vulnerability is trying to gain initial access, evade detection and move laterally to identify a target or payload of interest. An attacker’s ability to accomplish this goal or to dwell in an environment undetected is critically impacted by the strength of the organization’s identity and access management (IAM). Elements like privileged access management (PAM), identity federation, session management, service account management, and other core disciplines within an IAM program all play a crucial role in defending the organization against these events. This is a good time to evaluate the organization’s IAM program and ensure adequate defense in depth against this and similar attack vectors.
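The "Detection Opportunity" step above describes sweeping assets against published IOCs and deriving a block list from the attacker IP addresses. The following is an added example of how an incident response team might script that sweep; it is not part of the original flash report and not Protiviti's or SolarWinds' code. Every indicator (IPs, network, domains, hash) and every log line is a constructed placeholder in reserved documentation ranges; the real indicators come from the SolarWinds and CISA advisories and would replace the placeholder sets. The log format ("timestamp source destination domain [sha256]") is likewise an assumption chosen for the example.

```python
"""IOC sweep over proxy/DNS-style log lines (added example, constructed data).

Indicators and log lines below are placeholders, not real campaign IOCs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder indicator sets (constructed). Replace with advisory-published IOCs.
IOC_IPS = {"203.0.113.10", "198.51.100.25"}            # TEST-NET addresses
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # TEST-NET range
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
IOC_SHA256 = {"a" * 64}                                 # placeholder file hash

# Assumed log layout: "<ts> <src-ip> <dst-ip> <domain> [<sha256>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<domain>\S+)"
    r"(?:\s+(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)

# Constructed sample log lines; lines 1, 3 and 5 should match, 2 and 4 should not.
SAMPLE_LOGS = [
    "2020-12-14T08:01:02Z 10.0.0.5 203.0.113.10 c2-placeholder.example",
    "2020-12-14T08:01:05Z 10.0.0.5 93.184.216.34 example.com",
    "2020-12-14T08:02:10Z 10.0.0.7 192.0.2.77 beacon.update-placeholder.example",
    "2020-12-14T08:03:00Z 10.0.0.9 10.0.0.1 intranet.local",
    "2020-12-14T08:04:30Z 10.0.0.9 10.0.0.1 fileserver.local " + "a" * 64,
]


@dataclass
class Match:
    line: str
    src: str
    dst: str
    reasons: list  # which indicator(s) fired, e.g. "ip:...", "net:...", "domain:...", "sha256:..."


def parse_line(line):
    """Return the parsed fields, or None for lines that do not fit the assumed layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ip_reasons(ip_text):
    """Exact IP hits plus CIDR-range hits; non-IP text yields no reasons."""
    reasons = []
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return reasons
    if ip_text in IOC_IPS:
        reasons.append(f"ip:{ip_text}")
    reasons.extend(f"net:{net}" for net in IOC_NETWORKS if ip in net)
    return reasons


def domain_reasons(domain):
    """Match the domain itself or any subdomain of an indicator domain."""
    d = domain.lower().rstrip(".")
    return [f"domain:{ioc}" for ioc in sorted(IOC_DOMAINS)
            if d == ioc or d.endswith("." + ioc)]


def hash_reasons(sha256):
    return [f"sha256:{sha256.lower()}"] if sha256 and sha256.lower() in IOC_SHA256 else []


def scan_logs(lines):
    """Return one Match per log line that hits at least one indicator."""
    matches = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # an unparseable line should not abort the whole sweep
        reasons = (ip_reasons(rec["dst"]) + domain_reasons(rec["domain"])
                   + hash_reasons(rec["sha256"]))
        if reasons:
            matches.append(Match(line, rec["src"], rec["dst"], reasons))
    return matches


def blocklist(matches):
    """Destination IPs worth blocking: only those that fired on a network indicator."""
    return sorted({m.dst for m in matches
                   if any(r.startswith(("ip:", "net:")) for r in m.reasons)})


def affected_hosts(matches):
    """Internal sources that touched any indicator, for triage prioritisation."""
    return sorted({m.src for m in matches})


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(h.src, "->", h.dst, h.reasons)
    print("block:", blocklist(hits))
    print("triage:", affected_hosts(hits))
```

The block list is derived only from lines that matched an IP or network indicator, so a host that merely holds a file with a matching hash does not end up with an internal address on the perimeter deny list; that host instead appears in the triage list.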

Protiviti can assist companies with preparing for and responding to the evolving threats posed by ransomware and other cyberattacks. Contact Protiviti’s Incident Response Team at IR@protiviti.com for technical, crisis management and investigative support.

This flash report is also available on protiviti.com


Curt Dalton

Managing Director
Security and Privacy
