Okay folks, let’s talk about SolarWinds.

For those not familiar with it, SolarWinds is a network management system (NMS). It’s probably the most ubiquitous NMS out there, so we shouldn’t jump to conclusions that FireEye and Treasury were both breached by a SolarWinds vuln. 1/
That would be an illusory correlation. If you’re jumping to that conclusion (or that FireEye and Treasury use a common MSP), at least be clear that you’re guessing.

It’s a lot like the DC Sniper case where we focused on white vans. SolarWinds (like white vans) is everywhere 2/
NMS are excellent targets. They have access to most (often all) systems on the network, so outbound IP ACLs are not a useful control. Netflow usually doesn’t help either since the NMS not only has access to everything, but it’s also talking A LOT. 3/
NMS are usually used to monitor network devices and critical servers. If you’ve ever seen a network map with devices shown as green/yellow/red, that was probably built by an NMS.

How does the NMS generate the map? Sometimes it’s as simple as a ping command. 4/
More often, the NMS uses SNMP (Simple Network Management Protocol) or an installed agent to learn the status of remote devices.

Now they’re called network MANAGEMENT systems for a reason: in addition to status, they can modify configuration, restart services, etc. 5/
Not all NMS are able to change anything, and those that can don’t always allow it for all systems on the network.

The bad news is that the most critical systems are also those most likely to have change access through NMS configured. This isn’t a failure in security modeling. 6/
Recall that security also includes availability (CIA triad). The more critical the system, the more likely it is that you want to ensure the availability of it.

NMS ensures availability by monitoring for things like services becoming unresponsive and restarting them. 7/
This all happens before an admin even notices the service had an issue.

Even when the NMS is in monitor-only mode, it can still be used to read configurations, which often include enough information for attackers to laterally move to those systems. 8/
So suppose you have a SolarWinds NMS installed. Should you pull it offline? Not at all.

What should you do? Check log retention and archive whatever you have. I expect we’ll see specific IOCs for SW within a few weeks. You want data for eventual threat hunting. 9/
Regardless of which NMS you use, you should absolutely lock down access to the admin interfaces using access control lists.

Consider monitoring and alerting on any attempted access to the admin interface as well. 10/
If you have East/West netflow, consider doing some analysis of NMS traffic and looking for outliers. That won’t be easy in most cases.
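As an added example (not code from the thread, SolarWinds, or any vendor), here is a small Python sketch of the two checks just described: alerting on admin-interface access from outside an allowlist, and flagging NMS-originated flows to destination/service pairs that never appeared in a baseline window, since the poller's sheer volume makes raw byte counts a poor signal. The NMS address, admin port, allowlist and flow records are all constructed for illustration.

```python
"""Added example (not from the thread): baseline-and-outlier check on NMS
flow records plus an allowlist check on access to the NMS admin interface.
All IPs, ports and flow records below are constructed for illustration."""
NMS_IP = "10.0.0.5"                 # assumed address of the NMS poller
ADMIN_PORTS = {443}                 # assumed admin-interface port (HTTPS)
ADMIN_ALLOWLIST = {"10.0.9.10", "10.0.9.11"}  # assumed hosts permitted to reach it

# Constructed flow records: src,dst,dst_port,proto,bytes (one record per line)
BASELINE = """\
10.0.0.5,10.0.1.1,161,udp,900
10.0.0.5,10.0.1.2,161,udp,880
10.0.0.5,10.0.2.20,22,tcp,4000
10.0.0.5,10.0.1.1,161,udp,910
10.0.9.10,10.0.0.5,443,tcp,52000
"""
OBSERVED = """\
10.0.0.5,10.0.1.1,161,udp,905
10.0.0.5,10.0.1.2,161,udp,890
10.0.0.5,10.0.5.50,445,tcp,1200000
10.0.0.5,10.0.2.20,22,tcp,4100
10.0.9.10,10.0.0.5,443,tcp,51000
172.16.40.7,10.0.0.5,443,tcp,1800
"""

def parse_flows(text):
    """Parse 'src,dst,dst_port,proto,bytes' lines into tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, proto, nbytes = line.split(",")
        flows.append((src, dst, int(port), proto, int(nbytes)))
    return flows

def nms_outliers(baseline, observed):
    """Return NMS-originated (dst, port, proto) tuples never seen in the baseline.
    The NMS talks to everything constantly, so volume alone is a weak signal;
    a *new* destination/service pair from the poller is the useful outlier."""
    known = {(d, p, pr) for s, d, p, pr, _ in baseline if s == NMS_IP}
    return sorted({(d, p, pr) for s, d, p, pr, _ in observed
                   if s == NMS_IP and (d, p, pr) not in known})

def admin_access_alerts(observed):
    """Return source IPs that reached the NMS admin port but are not allowlisted."""
    return sorted({s for s, d, p, pr, _ in observed
                   if d == NMS_IP and p in ADMIN_PORTS and s not in ADMIN_ALLOWLIST})

if __name__ == "__main__":
    base, obs = parse_flows(BASELINE), parse_flows(OBSERVED)
    print("new NMS destinations:", nms_outliers(base, obs))
    print("non-allowlisted admin access:", admin_access_alerts(obs))
```

In a real deployment the baseline would be built from days of collector output rather than a handful of lines, and each flagged pair would be triaged against change records before it becomes an alert.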

I’ll close by reiterating that hitting an NMS like SolarWinds often gives attackers keys to the kingdom. It’s like domain admin++. 11/
But that doesn’t mean you get rid of your NMS. You just need to threat model routes to target your NMS and monitor the heck out of those.

You should probably also revisit the systems managed by the NMS and model whether the juice is worth the squeeze (it usually is). 12/
However, in most orgs the NMS is configured by ops (who maximize availability) vs security (who usually maximize confidentiality). Do some threat modeling.

TL;DR - Don’t throw out the baby with the bathwater or you’ll likely be flapping in the (Solar)Wind... /FIN
This thread brought to you by Cypher, who was a good boi and let me type this on our night walk.
Okay, SolarWinds had a vuln.

That doesn’t change any of my recommendations. Regardless of which NMS you use, my recommendations stand. Threat model, log, and alert around your NMS. /FIN2
Okay, so everything I said about NMS stands. But since it's now apparent that there was a supply chain compromise, you should run (not walk) to start investigating your systems. It's unlikely this was used to compromise just a few networks. 13?/
But it also probably wasn't used to target every network where SolarWinds is installed. Attackers realized what a sensitive access this was. They know that every time they use it, they risk detection. I suspect they were very choosy about where to deploy. 14/
But if the attackers knew this access was coming to an end, they likely would stop being choosy about where to install beachhead access.

That's the big unknown for me. When did the attackers learn that they were losing access and what did they do? 15/
Many (most?) organizations slow roll their incident responses and telegraph an investigation. If that happened here, then it's possible that the attackers moved aggressively to use their soon-to-be-gone access to target lots of orgs. 16/
But even if attackers said "let's get all the beachhead access we can right now," that's just beachhead access. If attackers went full-bore, they won't have resources to work all those accesses yet. Use their resourcing issues to your advantage and hunt now. /FIN3?
