How to respond to SolarWinds type attacks


Companies using the recently attacked SolarWinds Orion monitoring products will already be reviewing their infrastructure and blocking network access to the domains used by the attackers. If you don't use SolarWinds software, this is still a good opportunity to review your own processes and determine whether any infected code or backdoors are present in your environment.

The guidance for mitigating the SolarWinds attack published by the US Cybersecurity and Infrastructure Security Agency (CISA) is a good example of the process required to identify and remove even sophisticated advanced persistent threats (APTs) run by state-backed attackers. If you can follow the steps in that guidance, you will be well positioned to respond appropriately to your own situation.

Forensic image generation

First, make sure that every suspected device on the network can be imaged forensically. Forensic imaging creates an exact copy (including unallocated space) of a server or workstation hard drive. AccessData's FTK Imager is one product that can make a forensically sound full copy of a system. Generate hash reports for both the original files and the disk image so you can prove you have an exact copy of the drive.

When imaging a physical hard drive to an external location, make sure the destination has enough capacity for the image. If you have a mix of cloud servers and virtual machines, make sure each system is imaged and the image is stored in a safe location. Normally, if a server is already on, it is imaged while running; if it is powered off, the image is taken offline. Where possible, image the system in its current state first and only then take it offline. After verifying that all forensic evidence has been preserved, power off the server and disconnect it from the network.

There is a debate over whether an attacked server should be taken offline. For example, in a ransomware attack the displayed message may demand that the system stay online so that, if you need to negotiate with the attacker, you can still communicate and exchange the necessary information. In the case of the SolarWinds incident, the mandatory action for all infected government systems was to take them offline so that they could not communicate with the command-and-control (C&C) server. Microsoft took the unusual step of installing a kill switch on the domains involved, intended to stop infected computers from reconnecting and infecting other computers by preventing the malware from spreading further. Do not rebuild with, or reintroduce, the compromised Orion software on the network.

Network traffic log review and analysis

Next, review the network traffic logs you have retained and check whether you have the resources to analyze them. In the case of SolarWinds, the backdoor appears to have been built in at least as early as March 2020, and you may not have kept log files that long. Consider whether you can retain weeks or months of logs, and consider transferring log files to offsite storage. Services such as Splunk can be used to review the logs and search for signs of a breach.

If you have access to Microsoft's Sentinel product, you can search its data for signs of compromise; Microsoft has published queries on GitHub that you can run to extract the relevant information. You must know the time zone of every log file and event log you retain. Only once you have reconciled the different time zones and time offsets can you correlate events across sources.

Enterprise security product audit

Review and audit all enterprise security products used on the network, and make sure each is kept up to date through its update process. Contact each vendor for information about its security process: does the vendor use two-factor authentication or other controls to keep its coding and development processes secure? Since attackers clearly understand the value of compromising the very software that monitors the network, it is important to ensure that the vendor's security process is as strong as possible.

Network analysis function review

Review the resources and expertise you have available to analyze the network, so that you fully understand the network traffic and the forensic information it generates. Review whether you have cyber insurance and which response resources it covers.

Limit Kerberoasting in the network

The CISA document recommends resetting passwords and restricting a technique called Kerberoasting on the network. Follow the steps below.

  • Understand the concept of Kerberoasting and use a long, complex password (25 characters or more is recommended) for every service principal account. Implement an appropriate rotation policy for these passwords.
  • Convert the user accounts used for services to group managed service accounts (gMSA), and verify that the conversion succeeded.
  • Configure service accounts to support AES256_CTS_HMAC_SHA1_96 and not DES, RC4, or AES 128-bit encryption. To do this, define the security policy setting 'Network Security: Configure encryption types allowed for Kerberos' and set the allowed encryption types to AES256_HMAC_SHA1 and Future encryption types, as described in the Microsoft documentation.
  • Understand how to reset the Kerberos Ticket Granting Ticket (KRBTGT) account password, and perform the reset twice.

Even if you were not directly affected by SolarWinds, review and understand Kerberoasting, a method used to extract service account credentials from Active Directory. This type of attack is not new; it was first presented in 2014. The best mitigation is to make service account passwords longer than 25 characters and not easy to guess.

Make sure you have the proper settings in place to enable logging. Domain controllers can log Kerberos TGS service ticket requests when 'Audit Kerberos Service Ticket Operations' under 'Account Logon' is configured to record successful Kerberos TGS ticket requests.
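As an added example (not from the article or from CISA's guidance), the following Python decodes the Kerberos encryption-type bitmask that the policy step above sets, and runs a simple Kerberoasting check over Event 4769 records: users requesting RC4/DES-encrypted service tickets for many distinct SPNs. The one-line record format and all account and service names are constructed for the example.

```python
"""Added example, not from the original article: decode the Kerberos encryption-type
bitmask and flag weak-cipher service-ticket requests in constructed Event 4769 records."""
from collections import defaultdict

# Bits of msDS-SupportedEncryptionTypes / the GPO value "SupportedEncryptionTypes".
ETYPE_BITS = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", 0x4: "RC4_HMAC",
              0x8: "AES128", 0x10: "AES256"}
FUTURE_BITS = 0x7FFFFFE0                  # "Future encryption types" in the policy UI
AES256_AND_FUTURE = 0x10 | FUTURE_BITS    # the setting the article recommends

# Ticket Encryption Type values as logged in Event 4769 that indicate weak ciphers.
WEAK_TICKET_ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5",
                      0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

def legacy_etypes_allowed(mask):
    """Return the DES/RC4/AES128 types a supportedEncryptionTypes bitmask still permits."""
    return [name for bit, name in ETYPE_BITS.items() if mask & bit and bit != 0x10]

def parse_4769(text):
    """Parse constructed one-line records 'AccountName=..;ServiceName=..;TicketEncryptionType=0x..'."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split(";"))
        fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
        events.append(fields)
    return events

def kerberoast_candidates(events, threshold=3):
    """Users who requested weak-cipher tickets for >= threshold distinct SPNs.
    TGT operations (ServiceName krbtgt) and computer accounts ('$') are skipped:
    they often produce RC4 tickets in legacy environments without being attacks."""
    by_user = defaultdict(set)
    for e in events:
        if e["ServiceName"].lower() == "krbtgt" or e["AccountName"].split("@")[0].endswith("$"):
            continue
        if e["TicketEncryptionType"] in WEAK_TICKET_ETYPES:
            by_user[e["AccountName"]].add(e["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= threshold}

# Constructed sample records, not real log data.
SAMPLE_4769 = """\
AccountName=jdoe@CORP.EXAMPLE;ServiceName=MSSQLSvc/db01;TicketEncryptionType=0x17
AccountName=jdoe@CORP.EXAMPLE;ServiceName=HTTP/web01;TicketEncryptionType=0x17
AccountName=jdoe@CORP.EXAMPLE;ServiceName=svc_backup;TicketEncryptionType=0x17
AccountName=jdoe@CORP.EXAMPLE;ServiceName=krbtgt;TicketEncryptionType=0x12
AccountName=asmith@CORP.EXAMPLE;ServiceName=HTTP/web01;TicketEncryptionType=0x12
AccountName=WS01$@CORP.EXAMPLE;ServiceName=cifs/fs01;TicketEncryptionType=0x17
"""
# Usage: kerberoast_candidates(parse_4769(SAMPLE_4769)) flags only jdoe's three RC4 requests.
```

A mask of 0x1C (RC4 + AES128 + AES256) still permits RC4 and AES128, whereas the recommended AES256-plus-Future value permits none of the legacy types.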

It is important to understand what the SolarWinds attack did before activating its payload. According to Microsoft, the attack checked for specific security software, and if that software was active the attack would not run on the system.

Take the time to review what you have done to ensure you are alerted to intrusion activity on your network. Even if you cannot prevent these attacks, you should at least be alerted to them.
