If you use the recently compromised SolarWinds Orion monitoring products, you are already reviewing your infrastructure and possibly blocking network access to the servers in your domain. For those of you who do not use the SolarWinds software, this is an opportunity to review your own processes and determine whether you would have detected the compromised code and backdoors.
The instructions for mitigating the SolarWinds compromise, provided by the US Cybersecurity and Infrastructure Security Agency (CISA), are a good example of the process required to identify and remove sophisticated advanced persistent threats (APTs), even those executed by nation-states. If you can perform these steps, then you’re in a good position to respond properly if the need arises.
Create a forensic image
First, determine whether you could forensically image all suspected devices in your network. Forensic imaging creates an exact, bit-for-bit copy of a server's or workstation's drive, including unallocated space, so deleted files and other residue are preserved along with the live file system. AccessData FTK Imager is one such tool: it acquires the image and verifies it by hashing both the source and the copy and comparing the results, and it generates hash reports for individual files and for whole disk images so you can later prove that the copy is exact and has not been altered.
When imaging physical hard drives to external media, make sure the destination is large enough to hold the full image, which will be at least the size of the source drive. When cloud servers and virtual machines are in the mix, ensure you have a way to image them (for example by snapshotting the virtual disk) and a secure location to store the result. As a general rule, if the server is still running, image it while it is running: powering it down discards the contents of memory and changes state on disk. If the server has already been powered down, image it offline. The goal is to capture the system in the state it was in; only after the evidence is saved and its hashes verified do you power down the servers and take them offline.
There is a debate regarding whether you should take an attacked server offline. When faced with ransomware, for example, you are often told to leave the machine powered on (isolated from the network) so that the ransom note and any information you need to communicate with the attacker remain available. In the case of an incident like SolarWinds, the mandatory action for all impacted government systems is to take the systems offline so that they cannot communicate with the attacker's command-and-control infrastructure. Microsoft, working with partners, took the unusual action of turning the backdoor's command-and-control domain into a kill switch: when the backdoor resolves that domain to addresses under their control it stops executing, so impacted machines can no longer receive instructions. It is recommended not to rebuild or reintroduce the impacted Orion software into a network.
Review and analyze network traffic logs
Next, determine whether you have the resources to review and analyze stored network traffic and log data. In the case of SolarWinds, the backdoor appears to have been introduced as early as March 2020, and many organizations do not retain logs for that long. Review how many weeks' or months' worth of logs you retain and consider forwarding them to offsite storage so they survive a compromise of the systems that produced them. Services such as Splunk can then be used to search the retained data for indicators of compromise.
If you have access to Microsoft's Azure Sentinel product, you can search its workspace for indicators of compromise; Microsoft has published queries for the SolarWinds indicators in its Azure Sentinel GitHub repository. Make sure you know the time zone of every log source and event log you store, and normalize timestamps to a common zone (UTC) when you analyze them: an event recorded in local time on one system and in UTC on another cannot otherwise be placed in the right order, and correlation across sources depends on that ordering.
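The following PowerShell is an added example written for this article, not code from the original page, from CISA or from Microsoft. It shows the two checks the paragraphs above call for: whether log retention reaches back to the start of the compromise window, and how to place lines from sources that record time in different zones onto one UTC timeline before searching them for indicators. The log lines, host names, addresses and indicator values are all constructed for the example, and the host's local zone is assumed to be US Pacific on a Windows machine.

```powershell
# Added example, not from the original article: bring log lines from several
# sources onto one UTC timeline, check that retention reaches back to the start
# of the compromise window, and search the timeline for indicators.
# All log lines and indicator values below are constructed for illustration.

$Indicators = @(
    'c2.example.invalid'   # placeholder C2 host name
    '203.0.113.77'         # placeholder C2 address (documentation range)
)

# Each source records time differently: the firewall in US Eastern with an
# explicit offset, the proxy in UTC, the Windows host in local time (assumed
# Pacific here, Windows zone id) with no offset at all.
$FirewallLines = @(
    '2020-03-26T14:02:11-04:00 DENY 10.0.5.14 -> 203.0.113.77:443'
    '2020-04-02T09:45:00-04:00 ALLOW 10.0.5.14 -> 198.51.100.20:443'
)
$ProxyLines = @(
    '2020-03-26 18:02:09 10.0.5.14 GET https://c2.example.invalid/ 200'
)
$HostLines = @(
    '2020-03-26 11:01:58 orion-01 DNS query c2.example.invalid'
)
$HostZone = [System.TimeZoneInfo]::FindSystemTimeZoneById('Pacific Standard Time')

function ConvertTo-UtcTime {
    param(
        [Parameter(Mandatory)][string]$Stamp,
        [System.TimeZoneInfo]$SourceZone   # ignored when the stamp carries its own offset
    )
    $ci = [cultureinfo]::InvariantCulture
    [DateTimeOffset]$dto = [DateTimeOffset]::MinValue
    if ([DateTimeOffset]::TryParseExact($Stamp, 'yyyy-MM-ddTHH:mm:sszzz', $ci,
            [System.Globalization.DateTimeStyles]::None, [ref]$dto)) {
        return $dto.UtcDateTime            # offset present: conversion is exact
    }
    if (-not $SourceZone) { throw "No offset in '$Stamp' and no source zone given" }
    $local = [datetime]::ParseExact($Stamp, 'yyyy-MM-dd HH:mm:ss', $ci)  # Kind = Unspecified
    return [System.TimeZoneInfo]::ConvertTimeToUtc($local, $SourceZone)  # honours DST for that date
}

function New-TimelineEntry {
    param([string]$Source, [string]$Line, [System.TimeZoneInfo]$SourceZone)
    # Leading token: either ISO-8601 with offset or "yyyy-MM-dd HH:mm:ss".
    if (-not ($Line -match '^(\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}| \d{2}:\d{2}:\d{2}))')) {
        throw "Unrecognised timestamp in: $Line"
    }
    [pscustomobject]@{
        Utc    = ConvertTo-UtcTime -Stamp $Matches[1] -SourceZone $SourceZone
        Source = $Source
        Hits   = @($Indicators | Where-Object { $Line -like "*$_*" })
        Line   = $Line
    }
}

function Test-LogRetention {
    # Do the oldest retained records predate the point the investigation must reach?
    param([datetime[]]$UtcStamps, [datetime]$MustCover)
    $oldest = @($UtcStamps | Sort-Object)[0]
    [pscustomobject]@{ OldestUtc = $oldest; MustCover = $MustCover; Covers = ($oldest -le $MustCover) }
}

$timeline = @(
    $FirewallLines | ForEach-Object { New-TimelineEntry -Source firewall -Line $_ }
    $ProxyLines    | ForEach-Object { New-TimelineEntry -Source proxy    -Line $_ -SourceZone ([System.TimeZoneInfo]::Utc) }
    $HostLines     | ForEach-Object { New-TimelineEntry -Source host     -Line $_ -SourceZone $HostZone }
) | Sort-Object Utc

# Trojanised Orion builds were distributed from March 2020, so logs must reach back
# at least that far. With the sample above the oldest record is 26 March: Covers = False.
Test-LogRetention -UtcStamps $timeline.Utc -MustCover ([datetime]'2020-03-01')

# Indicator hits in order of occurrence, all in UTC, regardless of the source's zone:
# the host's DNS query (18:01:58Z) precedes the proxy hit (18:02:09Z) and the firewall deny (18:02:11Z).
$timeline | Where-Object { $_.Hits.Count -gt 0 } |
    Format-Table Utc, Source, @{ n = 'Hits'; e = { $_.Hits -join ',' } }, Line -AutoSize
```

Read naively, the three sample lines are hours apart (11:01, 14:02 and 18:02); after normalization they are thirteen seconds apart and in the order an infection would produce them. That is the point of knowing each source's zone before correlating.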
Audit enterprise security products
Review and audit all enterprise security products that you use in your network, and make sure they are actually kept up to date. Ask your vendors about their own security processes: do they require two-factor authentication for developers, and how do they protect their build and signing pipeline? The SolarWinds code was inserted during the vendor's build process and shipped to customers as a legitimately signed update, so attackers clearly see the value in compromising the very software that monitors us, and it is imperative that vendors' processes are as secure as they can be.
Review network analysis capabilities
Review whether you have the resources and expertise to analyze your network traffic and the forensic information it generates, or whether you would need outside help to do so. Review whether your firm has cyberinsurance and what incident-response resources your coverage provides.
Limit Kerberoasting on your network
The CISA document recommends resetting passwords and requires steps to limit a technique called Kerberoasting in your network. It lists the following steps:
- Understand the concept of Kerberoasting and require long, complex passwords (greater than 25 characters) for service principal accounts. Implement a rotation policy for these passwords.
- Replace user accounts that are used as service accounts with group Managed Service Accounts (gMSAs), whose passwords are long random values that Active Directory generates and rotates automatically, and make sure the migration is actually completed.
- Set the account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not DES, RC4 or AES 128-bit encryption. To do this, define the security policy setting Network Security: Configure encryption types allowed for Kerberos and set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types, as described in Microsoft's documentation for that setting; for individual accounts the same flags live in the msDS-SupportedEncryptionTypes attribute.
- Understand how to reset the password of the krbtgt account (the Kerberos ticket-granting ticket account) and perform the reset twice, allowing replication to complete between the two resets.
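The following PowerShell is an added example written for this article; it is not code from the original page or from CISA. It walks the four steps above as an administrator would run them against Active Directory: report which service principal accounts can still be Kerberoasted (RC4 or DES negotiable, stale password), restrict an account to AES256 and rotate its password, create a gMSA in place of a password-bearing account, and reset krbtgt with the caveat about spacing the two resets. It requires the ActiveDirectory RSAT module and Domain Admin rights; the account, group, host and SPN names are placeholders.

```powershell
# Added example, not from the original article or from CISA: audit the accounts that
# can be Kerberoasted and apply the mitigations listed above. Needs the ActiveDirectory
# RSAT module and Domain Admin rights. Account, group and host names are placeholders.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes flags; the same bits back the GPO setting
# "Network security: Configure encryption types allowed for Kerberos"
# (AES256 + Future encryption types there equals 0x7FFFFFF0).
$Enc  = @{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10 }
$Weak = $Enc.DES_CBC_CRC -bor $Enc.DES_CBC_MD5 -bor $Enc.RC4_HMAC

function Get-KerberoastExposure {
    # Every user account with a service principal name is a Kerberoasting target.
    # Flag accounts whose tickets can still be issued with RC4/DES or whose
    # password has not been rotated within $MaxPasswordAgeDays.
    param([int]$MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
               -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        # Attribute absent (0) means the KDC falls back to RC4 for this account's tickets.
        $types = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            SPNs            = $_.ServicePrincipalName -join ';'
            PasswordLastSet = $_.PasswordLastSet
            PasswordStale   = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            AllowsRC4OrDES  = ($types -eq 0) -or (($types -band $Weak) -ne 0)
            AES256Only      = ($types -eq $Enc.AES256)
        }
    }
}

function New-RandomSecret {
    # 64 random bytes -> 88 Base64 characters, comfortably above the 25-character floor.
    $bytes = [byte[]]::new(64)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Set-ServiceAccountHardened {
    # Restrict the account to AES256 keys and rotate its password. The service that
    # uses the account (SCM, scheduled task, IIS app pool ...) must be given the new
    # password, so capture the returned SecureString. AES keys only exist for passwords
    # set while the domain supported AES, which the rotation guarantees.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $secret = New-RandomSecret
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType AES256
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secret
    return $secret
}

function New-ServiceGmsa {
    # Preferred replacement for a password-bearing service account: the gMSA password is
    # 240 random bytes generated by AD, rotated every 30 days, and never handled by a human.
    param([string]$Name = 'gmsa-web', [string]$HostGroup = 'WebServers',
          [string]$DnsHostName = 'web.corp.example', [string[]]$Spn = @('HTTP/web.corp.example'))
    if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }   # once per forest; usable after 10 h
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName -ServicePrincipalNames $Spn `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup -KerberosEncryptionType AES256
}

function Reset-KrbtgtOnce {
    # The KDC accepts tickets under the current and the previous krbtgt key, so a ticket
    # forged with a stolen key survives a single reset; hence CISA's "reset twice".
    # Do NOT run this twice back to back: wait until the new key has replicated to every
    # DC and the maximum ticket lifetime (10 h by default) has elapsed, or every
    # outstanding ticket in the domain is invalidated at once.
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomSecret)
    repadmin /syncall /AdeP | Out-Null   # push the change; verify with repadmin /showrepl
}

# Usage: report first, then fix what the report shows.
Get-KerberoastExposure | Where-Object { $_.AllowsRC4OrDES -or $_.PasswordStale } | Format-Table -AutoSize
# $newPw = Set-ServiceAccountHardened -SamAccountName 'svc-legacy'
# New-ServiceGmsa
# Reset-KrbtgtOnce   # ... wait for replication and ticket lifetime ... Reset-KrbtgtOnce
```

Run the report before changing anything: accounts whose msDS-SupportedEncryptionTypes is unset will show AllowsRC4OrDES as true even though nothing was ever "configured", because the KDC's default for such accounts is RC4.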
Even if you weren't directly impacted by SolarWinds, review and understand Kerberoasting, a method of extracting service account credentials from Active Directory. Any authenticated domain user can request a service ticket for any account that has a service principal name, and because that ticket is encrypted with a key derived from the service account's password it can be cracked offline, quickly if the ticket uses RC4. The attack is not new; it was first presented in 2014. The best mitigation is to ensure service account passwords are longer than 25 characters and not guessable, and to allow only AES for their tickets.
Enable logging as well. Domain controllers record Kerberos TGS service ticket requests as event ID 4769 when "Audit Kerberos Service Ticket Operations" under "Account Logon" is configured to log successful requests; a single account requesting RC4 tickets for many different services in a short period is the pattern to look for.
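The following PowerShell is an added example written for this article, not code from the original page or from Microsoft. It takes the 4769 events that the audit setting above produces and flags the Kerberoasting pattern: one requester collecting RC4 or DES service tickets for several distinct service accounts within minutes. The sample records at the bottom are constructed; the commented line shows the equivalent live query on a domain controller.

```powershell
# Added example, not from the original article: surface Kerberoasting from Security
# event 4769, which domain controllers write once "Audit Kerberos Service Ticket
# Operations" logs successes. Enable it on every DC, e.g. through the Default Domain
# Controllers Policy, or locally with:
#   auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
# The records at the bottom are constructed; the commented Get-WinEvent line shows
# where live data comes from.

function ConvertFrom-Event4769 {
    # Flatten one 4769 EventLogRecord into the fields the detection needs.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated.ToUniversalTime()
            Requester      = $d.TargetUserName        # who asked for the ticket
            Service        = $d.ServiceName           # SPN owner the ticket is for
            EncryptionType = $d.TicketEncryptionType  # 0x17 RC4-HMAC, 0x12 AES256, 0x11 AES128
            ClientAddress  = $d.IpAddress
        }
    }
}

function Find-KerberoastCandidates {
    # Kerberoasting looks like one requester collecting RC4 or DES service tickets for
    # many distinct SPN accounts within minutes. Tickets for computer accounts (name
    # ends in $) and for krbtgt are ordinary traffic and are excluded. A single window
    # over each requester's records keeps the example short; a sliding window is better.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$WindowMinutes = 10,
        [int]$MinDistinctServices = 3
    )
    $weak = @('0x17', '0x1', '0x3')   # RC4-HMAC, DES-CBC-CRC, DES-CBC-MD5
    $Records |
        Where-Object { $weak -contains $_.EncryptionType -and
                       $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt' } |
        Group-Object Requester |
        ForEach-Object {
            $sorted   = @($_.Group | Sort-Object TimeCreated)
            $services = @($sorted.Service | Sort-Object -Unique)
            $span     = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
            if ($services.Count -ge $MinDistinctServices -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Requester = $_.Name
                    Services  = $services -join ','
                    Tickets   = $sorted.Count
                    Minutes   = [math]::Round($span, 1)
                    From      = (@($sorted.ClientAddress | Sort-Object -Unique)) -join ','
                }
            }
        }
}

# Constructed sample: jdoe pulls RC4 tickets for five different services in ten
# seconds (Kerberoast pattern); jsmith's AES ticket and WS01$'s TGT renewal are noise.
$t0 = [datetime]'2020-12-14 02:15:00'
$Sample = @(
    foreach ($i in 1..5) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(2 * $i); Requester = 'jdoe'
                           Service = "svc-app$i"; EncryptionType = '0x17'; ClientAddress = '10.0.5.14' }
    }
    [pscustomobject]@{ TimeCreated = $t0; Requester = 'jsmith'; Service = 'svc-sql'
                       EncryptionType = '0x12'; ClientAddress = '10.0.7.2' }
    [pscustomobject]@{ TimeCreated = $t0; Requester = 'WS01$'; Service = 'krbtgt'
                       EncryptionType = '0x12'; ClientAddress = '10.0.9.9' }
)
Find-KerberoastCandidates -Records $Sample | Format-Table -AutoSize
# Live, on a DC:
# Find-KerberoastCandidates -Records (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 20000 | ConvertFrom-Event4769)
```

With the constructed sample only jdoe is reported (five services, 0.1 minutes, from 10.0.5.14). Once the accounts described above have been moved to AES256-only, any RC4 ticket request that still appears in 4769 is itself worth an alert, because the KDC should no longer be issuing them.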
It's also important to understand what the backdoor inserted into the Orion software did before it activated its payload. As Microsoft notes, it checks for certain security software running on the system and, if it finds it, does not launch. The absence of alerts from a particular product is therefore not evidence that a host was clean.
Take the time to review what you might have done to be alerted to intrusion activity in your network. We may not be able to prevent these attacks, but we should be able to be alerted to them.