Last week, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 with initial steps to take in response to the SolarWinds Orion software that had been trojaned by an advanced persistent threat actor. Federal agencies were under a deadline to complete those actions, but this issue will require continued clean-up and longer-term effort to mitigate the threat.
Beyond those first steps, organizations will want to keep scanning their environments for the presence of the compromised SolarWinds software. There may be places you forgot to look, and backdoored versions may be lurking on offline systems. In today's reality of remote work, there could be systems and devices carrying the software that simply haven't been detected yet because they weren't connected to the network when you scanned. You will want to monitor for them as they reconnect.
Here’s what you want to include in your continued clean-up efforts.
Use multiple scanning methods for the vulnerabilities and IoCs associated with the SolarWinds breach
Look at the rest of your security toolset to complement your malware detection capabilities. You want to scan for the malicious version of the software in more than one way, because each method has blind spots the others cover: locally with agents on the host, remotely with credentialed scans, and across the network with unauthenticated scans.
Tripwire Enterprise and Tripwire IP360 can both find malicious versions of the software on your systems, complementing your other endpoint scans and broadening the search across your greater environment. Tripwire IP360 will find the vulnerabilities associated with the SolarWinds breach. Tripwire Enterprise, while widely known for secure configuration and change detection, will also discover the software, as it examines file systems and can match on indicators of compromise such as file hashes.
Use the different tools under your belt to ensure an accurate assessment.
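The local part of such a sweep, as an added example that is not Tripwire's, SolarWinds' or CISA's code: walk a tree, hash every file, and report hash matches against an indicator list separately from files that merely carry the expected DLL name. The indicator set is left empty as a placeholder to be filled from the published IoC lists, and the sample tree, its file contents and the "offline laptop image" directory are constructed for the demonstration.

```python
"""Sweep a directory tree for the SUNBURST carrier DLL by file name and SHA-256.

Added example; not Tripwire's, SolarWinds' or CISA's code. IOC_SHA256 is an
empty placeholder: populate it from the published indicator lists before use.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterator, List, Set, Tuple

# File name the trojaned component shipped under (from the public advisories).
TARGET_NAMES = {"solarwinds.orion.core.businesslayer.dll"}

# Placeholder: fill from the CISA/FireEye IoC lists. Deliberately empty here.
IOC_SHA256: Set[str] = set()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash in chunks so large installer bundles are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iter_files(root: str) -> Iterator[str]:
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def sweep(root: str, ioc_hashes: Set[str],
          target_names: Set[str] = TARGET_NAMES) -> List[Dict[str, str]]:
    """Return one finding per suspicious file under root.

    verdict 'ioc'    : SHA-256 is on the indicator list; treat the host as compromised.
    verdict 'review' : the DLL is present but its hash is not on the list. Clean
                       builds carry this file too, so check version and signature
                       before declaring it good; an unlisted hash is not a clean bill.
    Every file is hashed, not just the expected name, so a renamed copy of the
    trojaned DLL (cached installers, backups, mounted images) is still caught.
    """
    findings: List[Dict[str, str]] = []
    for path in iter_files(root):
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # locked or unreadable; a real sweep should log these paths
        name = os.path.basename(path).lower()
        if digest in ioc_hashes:
            findings.append({"path": path, "sha256": digest, "verdict": "ioc"})
        elif name in target_names:
            findings.append({"path": path, "sha256": digest, "verdict": "review"})
    return findings


def build_sample_tree() -> Tuple[str, str]:
    """Create a constructed tree for the demonstration (no real SolarWinds files).

    Returns (root, sha256 of the constructed 'bad' DLL) so the caller can use that
    hash as its indicator. The offline-image directory stands in for a laptop that
    was off the network when the first sweep ran.
    """
    root = tempfile.mkdtemp(prefix="sunburst-sweep-")
    orion = os.path.join(root, "Program Files", "SolarWinds", "Orion")
    offline = os.path.join(root, "offline-laptop-image", "SolarWinds", "Orion")
    os.makedirs(orion)
    os.makedirs(offline)
    bad_body = b"CONSTRUCTED stand-in for the trojaned DLL"
    bad = os.path.join(orion, "SolarWinds.Orion.Core.BusinessLayer.dll")
    with open(bad, "wb") as f:
        f.write(bad_body)
    # Same bytes under a different name: only the hash check finds this one.
    with open(os.path.join(root, "cached-update.bin"), "wb") as f:
        f.write(bad_body)
    # Right name, different build: name match only, so it lands in 'review'.
    with open(os.path.join(offline, "SolarWinds.Orion.Core.BusinessLayer.dll"), "wb") as f:
        f.write(b"CONSTRUCTED stand-in for a different build of the DLL")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"unrelated file")
    return root, sha256_file(bad)


if __name__ == "__main__":
    root, bad_hash = build_sample_tree()
    for finding in sweep(root, {bad_hash}):
        print(finding["verdict"], finding["path"])
```

Run it against mounted images and backup shares as well as live hosts; the 'review' bucket is where the offline and forgotten installs surface, and each of those still needs its version checked against the affected range.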
Monitor system integrity to prevent reintroduction of malicious software
Baseline your systems against a known-good state and check for any changes. There could be downstream effects of SUNBURST that are not yet known. Persistent monitoring will also catch offline systems coming back online that could reintroduce the backdoored software into the environment. This matters most when a compromised asset comes back online and connects to a critical asset, but it applies equally when new assets are added to the environment. Tripwire users can look to Tripwire Enterprise for the integrity management capabilities that address this; consider it a backstop for detecting unusual or unauthorized change.
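The baseline-and-compare idea in code, as an added example that is not Tripwire Enterprise's implementation: a manifest of SHA-256 hashes is taken from a clean reference install, stored, and later compared with the same tree on a host that reconnects, so the returning system is judged against what it should look like rather than against its own last state. The directory layout, file names other than the Orion DLL, and file contents are constructed for the demonstration.

```python
"""Baseline a tree against a known-good state and report drift.

Added example; not Tripwire Enterprise's code. A manifest of SHA-256 hashes is
taken from a clean reference install and later compared with the same tree on a
host, so a system that returns to the network (or a newly added asset) is judged
against what it should look like, not against itself.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file (path relative to root, '/'-separated) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = sha256_file(full)
            except OSError:
                continue
    return manifest


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    """Persist the known-good state; in practice keep it off the monitored host."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift as added / removed / changed relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, body: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(body)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean reference install versus a laptop that was
    offline during the first sweep and now reconnects carrying a different DLL.
    File names apart from the Orion DLL, and all contents, are made up."""
    reference = tempfile.mkdtemp(prefix="orion-reference-")
    _write(reference, "Orion/SolarWinds.Orion.Core.BusinessLayer.dll", b"CONSTRUCTED clean build")
    _write(reference, "Orion/app.config", b"<configuration/>")
    _write(reference, "Orion/Web/web.config", b"<configuration/>")

    manifest_path = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "orion.json")
    save_manifest(build_manifest(reference), manifest_path)

    returning = tempfile.mkdtemp(prefix="orion-laptop-")
    _write(returning, "Orion/SolarWinds.Orion.Core.BusinessLayer.dll", b"CONSTRUCTED other build")
    _write(returning, "Orion/app.config", b"<configuration/>")
    _write(returning, "Orion/Web/web.config.bak", b"<configuration/>")  # renamed, not removed

    return compare(load_manifest(manifest_path), build_manifest(returning))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The changed DLL is the finding that matters here, but the added and removed entries are reported too: a backdoor's persistence often shows up as an unexpected new file or a config that quietly went missing, and a baseline that only watches named files would not see either.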
Check your logs
Make sure you have a log management tool in place for processing your firewall, proxy and DNS logs, integrated with your secure configuration management process. Gather logon records for the SolarWinds service and administrative accounts to see where those credentials have been used since the trojaned software was installed. You should also check logs for outbound communication to the SUNBURST command-and-control domain, avsvmcloud[.]com, including its subdomains, since the backdoor generated per-victim subdomains under it.
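Both log checks in one script, as an added example and not a Tripwire feature: flag lookups of the SUNBURST C2 zone (the apex or anything below it, so a generated subdomain matches and a look-alike such as notavsvmcloud.com does not), and list logons by SolarWinds service accounts since the install date. The DNS and logon line formats, the sample lines, the account name svc-orion and the install time are all constructed for the demonstration; the regexes will need adapting to your resolver, proxy and directory logs.

```python
"""Check DNS and logon logs for SUNBURST indicators.

Added example; not a Tripwire feature. Two things are looked for: outbound
lookups of the SUNBURST C2 domain (avsvmcloud[.]com, including its generated
subdomains) and use of SolarWinds service accounts since the trojaned build was
installed. The log line formats and the sample lines are constructed for this
demonstration; adapt the regexes to your resolver, proxy and directory logs.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Set

C2_DOMAINS = {"avsvmcloud.com"}  # the SUNBURST first-stage C2 zone (public advisories)

# Assumed formats: '<iso-ts> client <ip> query: <name>' and
#                  '<iso-ts> <host> logon user=<name> src=<ip>'
DNS_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>[\d.]+) query: (?P<name>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) logon user=(?P<user>\S+) src=(?P<src>[\d.]+)$")


def in_zone(name: str, zones: Set[str]) -> bool:
    """True for the zone apex or any label below it; 'notavsvmcloud.com' must not match."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def find_c2_lookups(lines: Iterable[str], since: datetime,
                    zones: Set[str] = C2_DOMAINS) -> List[Dict[str, str]]:
    """Lookups of the C2 zone at or after `since`, with the client that asked."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m or datetime.fromisoformat(m["ts"]) < since:
            continue
        if in_zone(m["name"], zones):
            hits.append({"ts": m["ts"], "client": m["client"], "name": m["name"]})
    return hits


def find_account_use(lines: Iterable[str], since: datetime,
                     accounts: Set[str]) -> List[Dict[str, str]]:
    """Logons by the given accounts at or after `since`. Hosts other than the
    Orion server itself are where lateral movement with those credentials shows."""
    wanted = {a.lower() for a in accounts}
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m or datetime.fromisoformat(m["ts"]) < since:
            continue
        if m["user"].lower() in wanted:
            hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"]})
    return hits


# Constructed sample data. The install time is an assumption for the demo.
INSTALL_TIME = datetime(2020, 6, 1, 0, 0, 0)

SAMPLE_DNS = [
    "2020-05-20T08:00:00 client 10.0.5.22 query: updates.example.net",
    "2020-05-30T23:59:59 client 10.0.5.22 query: k6h9lp1jd3wo5b.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-14T10:02:11 client 10.0.5.22 query: k6h9lp1jd3wo5b.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-14T10:02:12 client 10.0.5.22 query: notavsvmcloud.com",
    "2020-07-01T03:15:40 client 10.0.9.7 query: AVSVMCLOUD.COM.",
    "garbage line the parser should skip",
]

SAMPLE_AUTH = [
    "2020-05-01T09:00:00 orion01 logon user=svc-orion src=10.0.5.22",
    "2020-06-20T02:10:05 orion01 logon user=svc-orion src=10.0.5.22",
    "2020-06-20T02:11:30 dc01 logon user=SVC-ORION src=10.0.5.22",
    "2020-06-21T14:00:00 fileserver logon user=alice src=10.0.8.3",
]

if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS, INSTALL_TIME):
        print("C2 lookup:", hit)
    for hit in find_account_use(SAMPLE_AUTH, INSTALL_TIME, {"svc-orion"}):
        print("service account use:", hit)
```

In the sample, the lookup before the install date is dropped and the one from a second client is kept, which is the point of running this over the full retention window rather than only the Orion server's logs: a second client asking for the C2 zone is a second host to sweep. The service account appearing on dc01 is the kind of result that turns a clean-up into an incident response.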
Sweep the whole house to find SolarWinds software
With a breach of this nature and scale, there will be outlying issues to address beyond these first few days of clean-up. Persistent monitoring and clean-up will be critical to catch the stragglers. Ensure malware detection and endpoint solutions are up to date, confirm that your vulnerability management and other tools have coverage for finding the SolarWinds software, check your logs, and take the time and effort for a deep clean. Dusting off one piece of furniture in your house might look clean until you realize the dust has settled everywhere around it. A full, persistent clean-up is needed to mitigate the threat.
For more information on how Tripwire can support your clean-up of compromised SolarWinds software, please contact your Tripwire representative or request support here.