As most SolarWinds investigations have stabilized, it’s a good time to give the full report to your Board of Directors. They’ve hopefully been curious, and you’ve likely been giving them bits and pieces along the way. Now it’s time to give them the big picture and explain the takeaways. This article covers the 5 main points you should address when giving a final report to the board on SolarWinds.
#1 - To what level was your financial institution impacted?
As with all incidents, the level of impact dictated the level of investigation you needed to perform, as well as response tactics. So this is a great place to start. We’ve found that everyone falls into one of the categories below:
- 0 - No SolarWinds Orion in your environment, or the affected version was not installed.
- 1 - The affected version was present, but there was no communication to avsvmcloud[.]com (or any other known Command and Control URL or IP).
- 2 - Evidence exists of a backdoor connection to the attackers' Command and Control.
- 3 - Evidence exists of delivery of a second payload, aka TEARDROP. In this case you probably should involve a forensics team. One place to check is the list of affected domains (at the bottom of this page): https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
- OR - You're not entirely sure. This is usually due to inadequate logging capabilities. Definitely take a look at #4 below.
For more information on how the attack worked see: https://www.bedelsecurity.com/blog/solarwinds-what-do-we-know-so-far
#2 - What investigation did you perform?
There's a fine line here: board members don't want to see the actual logs, but they probably want to know more than "We checked and we're good." What you report will vary depending on where you landed in #1. Some ideas:
- We scanned the affected server and found no evidence of the backdoor files.
- We reviewed the Firewall/SIEM logs from March 1, 2020 to December 20, 2020 and found no connections to the known command and control servers.
- Our IPS provider found no evidence of lateral movement from the affected server.
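As an added illustration (not code from the original article), the following Python script performs the log review described in the second bullet over a few constructed DNS-query lines and maps the result onto the impact levels from #1. The log layout, the sample addresses and query names are assumptions; the C2 domain and the review window are the ones the article gives.

```python
import re
from datetime import datetime

# Command-and-control domain named in the article. SUNBURST beaconed to
# subdomains of it, so match the apex domain and any label beneath it.
C2_DOMAIN = "avsvmcloud.com"
# Review window used by the article's example log review.
WINDOW_START = datetime(2020, 3, 1)
WINDOW_END = datetime(2020, 12, 20, 23, 59, 59)

# Constructed sample lines in a simplified "<timestamp> <src> DNS query: <name>"
# layout; this is not any real vendor's log format.
SAMPLE_LOGS = """\
2020-02-15T10:00:00 10.1.5.20 DNS query: a1b2.appsync-api.eu-west-1.avsvmcloud.com
2020-06-03T14:22:10 10.1.5.20 DNS query: downloads.solarwinds.com
2020-07-19T03:11:45 10.1.5.20 DNS query: z9y8x7.appsync-api.us-west-2.avsvmcloud.com
2020-11-02T09:00:00 10.1.7.8 DNS query: notavsvmcloud.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) DNS query: (\S+)$")

def is_c2_domain(name: str) -> bool:
    """True for the C2 apex domain or any subdomain of it, never a bare substring."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def find_c2_hits(log_text: str) -> list:
    """Return (timestamp, source, name) for in-window queries to the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected layout
        ts = datetime.fromisoformat(m.group(1))
        if WINDOW_START <= ts <= WINDOW_END and is_c2_domain(m.group(3)):
            hits.append((ts, m.group(2), m.group(3)))
    return hits

def impact_level(affected_version_installed: bool, hits: list) -> int:
    """Map findings onto the article's levels 0-2; level 3 (TEARDROP) needs host forensics."""
    if not affected_version_installed:
        return 0
    return 2 if hits else 1

if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_LOGS)
    for ts, src, name in found:
        print(f"{ts.isoformat()} {src} -> {name}")
    print("impact level:", impact_level(True, found))
```

The first sample line falls before the review window and the last one is a look-alike name, so only the July query counts as a hit; on real data, widen the window rather than trust the filter blindly.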
#3 - What was the immediate response?
This explains what actions were taken to contain and remediate the threat. Some examples:
- Did you disable network connectivity to the affected server?
- Have you taken a snapshot of the server for future forensics (if necessary)?
- Have you preserved logs via backup (firewall, SIEM, webfilter, IDS/IPS)?
- Were there controls that prevented this?
- Were your 3rd parties impacted?
#4 - What changes do you need to make?
Even if your financial institution was not impacted by this attack, this is a great opportunity to determine whether you would be prepared to respond. It's also time to look at your existing controls to see how the attack would have played out in your environment. Some takeaways we've seen:
- Block or whitelist internet access for servers.
- Ensure proper logging for all critical network segments: ingress and egress traffic, lateral movement, and system logs.
- Make sure logging goes back at least a year; the longer the better.
- Consider a SIEM or outsourcing to a SIEM provider.
See more details here: https://www.bedelsecurity.com/blog/mitigating-supply-chain-attacks
#5 - Prepare for more attacks like this.
You need to explain what makes the SolarWinds attack different. This is a supply chain attack: a trusted, known application was compromised at the source, at the supplier. Security experts had feared a supply chain attack like this one for years because they knew it could be distributed to thousands of organizations without question AND because it could go undetected for a long period of time.
This will change the playbook going forward for attackers and it will change “what” and “who” we can trust as risk managers and cyber professionals.
From a regulatory standpoint, we should also expect increased guidance and scrutiny on how this risk is managed.
Closing
While this largely mirrors most incident response templates, I thought it would be helpful to put it in the context of this specific attack. Let me know if you have any questions.
Or if you need assistance handling or reporting on this incident, let us know at support@bedelsecurity.com. We're here to help in any way we can.
Additional Resources:
Mitigating Supply Chain Attacks
https://www.bedelsecurity.com/blog/mitigating-supply-chain-attacks
SolarWinds: What do we know so far?
https://www.bedelsecurity.com/blog/solarwinds-what-do-we-know-so-far
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
IT Risk Assessment vs. Vendor Risk Assessment Simplified
https://www.bedelsecurity.com/blog/it-risk-assessment-vs.-vendor-risk-assessment-simplified