
4 steps to find out if your company is affected by Solorigate Cyber-security attack

The cloud is over!

Or is it? This is what some analysts said after the Solorigate attack.

Why? Because one of the targets was Office 365 infrastructure and because one of the companies affected was Microsoft. 

We are still to discover the entire fallout of Solorigate, but for me, it is far from calling cloud security “game over” based on this one. 

Key points

  • What do you need to know about the SolarWinds supply chain attack?
  • How to react when your organization is under cyber-attack?
  • Why cloud providers are able to react faster in such moments?
  • What are the technical steps to follow to detect Solorigate attack in your network?

SolarWinds attack explained

On December 13th, 2020, the announcement came: someone had hacked many customers using SolarWinds software in a supply chain attack.

The news cycle went on high alert. Security experts commented on how severe the situation was. Names of important companies and government institutions started to fly around as possible hack targets. 

Big names, including Microsoft, were affected and publicly announced it. Some “experts” claimed: the cloud was hacked, you are all vulnerable. 

Weeks later, more details are still being revealed about the so-called “Solorigate” (or “Solarigate”) and its fallout called “Sunburst.” 

In my more than 20 years of experience in the security area, it might be the most significant event that will impact how we think about security for years to come. It raises a set of questions that we all should answer: 

  • What if you are not a SolarWinds customer? Should you care about it at all?
  • What if you are a Microsoft (or another vendor’s) cloud user? Should you be worried and think about moving out?
  • What are the practical implications of SolarWinds for your company, and how to implement any necessary changes?

Here’s my take, based on what is known at the moment, our experience as a company, and my humble, biased opinion and experience. 

SPOILER ALERT

  • I will not try to convince you that a supply chain attack is something you can prevent with a magic tool. 
  • I will not try to convince you to upgrade your Microsoft licenses to a higher level for “additional” protection. 
  • I will give you my take on Solarigate, and its meaning for an ordinary company.
  • I will explain why I think that you and your company might have the best people working on you for free.
  • I will give you the steps you can follow to use what you already have, to implement detection and protection against what is known as Solorigate. 

If you are interested in the technical steps to follow, scroll directly to the last section, but I hope you will go through the entire flow with me here.

Let’s start. 

What to do after a cyber-security attack?

Step #1 DO NOT PANIC!

I will tell you a secret right now. It is an answer to one of the interview questions I ask during recruitment for our cyber-security team. The question is:

“What would you advise the customer to do first when they discover that they are under attack?” 

It is the rule that governs every other practice in a cyber-attack response playbook. 

First, let’s get the facts straight and establish what we know. If you have not followed Solorigate, this will bring you up to speed; if you have, skip this part or use it as a refresher. 

  1. SolarWinds was hacked, and the attacker delivered the payload through a legit update, distributed to company customers.
  2. The attack was carefully planned and executed, most likely months in advance, to slip under the radar as a legit update to the product. 
  3. When the attacker planted the payload, they moved to the second stage of delivering the backdoors (now known as Sunburst, Raindrop, and Teardrop – yes, the IT industry has definitely got better at naming those things).
  4. In a specific environment with Office 365 and AD FS, they attempted to recover a private key on the AD FS side. 
  5. With access to private keys and presence in the network, the attacker could access mailboxes and resources on the Office 365 side and stay present in the environment. 

I have oversimplified the process, I know.

If you are interested in an in-depth analysis of the technical side of the attack, here are two sources to follow: 

  • Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - on Microsoft Security blog
  • The attack bears a lot of similarities to the NotPetya incident, which unfolded years ago and affected many organizations, with the best-known case being Maersk.

The difference between Solorigate and NotPetya? The latter aimed to be destructive, whereas the goal of the former was to stay undetected and extract information. 


Step #2 – You are calm, now what?

What you should get out of the incident for yourself and your company:

  1. Could you detect it (or a similar attack) and prevent it before it had happened? 

The answer is simple – NO! Look, big organizations worldwide could not do it with all their skills and resources. Microsoft was hacked. All kinds of government agencies were hacked, major security providers were hacked! 

Without specialized knowledge and resources, you could not do it now, and you will not be able to do it in the future. Period.

Anyone with advice such as: “You should analyze your supply chain to detect it in the future” should answer your single question: 

“How can I practically do it with my resources, skills, and not being a cybersecurity company but doing my own business?”

Ask especially if they offer some magic software to detect threats like this in the future. 

If you get the answers to such questions from either a vendor or consulting, please let me know in the comments. 

  2. You can’t prevent it, so be better prepared to react and contain it

If you can’t prevent it, then what? 

  • Is stopping your organization every time there is a major hack or threat an option? 
  • Is rebuilding everything each time you find out? 

These are the real questions you should ask yourself now. 

My take – be prepared to react and contain it. If it happened twice (counting NotPetya), it would happen again. In case it happens, you are interested in answering two questions:

  1. Are you affected? 
  2. How will you react to it and contain it?

How do you know if you are affected? You need to know your estate (what you are running, where, and in what version) and have a quick way to assess:

  • Do we have this software? 
  • Have we applied the patch, or is this a scenario that applies to our services? 

A good way to start is this:

  • Build your threat model (what is essential for you, what kinds of disruptions or attacks might affect you and how),
  • Get a list of priority assets and impact on your business in case these are affected,
  • Review the tools you have already in place and make use of them,
  • Have a response plan and team in place.  

Invest the most in these two elements:

  • Your response plan: who will be in charge of the response, who will lead the assessment of the impact on your organization, and what you will verify as part of your response plan and how.  
  • Your response team: assign a team in charge and give them resources to do it. Resources in terms of authority, training, and tools, so they are prepared when the next incident unfolds. 

Make fair use of tools you already have and track what’s new in them – make sure they are deployed, up to date, and you understand what you can get from them. 

In the case of attacks like Solorigate, it is more about being prepared and moving than technical prevention against everything upfront. 

Are we done with the centralized cloud model?

First, let’s get the facts straight.

The Solorigate hack used the on-premises infrastructure to unfold. The on-premises foothold was used to access the AD FS private key, which allows an attacker to forge authentication tokens accepted by the cloud service (it might be a good reason for you to get rid of AD FS and reduce the complexity). 
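The mechanism above also points at a defensive check: a token minted with a stolen AD FS signing key is accepted by the cloud, but AD FS never logged issuing it. The following Python is an added example, not code from the original post; the record layouts, field names and the one-hour lifetime policy are assumptions made for the example.

```python
# Added example, not code from the original post. A token minted offline with a
# stolen AD FS signing key is accepted by the cloud service but never appears in
# AD FS issuance logs, so a federated sign-in with no matching issuance record, or
# a validity period longer than policy allows, is what a response team should review.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CloudSignIn:
    time: datetime        # when the cloud service accepted the token
    user: str
    token_id: str         # assertion identifier carried in the token (constructed field)
    valid_for: timedelta  # token NotOnOrAfter minus IssueInstant

@dataclass(frozen=True)
class AdfsIssuance:
    time: datetime
    user: str
    token_id: str

MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed AD FS policy for this example

def suspicious_signins(signins, issuances, skew=timedelta(minutes=5)):
    """Return (sign-in, reason) pairs; match by token id, then by user and time."""
    issued_ids = {i.token_id for i in issuances}
    issued_by_user = {}
    for i in issuances:
        issued_by_user.setdefault(i.user, []).append(i.time)
    findings = []
    for s in signins:
        if s.valid_for > MAX_TOKEN_LIFETIME:
            findings.append((s, "token lifetime exceeds AD FS policy"))
        elif s.token_id not in issued_ids and not any(
            abs(s.time - t) <= skew for t in issued_by_user.get(s.user, [])
        ):
            findings.append((s, "no matching AD FS issuance"))
    return findings

# Constructed sample records: one legitimate sign-in, one token AD FS never issued,
# and one with an abnormally long lifetime.
T0 = datetime(2020, 12, 14, 9, 0)
SAMPLE_ISSUANCES = [AdfsIssuance(T0, "alice@example.com", "_tok-1")]
SAMPLE_SIGNINS = [
    CloudSignIn(T0 + timedelta(seconds=30), "alice@example.com", "_tok-1", timedelta(hours=1)),
    CloudSignIn(T0 + timedelta(hours=3), "bob@example.com", "_tok-9", timedelta(hours=1)),
    CloudSignIn(T0 + timedelta(hours=4), "alice@example.com", "_tok-2", timedelta(days=365)),
]

def demo():
    return suspicious_signins(SAMPLE_SIGNINS, SAMPLE_ISSUANCES)
```

In practice the two record streams come from the cloud sign-in log and the AD FS farm's token issuance events; a legitimate sign-in always has an issuance record a few seconds before it.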

Second, when Solorigate hit, the cloud service users got the fastest response.

What works to your advantage as a cloud user?

The cloud service provider has a stake in the game. They need to clear the incident and fix it to keep their customers (best benefit ever). They also have the skills and resources to know what is happening, analyze it and provide detection and remediation.

Plus, detection and remediation are the same for every environment. All Office 365 or Azure users use the same service. If there is something on the service side to be verified or changed – it is the same solution for everyone. 

Think about it as the iPhone vs Android model. Instead of myriads of versions and devices (Android) to get updates to, iPhone users get the same update on all devices. Deployment and adoption are way higher for iPhone updates than for Android. 

  • Azure AD and Azure Sentinel users got the dashboard and detection rules available within days to check if they are affected based on known signals.
  • Microsoft 365 Defender got detection and protection rules deployed to all users quickly to let them know if they might be affected and stop it.
  • Defender for Identity got updated to cover AD FS and detect events that might be used by others who borrowed techniques from the Solorigate hackers. 

One thing is for sure – whoever did this has the skills and resources. They will do it again, and they will succeed, and it will be done in some new way, which will most likely go undetected. 

When it is detected, cloud service users will get detection and response capabilities first because of:

  • Cloud providers having skin in the game, skills, and resources to produce a solution, 
  • Reduced complexity and same services used across all customers,
  • The fastest way to deliver and deploy detection and response across services. 

In this game, my bet is on the cloud team! 

How to detect a cyber-security attack? A practical guide.

That’s all nice, but what can you do PRACTICALLY now to handle the situation? 

Now let’s put some meat on the bones as to what you can do to verify if you are affected, or to detect this attack in your network (or similar). 

Here’s a quick list that might be applicable for you if you are a Microsoft stack user:

  1. Deploy Azure AD workbook to assess Solorigate risk (free) (link to workbook) – it will tell you if you have some events to worry about. 
  2. If you use Microsoft 365 Defender, make sure you use it to detect potential signals and affected devices; here is a detailed guide – guide to Microsoft 365 Defender.
  3. If you haven’t done it so far, deploy Azure Sentinel. Connect your Office 365 and Azure AD logs (free of charge for processing) and then apply detection rules and a hunting notebook for Solorigate. Your technical resources are here:
  4. If you use Defender for Identity – apply the newest changes and agents to AD FS; here’s the information about it – Microsoft Defender for Identity.

 Please pass it on to your team. It is part of making use of what you already have.

 If you don’t know how to do it or need advice, you know whom to call. 

 And it is not Ghostbusters! 

 No, really. If you need help, just get in touch.

Key takeaways

  1. In December 2020, SolarWinds’ software was used by hackers to deploy malware. It hit a lot of big tech vendors, including Microsoft. We are yet to see the entire fallout of this event, but it will undoubtedly influence our future practices in the cyber-security area.
  2. Remember – you can’t prevent an attack without specialized knowledge and resources. Instead, you should prepare to react to such an event in the future – build your threat model and response plan. You have to be able to immediately recognize whether your company is under an attack and be ready to contain it.
  3. Cloud providers have the skills and resources to respond sooner than others. This is partly due to the reduced complexity of their services (one solution will work for all customers) and the fastest solution to deploy detection and remediation. 
