Necessary Steps to Recover From Systemic Identity Compromises
A “highly sophisticated” adversary breached the supply chain of SolarWinds, a company that develops IT infrastructure management software, in order to infiltrate government agencies and private companies. The attackers placed malicious code inside the company’s Orion Platform software builds, so the compromise reached SolarWinds customers through the software itself. This attack has been dubbed Solorigate.
Organizations that have experienced a systemic identity compromise need to begin recovery by re-establishing trustworthy communications; this enables effective triage and coordination of business operations recovery.
Response objectives in approximate order:
- Establish secure communications for personnel key to the investigation and response effort.
- Investigate the environment for persistence and the initial access point, while establishing continuous monitoring during the recovery effort. Review cloud environment logs for suspicious actions and attacker IOCs, review endpoint audit logs for changes originating from on-premises, and review administrative rights across your environments.
- Regain and retain administrative control of your environment and remediate or block possible persistence techniques and initial access exploits.
- Improve posture by enabling security features and capabilities following best practice recommendations.
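As an added illustration of the log and administrative-rights review in the objectives above (example code written for this page, not tooling from 2W Tech or Microsoft): the script below runs over a constructed, simplified audit log and flags IOC hits, privileged changes made by accounts outside an assumed responder-approved list, and credentials added to application identities, then replays role add/remove events to reconstruct who currently holds privileged roles. The log shape, IOC addresses, account names and role names are all assumptions.

```python
from collections import defaultdict

# Constructed sample entries in a simplified, Azure-AD-audit-like shape (illustrative, not real log output).
SAMPLE_LOG = [
    {"time": "2020-12-14T03:10Z", "activity": "Add member to role", "actor": "svc-backup@corp.example",
     "ip": "203.0.113.7", "target": "jdoe@corp.example", "role": "Global Administrator"},
    {"time": "2020-12-14T03:12Z", "activity": "Add service principal credentials", "actor": "svc-backup@corp.example",
     "ip": "203.0.113.7", "target": "mail-sync-app", "role": None},
    {"time": "2020-12-15T09:00Z", "activity": "Add member to role", "actor": "admin@corp.example",
     "ip": "198.51.100.2", "target": "ops1@corp.example", "role": "Helpdesk Administrator"},
    {"time": "2020-12-16T11:00Z", "activity": "Remove member from role", "actor": "admin@corp.example",
     "ip": "198.51.100.2", "target": "jdoe@corp.example", "role": "Global Administrator"},
    {"time": "2020-12-16T11:01Z", "activity": "Add member to role", "actor": "admin@corp.example",
     "ip": "198.51.100.2", "target": "ir-lead@corp.example", "role": "Global Administrator"},
]

# Constructed placeholder IOC list; a real review would use indicators from the incident's threat intelligence.
KNOWN_BAD_IPS = {"203.0.113.7"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Application Administrator"}
HIGH_RISK_ACTIVITIES = {"Add member to role", "Add service principal credentials"}
# Assumed: the accounts responders have approved to make privileged changes during recovery.
APPROVED_ACTORS = {"admin@corp.example"}

def flag_entries(entries, approved_actors=APPROVED_ACTORS, bad_ips=KNOWN_BAD_IPS):
    """Return (entry, reasons) pairs for activity that warrants triage: IOC hits,
    privileged changes by unapproved actors, and any credential added to an application identity."""
    flagged = []
    for e in entries:
        reasons = []
        if e["ip"] in bad_ips:
            reasons.append("source IP matches IOC list")
        if e["activity"] in HIGH_RISK_ACTIVITIES and e["actor"] not in approved_actors:
            reasons.append("privileged change by unapproved actor")
        if e["activity"] == "Add service principal credentials":
            reasons.append("new credential on application identity")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def current_role_holders(entries):
    """Replay role add/remove events in time order to reconstruct who holds each privileged role now."""
    holders = defaultdict(set)
    for e in sorted(entries, key=lambda x: x["time"]):
        if e["role"] not in PRIVILEGED_ROLES:
            continue
        if e["activity"] == "Add member to role":
            holders[e["role"]].add(e["target"])
        elif e["activity"] == "Remove member from role":
            holders[e["role"]].discard(e["target"])
    return {role: sorted(members) for role, members in holders.items() if members}

if __name__ == "__main__":
    for entry, reasons in flag_entries(SAMPLE_LOG):
        print(entry["time"], entry["activity"], entry["actor"], "->", entry["target"], "|", "; ".join(reasons))
    print("Current privileged role holders:", current_role_holders(SAMPLE_LOG))
```

Every flagged entry should be treated as a lead to investigate, not a verdict; the reconstructed role membership is the list to compare against the accounts the business actually authorizes.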
How your organization detects attacker behavior depends on which security tools you have available, or choose to deploy in response. 2W Tech is a Microsoft Gold Partner and can help those spinning up applications in Microsoft Azure that have been affected by Solorigate, or any systemic identity compromise. After a security event is a good time for organizations to reflect on their security strategy and priorities. Before a security event happens is an even better time to ensure you are ready and protected for anything that comes your way. Regardless of which camp you are in, give 2W Tech a call today and let us help you improve your security posture.