What Does the SolarWinds’ Sunburst Backdoor Mean for ICS?

December 17, 2020

First and foremost, to our customers: We do not use SolarWinds in our infrastructure, but we can help you find it and track your remediation efforts for the Sunburst backdoor, especially where it enters your ICS environment. We’ve posted a separate article on our support page along with the policies and rules for our platform.

I wanted to wait to write this blog post for a couple of reasons. First, I’m not going to have any greater insight into the technical workings of the Sunburst backdoor than the great analysts who are much closer to the problem. Second, I wanted to let our team look at how we can currently respond to this threat and how we can improve our own product going forward to support customers in these types of situations.

Fortunately, there was some great news overnight for the organizations working to address this: it looks like yet another DNS kill switch has been enabled by the teams at GoDaddy, Microsoft, and FireEye.

Now, let’s move on to the matter at hand. If you are reading this you are probably in the ICS security world, so what does this IT management tool attack have to do with ICS systems?

First, given SolarWinds’ popularity, it’s an everyone problem. You might even be running parts of it in your ICS environment and not know it. I’ve sat in on many large-scale ICS projects where it was my job to read the cybersecurity portion of the RFP. Solutions like SolarWinds’ Orion have some appeal when the customer basically hands over all IT management and cybersecurity responsibilities to the prime contractor for the ICS system. So, while your organization may have never knowingly purchased SolarWinds’ Orion platform, you might have acquired it indirectly through an integrator, and it’s probably being run with far less supervision than it would get on the IT side. This is the same problem we saw with the Windows DNS Server and the Wibu-Systems CodeMeter licensing server vulnerabilities earlier this year.

There’s also a third reason I took a couple of days to write this blog, because I’m starting to feel like a broken record, stuck in that one groove, just spinning at 45 RPM and saying over and over again, “It’s about the fundamentals!”

I’m not the only one either. Charlie Miller, a renowned zero-day researcher, wrote on Twitter: “The SolarWinds attack is interesting because you can’t really stop it from happening. However, you can detect (and stop) lateral movement and data exfiltration from your network. In that sense, this isn’t really anything new.” [emphasis added for drama]

Splunk’s blog post on the matter said much the same thing with Ryan Kovar saying, “While Sunburst Backdoor is a sophisticated attack vector, it is still just a trojan on a network with lateral movement. Many of your typical network defense techniques and incident response techniques can be utilized immediately. If you happen to know which hosts on your network are running SolarWinds Orion, start your hunting with those hosts as this is where the adversary gains a foothold.” [emphasis again added for this author’s own purposes.]

My own team of brilliant engineers, when asked what our response to this threat was, came back and said, “We have the same Snort signatures everyone is pulling, and those are available immediately. Since we can detect software down to the .dll version, we can give you a pretty accurate view of where the original threat would have been able to start. Run an asset configuration change report in Industrial Defender on the history of that asset, and you can even tell what time you became a potential victim on that machine to help you narrow down your investigation to a more reasonable search history.”
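To make the two-step hunt above concrete, here is an added example (my own illustration, not Industrial Defender product code) that walks a software inventory for hosts carrying an affected build of the Orion core DLL, then reads the configuration change history for each hit to find the moment that build appeared. The inventory, the change records and the host names are constructed for the example. The affected file versions listed are an assumption to be confirmed against the current SolarWinds advisory and published IOCs before you rely on them. The example also handles the case where a host was already on an affected build before its history begins, which is exactly what you would expect from a machine delivered pre-built by an integrator.

```python
"""Hunt for hosts running an affected SolarWinds Orion build and pinpoint
when each one picked it up, from an asset inventory plus a configuration
change history of the kind an asset-management platform keeps.

Added example, not Industrial Defender's code. Inventory and history are
constructed below. The affected DLL versions are an ASSUMPTION: confirm
them against the vendor advisory and published IOCs before use.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

CORE_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"

# ASSUMPTION: affected file versions of the core DLL. Illustrative only.
AFFECTED_VERSIONS = {
    "2019.4.5200.9083",
    "2020.2.100.12219",
    "2020.2.100.11831",
}

# Constructed inventory: host -> {software name: file version}.
# hmi-03 is the "integrator delivered it with Orion already on it" case.
INVENTORY: Dict[str, Dict[str, str]] = {
    "eng-ws-01": {CORE_DLL: "2020.2.100.12219", "WinCC": "7.5"},
    "hist-01":   {CORE_DLL: "2019.4.5200.8890"},            # older, unaffected build
    "hmi-03":    {CORE_DLL: "2019.4.5200.9083", "FactoryTalk View": "11.0"},
    "plc-gw-02": {"Kepware KEPServerEX": "6.9"},             # no Orion at all
}

# Constructed change history: (timestamp, host, software, old_ver, new_ver).
# Note eng-ws-01's first recorded change already starts from an affected
# build, so its true exposure start predates the history we hold.
CHANGE_HISTORY: List[Tuple[str, str, str, str, str]] = [
    ("2020-03-02T01:10:00", "hist-01",   CORE_DLL, "2019.4.5200.8850", "2019.4.5200.8890"),
    ("2020-03-28T22:41:00", "hmi-03",    CORE_DLL, "2019.4.5200.8890", "2019.4.5200.9083"),
    ("2020-06-19T04:02:00", "eng-ws-01", CORE_DLL, "2019.4.5200.9083", "2020.2.100.12219"),
    ("2020-06-30T04:05:00", "eng-ws-01", "WinCC",  "7.4",              "7.5"),
]

TS_FMT = "%Y-%m-%dT%H:%M:%S"


def affected_hosts(inventory: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return {host: dll_version} for every host whose core DLL is an affected build."""
    return {host: sw[CORE_DLL] for host, sw in inventory.items()
            if sw.get(CORE_DLL) in AFFECTED_VERSIONS}


def first_affected_change(host: str, history) -> Optional[str]:
    """Timestamp of the earliest change that moved `host` onto an affected build.

    Returns None when the history cannot answer: either no such change is
    recorded, or the oldest record already shows an affected build as the
    *previous* version, meaning the host was compromised before our history
    starts and the whole retained history is in scope for the investigation.
    """
    records = sorted((ts, old, new) for ts, h, sw, old, new in history
                     if h == host and sw == CORE_DLL)
    if records and records[0][1] in AFFECTED_VERSIONS:
        return None
    for ts, _old, new in records:
        if new in AFFECTED_VERSIONS:
            return ts
    return None


def exposure_days(host: str, history, as_of: str = "2020-12-17T00:00:00") -> Optional[int]:
    """Whole days between the first affected build and `as_of`, or None if unknown."""
    start = first_affected_change(host, history)
    if start is None:
        return None
    return (datetime.strptime(as_of, TS_FMT) - datetime.strptime(start, TS_FMT)).days


def hunt(inventory, history) -> List[dict]:
    """Combine both views into a worklist; hosts with unknown start go first,
    since they need the widest search window."""
    rows = []
    for host, version in affected_hosts(inventory).items():
        since = first_affected_change(host, history)
        rows.append({"host": host, "version": version, "since": since,
                     "days_exposed": exposure_days(host, history)})
    rows.sort(key=lambda r: (r["since"] is not None, r["since"] or ""))
    return rows


if __name__ == "__main__":
    for row in hunt(INVENTORY, CHANGE_HISTORY):
        print(row)
```

The important detail is the None result for eng-ws-01: its oldest record already has an affected build in the "old" column, so the timeline cannot be trimmed and the analyst must treat the full retained history as the search window rather than anchoring on the one change they happen to see.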

So, what is the conclusion for the ICS world on this latest of cybersecurity travesties?

  1. Know your assets
  2. Know what’s on your assets
  3. Know the accounts on your assets
  4. Know your assets’ vulnerabilities
  5. Know your assets’ conversations

  1. Establish SECURE baselines
  2. Manage reality vs. baseline
  3. Manage account usage
  4. Manage your boundaries
  5. Manage attack surface
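Items 5, 1, 2 and 4 above (know your assets’ conversations, establish a baseline, manage reality against it, manage your boundaries) are what lets you spot this particular trojan in its first phase, because Sunburst began by resolving a per-victim subdomain of avsvmcloud.com. Here is an added example (mine, not Industrial Defender code) that runs a few DNS log lines from ICS hosts against a per-zone baseline of permitted names. The baseline, the host names, the log line format and the generated-looking subdomain are all constructed; the point is that a Level 2 control host with an empty baseline should never resolve anything external, and that the C2 domain shows up as a departure from baseline even if you had no signature for it.

```python
"""Compare observed DNS conversations from ICS hosts against a per-zone
baseline and flag departures, including the Sunburst first-stage C2 domain.

Added example, not Industrial Defender's code. The baseline, host names,
log format and log lines are constructed. avsvmcloud.com is the domain the
Sunburst backdoor resolved for its first stage; the subdomain varied per
victim, so the check matches on the suffix.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set

SUNBURST_C2_SUFFIX = ".avsvmcloud.com"

# Constructed baseline. Level 2 (control) hosts get an empty set: they must
# not resolve external names at all, so any query is a boundary violation.
HOST_ZONE: Dict[str, str] = {"hmi-03": "level2", "eng-ws-01": "level3", "hist-01": "level3"}
BASELINE: Dict[str, Set[str]] = {
    "level2": set(),
    "level3": {"ntp.corp.example", "wsus.corp.example", "orion.corp.example"},
}

# Constructed log lines. ASSUMED format: <ts> host=<name> qname=<fqdn> rcode=<code>
LOG_LINES = """\
2020-12-15T03:12:44Z host=eng-ws-01 qname=wsus.corp.example rcode=NOERROR
2020-12-15T03:13:02Z host=eng-ws-01 qname=madeuplabel0123456789.appsync-api.us-east-2.avsvmcloud.com rcode=NOERROR
2020-12-15T03:13:09Z host=hmi-03 qname=ntp.corp.example rcode=NOERROR
2020-12-15T03:14:51Z host=hist-01 qname=orion.corp.example rcode=NOERROR
2020-12-15T03:15:10Z host=hist-01 qname=updates.vendor.example rcode=NXDOMAIN
2020-12-15T03:15:30Z host=unknown-box qname=wsus.corp.example rcode=NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+qname=(?P<qname>\S+)\s+rcode=(?P<rcode>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(host: str, qname: str) -> Optional[str]:
    """Return a finding reason for this (host, qname) pair, or None if it is in baseline.

    Order matters: the C2 suffix is checked first so it is reported as such
    even on a host whose zone would otherwise flag it generically. A query
    that failed (NXDOMAIN) is still a conversation attempt and still counts.
    """
    name = qname.rstrip(".").lower()
    if name.endswith(SUNBURST_C2_SUFFIX) or name == SUNBURST_C2_SUFFIX[1:]:
        return "sunburst_c2"
    zone = HOST_ZONE.get(host)
    if zone is None:
        return "unknown_host"          # an asset we have no inventory for
    allowed = BASELINE.get(zone, set())
    if not allowed:
        return "boundary_violation"    # zone permits no external resolution
    if name not in allowed:
        return "outside_baseline"
    return None


def check_log(text: str) -> List[dict]:
    """Run every parseable line through classify() and collect the findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["host"], rec["qname"])
        if reason:
            findings.append({"ts": rec["ts"], "host": rec["host"],
                             "qname": rec["qname"], "reason": reason})
    return findings


def findings_by_host(findings: List[dict]) -> Dict[str, int]:
    """Count findings per host so the noisiest asset rises to the top of the hunt."""
    return dict(Counter(f["host"] for f in findings))


if __name__ == "__main__":
    for f in check_log(LOG_LINES):
        print(f)
    print(findings_by_host(check_log(LOG_LINES)))
```

Two things to notice: the Level 2 HMI is flagged for a perfectly ordinary NTP lookup, because the baseline for that zone says it should not be talking to a name server at all, and the host that is not in the inventory is flagged before its traffic is judged, which is item 1 on the list doing its job.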

If this looks or sounds familiar, it’s because you can reference the other posts we’ve been putting out all year about security fundamentals.

At the end of the day, it all really comes down to doing your best, and the best is relentless execution on the same fundamentals we’ve been preaching for the last 20 years. It’s not new, but it’s hard. Today’s fancy new defense tools are no replacement for asset management controls. Threat intel won’t do you much good if you lack contextual asset data. Likewise, a tool that learns a baseline of “normal” from your environment will simply learn your bad habits, or cover only part of the picture, if the environment was already out of compliance when the tool was deployed. The most useful security tools are the ones that automate fundamental practices and build workflows around them to make it easier for analysts to focus on the real problems.

Industrial Defender has been helping our customers do this for the better part of a decade. If you’ve had enough fire drills every time your boss reads about a new problem on the front page, and you want to get serious about applying solid ICS cybersecurity protections, we recommend reading our implementation guide for the 20 CIS Controls. This guide offers helpful advice on how to apply ICS security fundamentals, with expert tips from practitioners who have experience using these controls in ICS.