Who Let the SolarWinds Out?

By Michael Hawkins
Posted in Security
On March 15, 2021

The SolarWinds hack provides an interesting insight into how the supply chain can be used as part of a multi-pronged attack. The ingenuity of the bad actors was on full display as they successfully infiltrated, compromised, and manipulated the SolarWinds software update service. With that manipulation in place, the bad actors had the perfect attack vector for bypassing traditional security controls. Inbound firewall rules provided no protection, since the SolarWinds servers reached outward to the update service. Endpoint protection software provided little to no protection, since the tampered software packages were not flagged as malicious. Network access controls (NAC) were also quite useless. Outbound URL filtering was of no use, since the SolarWinds software update site was entirely legitimate. Endpoint protection did not flag the activity of the SolarWinds service account as malicious either. Unfortunately, the malware could be delivered and executed without restraint. All this resulted in SolarWinds servers at numerous organizations being fully compromised within their environments.

However, up to that point, no actual harm was being done. The servers were simply “locked and loaded” with malware. There was still one last step required before the hackers could completely own the SolarWinds servers. The SolarWinds servers needed unrestricted outbound access to the Internet so that they could reach the command and control servers that were operated by the bad actors. Incredibly, many organizations allow servers unrestricted access to the Internet. So the malware was able to reach out to the Internet to contact the target command and control server. With the connection made, the SolarWinds servers were now completely and utterly under the control of the bad actors. Bad things now happened!

But what if the SolarWinds servers had been blocked from reaching the command and control servers? Quite simply, NO harm would have been done even though the servers were infected with malware. Do servers require open access to the Internet? No! Then why do so many organizations allow such access? Perhaps it doesn’t strike some firewall administrators as being too risky. But it is very risky indeed! A better policy would be to block servers’ access to the Internet by default and to allow only the access that is actually required. For a SolarWinds server, that required access would include the SolarWinds software update service and the Microsoft update service and very little else. A general solution for all servers would include access to endpoint protection update sites and Microsoft update sites only. No other access should be allowed for servers except that which is explicitly required. Such explicit access might be to specific sites that support an application unique to a particular server. And by the way, this basic principle should be applied to all types of endpoints for all outbound access to the Internet.

Network firewalls continue to perform a critical security task at the edge of almost every enterprise network. They continue to have a prominent role in access control and malware defense including acting as a backstop for other technology protections that may be limited or completely missing from an enterprise. But firewalls are only as effective as the security policies that are configured upon them. A security policy that allows servers unrestricted outbound access to the Internet is a risky and ineffective policy. Such policies should be fixed. But even then, how can you make sure that the policy stays in place at all times?

Manually monitoring firewall security policies is a time-consuming, arduous and error-prone task. Firewall security policy reviews are often performed only in response to a regulatory or compliance requirement. Performing the review manually opens the door to errors and doesn’t scale well with large numbers of firewalls or firewall policies with hundreds of rules. A far better way to monitor firewall policies is through automated products, and there are several to choose from, including products offered by FireMon and Skybox Security. Such products automatically assess the security posture of your firewall policies and provide comprehensive reports that can be used by infrastructure teams for remediation as well as by compliance and audit teams. One caution, though: those products have out-of-the-box templates that may miss the significance of outbound firewall rules. So it may be necessary to customize the templates to specifically look for loose outbound security rules.
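To make the two points above concrete, here is an added example (not code from the original post, and not the product of any vendor named in it). It models a simplified first-match firewall policy, compares the "servers may reach anything" policy with an allowlist policy of the kind described earlier, and then runs the sort of check a customized template would perform: flag any allow rule from the server network whose destination or port is "any". The server VLAN, the update-service ranges and the command and control address are constructed placeholders from the RFC 5737 documentation blocks, not real infrastructure.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR; "0.0.0.0/0" means any destination
    port: Optional[int]  # TCP port; None means any port
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit deny if no rule matches."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


# Constructed sample addresses (RFC 5737 / RFC 1918 ranges, hypothetical):
SERVER_NET = "10.10.0.0/24"          # the server VLAN
VENDOR_UPDATES = "203.0.113.0/24"    # stands in for the software update service
MICROSOFT_UPDATES = "198.51.100.0/24"  # stands in for the Microsoft update service
C2_ADDRESS = "192.0.2.7"             # stands in for a command and control server

# The risky policy: servers may reach any destination on any port.
WEAK_POLICY = [
    Rule("servers-out-any", SERVER_NET, "0.0.0.0/0", None, "allow"),
]

# The corrected policy: only the update services, only over HTTPS, then deny.
HARDENED_POLICY = [
    Rule("servers-to-vendor-updates", SERVER_NET, VENDOR_UPDATES, 443, "allow"),
    Rule("servers-to-microsoft-updates", SERVER_NET, MICROSOFT_UPDATES, 443, "allow"),
    Rule("default-deny-outbound", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def audit_loose_outbound(policy: List[Rule], server_nets: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for allow rules that let server subnets out too broadly.

    A rule is reported when its source overlaps a server subnet and it allows
    either any destination (a /0) or any port. Both thresholds are a policy
    choice; tighten them to match your own standard.
    """
    nets = [ip_network(n) for n in server_nets]
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if not any(ip_network(rule.src).overlaps(n) for n in nets):
            continue
        reasons = []
        if ip_network(rule.dst).prefixlen == 0:
            reasons.append("destination any")
        if rule.port is None:
            reasons.append("port any")
        if reasons:
            findings.append((rule.name, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    server = "10.10.0.5"
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}] server -> C2 {C2_ADDRESS}:443 ->",
              evaluate(policy, server, C2_ADDRESS, 443))
        print(f"[{label}] server -> vendor updates:443 ->",
              evaluate(policy, server, "203.0.113.10", 443))
        print(f"[{label}] loose outbound rules:", audit_loose_outbound(policy, [SERVER_NET]))
```

Under the weak policy the connection to the command and control address is allowed and the audit reports the single rule as loose on both counts; under the hardened policy the same connection is denied while the update destinations still work, and the audit is clean. A real rule base would also need to cover DNS and proxy traffic, which is exactly the kind of addition that should be made explicitly rather than by leaving an any/any rule in place.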

Throughout the SolarWinds debacle, the pundits and experts reporting on the matter have either downplayed or completely omitted the part played by outbound access to the Internet. Absent from the conversation has been the undeniable fact that loose access to the Internet allowed the SolarWinds servers to be completely owned by command and control servers. It is rather ironic that simply blocking outgoing access to the Internet was all that was needed to stop the servers from being owned by the bad actors.

Do you allow unrestricted outbound access for your servers? If you do, you should take steps to block it.

For more information regarding firewall policy checks and malware readiness programs, contact your Gotham Technology Group account manager.

Michael Hawkins

Michael is a creative and results-driven expert in the design, development, and delivery of cost-effective, high-performance technology solutions. An accomplished leader and project manager, Michael's experience includes building motivated and productive teams for large-scale networking and infrastructure engagements.