Craig Peterson: Well, it’s looking more and more like those Russian hackers are behind the massive SolarWinds cyber attacks. Hackers use it to compromise many U. S. Government agencies ‘ networks. Some of the most sensitive agencies you can think of, including the Department of Defense, the Department of Justice, and then there’s the most prominent companies globally, managed services providers, which brought the hack down all the way to small businesses.
[00:00:27] That’s what we’re going to talk about right now. What was the hack? How could you prevent this? Not just in your business, but in your home, I’m going to give you a couple of different little tips that are going to take you a long way. And kind of explain just what happened.
[00:00:43]One of Microsoft’s most closely guarded secrets was accessed from their internal systems as part of this hack. They lost their absolute crown jewel. Microsoft Security Response Center team said “We detected unusual activity within a small number of internal account. And upon review, we discovered one account use to view source code in several source code repositories.” Like scores of other cyber attack victims, Microsoft unknowingly downloaded, and installed this malicious backdoor, giving access to their networks to hackers. And obviously Microsoft was not monitoring the account usage like they should have been.
[00:01:29] Hackers hid the back door in one of SolarWinds products, a widespread network management tool called “Orion.” However Microsoft’s disclosure was the first admission that hackers had accessed internal company systems. Microsoft had known for days that source code had been breached and they didn’t want us to know.
[00:01:52]The company said that the compromised account could only view Microsoft source. As it did not have the necessary permissions to tamper with it. Like they had been able to tamper with SolarWinds product called Orion.
[00:02:10] But the real risks are coming to all of us, because if you have the source code, you know how to take over Windows computers, how to steal information from home and business computers. While hackers may not have changed the Microsoft source code repository, just sneaking a peek at the Microsoft secret will have disastrous consequences.
[00:02:34] The hacker scored a blueprint on how to hack current and future Microsoft products, an absolute disaster for all of us. That knowledge alone gives the hackers insight into Microsoft software and services, inner workings and allows them to get around many Microsoft security features. Hopefully Microsoft doesn’t have hard-coded passwords, hard-coded keys and other things inside their software that are semi-permanent and make it even more vulnerable in the future.
[00:03:15] So let’s talk about SolarWinds right now. Who are they? Well, they make what’s called network management software and they’ve sold it to government agencies and tens of thousands of businesses. Including pretty much every big business that you can think of. 499 of the fortune 500 companies are using SolarWinds.
[00:03:41] So this hack represents several massive failures of leadership and cyber security within these businesses. The sloppy practices, misplaced priorities, poor leadership up and down became evident. They even move their software development to Eastern Europe. We’re Russia can affect its software where Russia has influence on so many of these software developers, this is insane.
[00:04:11]Supply chain risk is not unique to SolarWinds. In a supply chain like this warehouse we’re looking at right now in a picture, you have people who are manufacturing things, shipping them to you, they go into your warehouse and then you use them, maybe you build buildings. Maybe you do other things with all of these items that come in from your suppliers.
[00:04:35] Well, in the computer world, we have suppliers as well, just like these network management tools. So any software or service provider that we use as businesses, or frankly at home, presents real risks to us. Think about what could happen when bad guys get into cloud systems, havoc and destruction can reign.
[00:05:00] They’ve already gotten into some of these cloud systems and they’re bound to get into more in the future. Makes me wonder if they also stole the source code for Microsoft’s cloud systems. You know, the ones, the reselling as “Microsoft Azure. “Well, that could be fun. Not.
[00:05:19] So the SolarWinds hack resulted from our collective approach to cybersecurity, which is in dire need of an upgrade.
[00:05:26] This team of highly sophisticated hackers, tucked away inside SolarWinds or Ryan product, a little piece of malware that quietly harvested data. Ultimately, including our Justice Department and Treasury’s internal correspondence and email. And Oh, by the way. 75% of the largest corporations in the country’s secrets were also stolen.
[00:05:56]Analysts at FireEye said that this malware retrieves and execute commands after an initial dormant period of up to two weeks. They transferred files. They manage profiles, which is a very big deal for bigger companies that are using things like Microsoft’s directory services. They also were able to perform system reboots and disable system services, including services that might be there to help prevent hackers and viruses.
[00:06:27] This malware masquerades is network traffic as the “Orion Improvement Program” protocol. Some improvement. It sounds like a lousy protocol. Thanks. SolarWinds. But this malware stores the reconnaissance results within these legitimate plugin configuration files.
[00:06:48] And that allows it to blend in with the legitimate SolarWinds activity. It’s a back door. It’s using multiple obfuscated blacklists. That means they’re kind of hidden. They’re block lists that they’re able to get into that are typically used to identify forensic and antivirus. So by having control over these obfuscated black list and blocked lists, they were able to circumvent most of this older style antivirus software — which I’ve been warning about for the last number of years. The antivirus software just doesn’t work. I agree with a McAfee and Symantec about that one.
[00:07:34] So the hackers kept their malware footprint very low. They preferred to steal the credentials to perform lateral movement throughout the network.
[00:07:45] They’re professionals. They were able to do this east-west movement. Once you’re inside a network, it typically takes about a week for them to have control over everything inside of a network, just statistically.
[00:08:01] They’re moving around, when they’re in, to other machines are looking at servers. The looking at these files shares that you have set up on Microsoft computers. They’re looking at the active directory server. What do they have access to? The same sort of thing that can happen with ransomware, but in this case, they’re stealing the data and they were not holding it for ransom.
[00:08:23] They weren’t saying, Hey, “pay us or we’re going to release this.” There’s been no extortion demands. This is really increasing the amount of harm hackers can do because they get into these systems, and we don’t know about it until sometime afterwards.
[00:08:41]The hacked companies via the SolarWinds back door, they did not use the most basic security controls available. They were not monitoring outbound connections, which is very, very important. Every last one of these infected organizations, government agencies, businesses, could have stopped the SolarWinds hack from proceeding any further by just stopping unneeded outbound connections.
[00:09:12]What’s happening here while it is phoning home? This malware wants instructions. What should I do? What do you want me to do with this data? And allows the hackers to get around and poke at all of these machines. Professional organizations should never allow Willy nilly, outbound connections.
[00:09:36] We have to control where people are going and how they’re getting there. I’m going to give you a couple of real quick and easy ways to make sure you can stop this at the most basic level.
[00:09:51] Of course, when we’re targeting to get into the next generation firewalls. And examining all of the traffic in and out, it gets more complicated.
[00:10:02] But some very simple things will get you that 95% solution.
[00:10:09] You know, security is a two-way street. Because we are all on networks and our networks are provided by somebody else. We have internet service providers. We have providers for data on our cell phones. So responsible operators of all of these networks and super networks need to make sure they are not part of the problem.
[00:10:35] There’s a way to shift the balance and outbound security is the key to helping make sure the bad guys can’t get in and move around. If enough networks are taking measures to keep themselves from propagating these threats to other people through the networks, the attacks will slow down.
[00:10:58] This is much of the problem that I talk about with VPNs as well. And so have a look at my VPN mini course on what to do with VPNs. Just stop it from spreading across your network because a virtual private network, typically, is just extending your business network and making you more vulnerable to attacks.
[00:11:22] When companies and site owners block, unneeded outbound connections, you’re able to dramatically improve your security and protect your clients and vendors. Remember too, you are responsible if you have vendors, if you have clients who you are communicating with, who you’re sharing files with, you have a responsibility to make sure your keeping them safe, as well as keeping yourself safe.
[00:11:52]Frankly, any efforts to really reduce the ability to send malicious packets over a network, reduces the attack’s maximum effectiveness. Next generation data-analyzing firewalls are an essential part of security. And going to talk more about these right now, but I have a mini course on firewalls. Next generation firewalls what to do and how to do it.
[00:12:20] Because most firewalls can filter both inbound and outbound data, but most of them are not doing deep stream inspection. They might be doing some packet inspection, but not deep stream inspection. So I’m going to. Do some training specifically on that as well, but you can shut down the inbound, which most places are doing.
[00:12:44] But not necessarily the outbound, depending on how you are set up. The outbound rules are meant to protect the network improvement outside harm from coming in and calling home. But they’re not examining, supposedly legitimate inbound traffic. That’s another problem, right?
[00:13:05] So the firewalls must check every file that’s transferred from a website and that includes just web pages, et cetera. They have to be inspected, not deep packet inspection. But actual content inspection. So that you can help make sure that you’re not pulling something in. Like you’re visiting a website and you have something as simple as a drive by download all the way through malicious data being brought in, which means it makes your network management a little more complicated.
[00:13:41]So even some of the older firewalls that are out there can prevent connections to command and control servers. I’m going to give you a really great way to do this in just a couple of minutes. And I have a mini course on some of this stuff. I’ll, I’ll tell you about too but stopping malware from calling home is going to stop it from taking commands to run programs that may have already been installed that may be downloaded from the internet because you’re not monitoring what’s coming into your network through supposedly legitimate channels.
[00:14:16]So here’s what you do to start with individual computers should have their outbound firewalls configured to discourage the spread of malware within a network. Now neither Windows nor MacOS, does this by default.
[00:14:32] A simple security boost comes from blocking unused or unneeded ports. And I have more advanced training on that if you need it as well.
[00:14:42] This is going to stop infected desktop machines or servers from launching attacks on the rest of the network. That’s one of the worst things that happens with ransomware. You’ve heard it. You may have seen it yourself, but it infects a machine and then it starts just spread to the other machines on the network.
[00:15:02] Now that can all be stopped.
[00:15:07] That’s called a zero trust network. Okay. And so the idea here is that no machine can talk to every other machine except maybe for the firewall. And in fact, you end up with multiple firewalls. So you are watching what is going on on your network. Really? Does sales need access to the accounting payroll data?
[00:15:32] Uh, no.
[00:15:34] So why are they on the same network? Why are we not putting an effective block in place? I have courses where we talk about zero trust and I think every business needs to pay attention to this. And even in home networks, I think this is the future, frankly.
[00:15:54]Watch any outbound DNS connections because the DNS ports have been used and hijacked by the bad guys lately. They’re using what looks to be the DNS protocol to allow them to go out and talk to these servers. It’s a real problem, frankly. So by removing the root server lists from individual machines, that’ll stop them from getting out.
[00:16:21] And then you can block DNS at your firewall, whether it’s zero trust network or regular network. Then you’re going to want to configure your DHCP to use that trusted DNS machine.
[00:16:35] Now there’s another way to do this on simpler networks , and it is called Umbrella . That’s what we use with our customers. And what happens here is it helps to prevent the malware from phoning home. So you can see in this picture, you have business’s, laptops, homes, et cetera, trying to call out and just being completely unable to.
[00:17:00] Because it’s legitimately blocked . Because when it says, how do I get to. TD bank. And it’ll give you the address, right? That’s how normally works. And in the internet world is the same way. It’ll give you an internet address. If Umbella blocks that request because it knows it’s a bad guy or suspects a might be a bad guy, it can’t get the address for TD bank. It’s absolutely fantastic. So this really will help you a lot. And if you don’t have a single machine running your DNS, set up all of your machines to use open DNS or Umbrella.
[00:17:40] Another thing you can do that’s going to be huge for you is to use proxies. To get to the web, et cetera. And these stop individual devices from going directly out to the internet, they allow the use of robust anti-malware and antivirus software. It’s a wonderful way to go.
[00:18:00]One of the things we have to do is figure out what’s valuable, and where is it located? Is it on this machine? Is it on a server? Is it in a file? Share? Because companies of all sizes, as well as individual home users, have to understand which data they have is valuable where it lives so that it can be properly protected.
[00:18:24] We’ve got to ensure that proper access controls are in place. Vital auditing tools are in place and anomaly detection has put in place. Security teams need to know where their data is at all times across all environments, how they would use it and who has access to it to apply the appropriate controls.
[00:18:46] And at home, the other thing we have to do is make sure that we don’t have our data just sitting Willy nilly on a machine in our network that is not fully protected. And now I’ll do a course on this. I think it’s well worth it now. On putting in a machine, maybe a virtual machine, that is secure. Show you how to do it all. Let me know, just email me@craigpeterson.com. If you think that might be worthwhile to you.
[00:19:16] Now you also, if you’re a business you need to be examining your logs for the SMB sessions. These are the file sharing protocols. That are inside your network. People say: Uh, mount the “N” drive cause that’s where we have all of this stuff for the “Z” drive or, the “J” drive. You’ve probably heard it that way before.
[00:19:39] But hackers are using SMB sessions you’ve already set up to access the servers and directories. They follow what’s called a delete, create, execute, delete, and create pattern. And they do it over short periods. If you see that, you probably have intruders in your system. So keep an eye on those logs, probably on an active directory server.
[00:20:04] You want to monitor existing scheduled tasks for quick updates. Use frequency analysis to identify anomalous modification. Watch for a legitimate Windows tasks executing new unknown binaries. Detecting this type of attack means using what are called persistent defense mechanisms. People have to pay attention to this in the business world.
[00:20:31] Now a company may have the best security controls that are available in the world. Still. It doesn’t mean that their vendors are doing what they need to do.
[00:20:42] Again, the supply chain. What software do you have? What services are you using? Do they have adequate security? And that’s been evidenced by this SolarWinds hack.
[00:20:55] So make sure you’ve got proper oversight over, not just your first tier vendors, but also vendors’ vendors. So-called Nth parties. If you’d like, I have some information on this. There are contracts available out there and you might want to check with your attorney if you don’t want to get a basic one from me.
[00:21:16] That you put in place with your vendors to make sure that they have some liability, some skin in the game in case they get hacked. And to uncover vulnerabilities in the cyber threats. Embedded in the deepest layers of third party vendor supply chains can be almost impossible, but at least you need to know what your liabilities are. And you’ll find that out pretty quickly when you ask your vendors to sign these agreements.
[00:21:45]And to mitigate attacks, companies need to harness the power of artificial intelligence. These AI companies are leveraging tools that offer what’s called “Forward-looking Operational Resilience.”
[00:22:01] So when you’re mapping out the larger extended third party supply chain. Down to the Nth parties in real-time, continuously monitoring those suppliers. We’re talking about absolute massive scale. Even monitoring this stuff for a smaller business. And it cannot be done by a human-scale process. AI is going to hold a lot of hope out there for every last one of us.
[00:22:29] Software supply chain attacks are frankly, some of the most challenging threats to prevent, because they take advantage of the trust that you have with your vendors, with your customers.
[00:22:44] The trust that your machines have talking to each other and software update mechanisms. That are really trusted by users. And what are you supposed to do? Or are you going to audit that patch that came from Microsoft? Right? That’s why so many people. Wait a little bit. When Microsoft comes with an update, let’s make sure that this isn’t a real problem here for us.
[00:23:08]Companies also should start thinking about the zero trust architecture. These networking principles where everything, every connection goes through a firewall then is examined. Every role, on access, is examined and examined thoroughly. And we’re looking at our servers were looking at our internal users and external users, making sure they have minimum access to get their jobs done.
[00:23:42]When you’re deploying any new software or technology into the network, we’ve got to ask ourselves what would or could happen if that product gets compromised because of a malicious update, what could it access? What are the potential extortion or ransom risks and try and put controls in place to help minimize the impact as much as possible.
[00:24:07] You know, I can’t believe that this would happen, frankly it makes my head explode here. It’s unbelievable to think that any of these major companies, it’s unbelievable to think that these massive federal agencies would allow this to happen. It’s so easy to stop. And frankly, I saw this coming with SolarWinds. About two years ago. We worked with them. We tried to stop what SolarWinds was doing. We let them know about some of these security problems.
[00:24:41] And we asked them to fix what we considered very apparent issues and problems and they didn’t fix any of them. So we d SolarWinds as a vendor about two years ago, which is about when everybody else should have as well. The things they were doing are completely unbelievable. They really didn’t care about security. I’m going to say that just based on, on what I’ve seen. So mainstream which is my company. We said, forget about it. Uh, we’re just going to have to “roll our own” as it were.
[00:25:15] I can’t believe that professional organizations in the federal government and regular companies didn’t figure this out either. We’ve got to be more careful.
[00:25:24] SolarWinds got caught up with cutting costs and ignoring security issues. But so were many of its customers. We went through some of the basic stuff that can be done, use Umbrella or open DNS I’ll home user can use that and it’s going to be a huge win for them.
[00:25:45] Use the next generation firewalls and make sure you’re filtering everything coming in and going out and blocking outbound connections that aren’t absolutely necessary. And if you can move to a zero-trust network, that’s what we build for companies. It’s the only way to have a modicum of real security.
[00:26:09] This is just unbelievable, frankly. And I needed to pull out the duct tape. To stop my head from exploding because it’s just so, so bad.
[00:26:19] This is what’s been deemed denied gree, a cyber Pearl Harbor. It’s a wake up call and frankly, this may be a declaration of war by Putin and our friends over in Russia. Because it looks like the Russians now have secrets from pretty much every Federal agency and the Fortune 500 companies. That is a very, very big deal. And it looks like they were in our networks since 2019. So even longer than we initially thought.
[00:26:59] This supply chain hacks, going to have consequences. For years. Literally years and it’s going to affect home users and business users as well. And that’s why I’m putting together a bunch of training. I’ve got a great special report on this that you are going to love, and it goes through everything I just covered here.
[00:27:23] Drop me a quick email with SolarWinds in the Subject line. Just email me. At Craig peterson.com me@craigpeterson.com. I’ll be glad to get it off to you. Just put SolarWinds in the subject line. I love what we did with this. I love what Karen did in organizing all of this information. And it’s mandatory for businesses, including small, Soho small office, home office businesses. Frankly, as well as individuals, this is something you need to understand.
[00:27:55] So, thanks for joining me today. And keep an eye out. I’m going to be doing a lot more of these special reports and mini courses as the year moves on because we’ve got to protect ourselves.
[00:28:07] Take care everybody. And thanks again.