Introducing Our SolarGate MITRE Threat Profile

by Kath Kennelly


SolarWinds may be the largest supply chain breach, but it’s not the first major supply chain attack leading to devastating financial and reputational costs. The software development and build process used by SolarWinds is common throughout the software industry. According to Sonatype’s 2020 State of the Software Supply Chain report, 90% of all applications contain open-source code - and only 11% have known vulnerabilities. 

Per the Palo Alto Networks advisory, there are three initial phases identified in the SolarStorm intrusion:

  1. A SolarWinds Orion server updates its software and downloads the malicious update containing the SUNBURST backdoor.  
  2. SUNBURST then sends DNS requests to check in with the attacker, which contain information identifying the organization. The attacker chooses to designate some organizations as being of interest for further intrusion.  
  3. For SUNBURST to gain further access into the network, additional steps are needed, starting with downloading and executing an additional malicious payload. 
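As an added example (not code from the post, from CyberGRX or from the Palo Alto Networks advisory), the Python below sketches defender-side detection logic for phase 2: it scans DNS query log entries for hosts that emit several long, high-entropy leftmost labels under one registered domain, the pattern a check-in carrying encoded identifying data leaves in resolver logs. The host names, the placeholder domain telemetry.example, the log lines and the thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client host, queried name) pairs, as a resolver log
# would record them. telemetry.example is a placeholder, not a real C2 domain.
SAMPLE_DNS_LOG = [
    ("orion-srv01", "www.microsoft.com"),
    ("orion-srv01", "7h1pq0gk3ma2v4nf9zb8.telemetry.example"),
    ("orion-srv01", "q9xk2lm7rt3v8wpd5bnj.telemetry.example"),
    ("orion-srv01", "zm4t7rg2kp9vl0xq3wbc.telemetry.example"),
    ("orion-srv01", "dn8kv2pz5qx1wr7tmc4y.telemetry.example"),
    ("workstation-17", "www.microsoft.com"),
    ("workstation-17", "mail.example.org"),
    ("workstation-17", "cdn.telemetry.example"),
]


def shannon_entropy(label: str) -> float:
    """Bits per character; encoded or random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str, labels: int = 2) -> str:
    """Crude registrable-domain cut (last two labels); a real tool uses the PSL."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])


def leftmost_label(qname: str) -> str:
    return qname.lower().rstrip(".").split(".")[0]


def find_encoded_checkins(log, min_len=16, min_entropy=3.5, min_distinct=3):
    """Group suspicious labels per (host, registered domain) and report groups
    where one host produced several distinct long, high-entropy labels,
    which is how data smuggled in subdomains shows up in DNS logs."""
    groups = defaultdict(set)
    for host, qname in log:
        label = leftmost_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            groups[(host, registered_domain(qname))].add(label)
    return {key: sorted(labels) for key, labels in groups.items()
            if len(labels) >= min_distinct}


if __name__ == "__main__":
    for (host, domain), labels in find_encoded_checkins(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(labels)} encoded-looking queries under {domain}")
```

Thresholds must be tuned per environment (CDNs and some security products also use long random labels), so treat hits as leads for the alerting pipeline rather than verdicts.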

CyberGRX Threat Profile 

Security is a multi-step process requiring controls for timeliness, strength, and coverage across the enterprise and its third parties.

In response to this breach, we launched the SolarGate MITRE® Threat Profile via our Framework Mapper feature. This capability provides customers an in-platform tool that visualizes associated attack methods and prioritizes critical controls for remediation, mapped to the techniques and tactics identified by the MITRE ATT&CK framework. The focus is to identify preventative controls addressed in the MITRE techniques. By applying the tactics, techniques, and procedures (TTPs) used by the threat actors of the SolarWinds breach, CyberGRX’s Threat Profile can help identify major security gaps amongst third parties. Customers can now quickly identify potentially impacted third parties as new, sophisticated threats emerge, as well as assess their security posture based on CyberGRX’s system-scoped assessment controls. (Register for the feature demo here)

Initial access was targeted in various ways by the attackers and remains a key tactic to initiate a breach. Below are some key control areas that must be assessed and validated across the portfolio.

MITRE Tactic / Associated CyberGRX Controls

Initial Access

  • 2.2.2.1 Vulnerability Scans 
  • 2.2.3.3 Patch Management 
  • 3.3.3.1 Access Management Program 
  • 3.3.3.2 Access Reviews 
  • 3.4.2.2 Application and Services Security Testing 
  • 3.6.1.5 Desktop and Laptop Malware Detection 

Credential Access 

  • 3.3.1.2 Least Privilege 
  • 3.3.2.4 Password Requirements  
  • 3.3.2.5 Password Change Requirements 
  • 3.3.2.8 Privileged Account Protection  
  • 3.3.2.6 Credential Scanning 
  • 3.3.2.9 Email Authentication 
  • 3.6.1.2 Desktop and Laptop Application Control 
  • 3.6.2.2 Server Application Control 
  • 3.6.3.7 Virtualized Endpoint Host Intrusion Detection (HIDS) and Prevention Systems (HIPS) 

Command and Control 

  • 3.7.1.2 Network Routing Services Logging 
  • 3.7.1.3 Domain Name Service (DNS) Protection 
  • 3.7.2.2 Network Firewalls 
  • 3.7.2.3 Network Intrusion Prevention  
  • 3.7.2.4 Network Intrusion Detection 

Privilege Escalation 

  • 3.3.2.8 Privileged Account Protection 
  • 2.3.1.1 Collect - Data Ingestion and Management 
  • 2.3.2.1 Assess - Security Alerting and Analytics 
  • 3.2.1.4 End User Behavior Activity Monitoring 
  • 3.6.2.5 Server Malware Detection 
  • 3.6.2.8 Server Malware Response Capabilities 

Conclusion 

While security will always be compromised by human error, there are preventative measures that can be implemented to limit risk. CyberGRX’s SolarGate MITRE® Threat Profile categorizes gaps based on business structure and industry, which enables customers and vendors across multiple industries to gain visibility and to prevent or halt threats.

Given the state of the ongoing SolarWinds breach, now more than ever, tools that evolve as rapidly as supply chain compromise techniques are needed. With CyberGRX’s MITRE® Threat Profile, customers now have a tool that breaks down threats and provides sophisticated mitigation controls.

Register for the demo here!