Lessons from Solarwinds

25 August 2021

Keith Glancey, systems engineering manager, western Europe at Infoblox

The Solarwinds attack took the cybersecurity world by storm last year, making all organisations question the security of their networks. Keith Glancey, systems engineering manager, western Europe at Infoblox offers his tips

Commercial enterprises and government agencies alike have been facing off against a highly sophisticated attack on the software supply chain. IT company SolarWinds announced in December last year that monitoring products it released between March and June 2020 may have been compromised through a “highly-sophisticated, targeted and manual supply chain attack by a nation-state”. FireEye and Cisco are just two of the high-profile companies believed to have been affected by the SolarWinds hack.

Government cybersecurity agencies have also warned that the attackers behind the SolarWinds hack are believed to have used weaknesses in other, non-SolarWinds products to attack high-value targets, with Russian state-sponsored hackers emerging as the likely perpetrators.

What’s clear is that many of the world’s biggest technology vendors were caught off guard by the SolarWinds attack. Just like the WannaCry and NotPetya attacks back in 2017, this incident shines a light on how far we still have to go in securing enterprise infrastructure and data from evolving threats. What we know is that the attackers compromised the build of SolarWinds’ Orion platform, so that malware reached customers inside legitimate, vendor-signed software updates that their own controls had every reason to trust.

So, how can organisations firm up their network security to avoid falling victim to the next attack?

1. Build foundational security
This attack shows that relying on one or two security technologies alone is unlikely to protect against a sophisticated adversary, especially one that arrives through a trusted vendor’s update channel. In addition to following security best practices such as password rotation, account audits and staying on top of emergency advisories, vendors and their customers alike need defence in depth, with several independent layers for detection and threat containment, so that a layer the attacker has already bypassed is not the only one watching.

Using a DNS security solution as one layer of a multi-solution architecture, so that threats are examined on every channel including core network services like DNS, will go a long way towards improving an organisation’s overall security posture. Almost every stage of an intrusion resolves a name at some point, so when an attack like this happens, monitoring across the organisation’s DNS can detect anomalous behaviour such as malicious command-and-control communications, advanced persistent threat activity, domain generation algorithm (DGA) activity, botnet communications, DNS tunnelling and data exfiltration. Such a solution can also integrate with Security Orchestration, Automation and Response (SOAR) platforms, ITSM systems, vulnerability scanners and other security ecosystem tools to trigger remediation actions automatically when malicious activity is detected. One caveat: this visibility only covers queries that pass through the organisation’s own resolvers, so clients that use hard-coded IP addresses or send encrypted DNS to external resolvers need to be blocked or redirected, or they fall outside that view.

2. Create resilience with threat intelligence
It’s near impossible to protect your organisation from cybersecurity threats unless you know what you’re up against. Threat intelligence provides timely, reliable and actionable insight, such as the domains, IP addresses and file hashes associated with a campaign, that allows enterprises to secure their networks against evolving cyber threats while enforcing a unified security policy across the entire security infrastructure.

Not only does it provide actionable insight into current threats, it also strengthens an organisation’s defence over time. Highly contextualised and automated threat intelligence pools insight from trusted sources so that organisations harden against specific attack methods as they are observed, making them more resilient to malware and data exfiltration.

3. Uncover the value of DDI (DNS, DHCP, IPAM) data
Analysing historical DNS logs is an effective way to see network activity over a longer period of time and find out which resources a client has been accessing, including before an indicator of compromise was published. DHCP fingerprint and IPAM metadata provide contextual information on affected devices such as device type, OS information, network location and current and historical IP address allocations. The historical allocations matter: a DNS log only records a client IP address, and by the time an investigation starts that address may have been leased to a different device, so each suspicious query has to be matched to the lease that was active when it was made. All this data helps with event correlation and understanding the scope of a breach.
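The following is an added example, not Infoblox’s or SolarWinds’ code and not part of the original article. It illustrates both the DNS-layer detections described under point 1 (DGA-like lookups and DNS tunnelling) and the DDI correlation described under point 3, using constructed DNS query log lines and DHCP lease records; every hostname, domain, address and threshold in it is an assumption chosen for the demonstration. The detection rules are deliberately simple heuristics, not a substitute for a commercial product’s classifiers.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample DNS query log (not real data): timestamp, client IP, name, type.
# 10.20.30.41 browses normally; 10.20.30.77 resolves DGA-like names;
# 10.20.30.55 sends long encoded labels under one base domain (tunnelling pattern).
DNS_LOG = """\
2020-06-15T09:01:02Z 10.20.30.41 www.example.com A
2020-06-15T09:01:03Z 10.20.30.41 mail.example.com A
2020-06-15T09:02:10Z 10.20.30.41 cdn.example.net A
2020-06-15T09:05:00Z 10.20.30.77 qzx8kvt3nrp.example A
2020-06-15T09:05:01Z 10.20.30.77 wg5hmxcjd9.example A
2020-06-15T09:05:02Z 10.20.30.77 tpv2lkrzq7b.example A
2020-06-15T09:05:03Z 10.20.30.77 nx4cfgw8ktm.example A
2020-06-15T09:05:04Z 10.20.30.77 www.example.com A
2020-06-15T10:15:00Z 10.20.30.55 6a7d3c9f0b1e2d4a5c6f7e8d9a0b1c2d.3e4f5a6b7c8d.telemetry-upload.example TXT
2020-06-15T10:15:01Z 10.20.30.55 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.1a2b3c4d5e6f.telemetry-upload.example TXT
2020-06-15T10:15:02Z 10.20.30.55 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.aabbccddeeff.telemetry-upload.example TXT
2020-06-15T10:15:03Z 10.20.30.55 deadbeefcafef00d0123456789abcdef.001122334455.telemetry-upload.example TXT
"""

# Constructed DHCP lease history with IPAM metadata (hypothetical hosts). Note that
# 10.20.30.77 changes hands at noon: the device that made the 09:05 queries is not
# the device holding that address later in the day.
DHCP_LEASES = [
    {"ip": "10.20.30.41", "mac": "00:11:22:aa:bb:01", "host": "WS-FIN-014", "fingerprint": "Windows 10",
     "location": "London-3F", "start": "2020-06-15T07:30:00Z", "end": "2020-06-16T07:30:00Z"},
    {"ip": "10.20.30.77", "mac": "00:11:22:aa:bb:77", "host": "BUILD-SRV-02", "fingerprint": "Windows Server 2016",
     "location": "DC-Rack12", "start": "2020-06-14T12:00:00Z", "end": "2020-06-15T12:00:00Z"},
    {"ip": "10.20.30.77", "mac": "00:11:22:aa:bb:99", "host": "LAPTOP-HR-07", "fingerprint": "macOS",
     "location": "London-2F", "start": "2020-06-15T12:00:00Z", "end": "2020-06-16T12:00:00Z"},
    {"ip": "10.20.30.55", "mac": "00:11:22:aa:bb:55", "host": "NETMON-SRV-01", "fingerprint": "Windows Server 2019",
     "location": "DC-Rack07", "start": "2020-06-10T00:00:00Z", "end": "2020-06-20T00:00:00Z"},
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_dns_log(text):
    """Parse the whitespace-separated log format used above; skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            records.append({"ts": parse_ts(ts), "client": client,
                            "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def base_domain(qname):
    # Simplification: the last two labels are treated as the registrable domain.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_generated(label):
    """DGA heuristic: a long, high-entropy label with almost no vowels."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.25


def detect_dga_clients(records, min_domains=3):
    """Clients that resolved at least min_domains distinct generated-looking domains."""
    seen, first = defaultdict(set), {}
    for r in records:
        base = base_domain(r["qname"])
        if looks_generated(base.split(".")[0]):
            seen[r["client"]].add(base)
            first.setdefault(r["client"], r["ts"])
    return {c: {"domains": sorted(d), "first_seen": first[c]}
            for c, d in seen.items() if len(d) >= min_domains}


def detect_tunnelling(records, min_names=3, min_payload=40):
    """(client, base domain) pairs with many distinct names carrying long subdomain payloads."""
    names, first = defaultdict(set), {}
    for r in records:
        base = base_domain(r["qname"])
        payload = len(r["qname"]) - len(base) - 1  # bytes of subdomain "payload"
        if payload >= min_payload:
            key = (r["client"], base)
            names[key].add(r["qname"])
            first.setdefault(key, r["ts"])
    return {k: {"names": len(v), "first_seen": first[k]}
            for k, v in names.items() if len(v) >= min_names}


def lease_at(leases, ip, ts):
    """The DHCP lease that held ip at time ts, i.e. the device that actually sent the query."""
    for lease in leases:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= ts < parse_ts(lease["end"]):
            return lease
    return None


def scope_incident(records, leases):
    """Attribute each DNS-layer finding to a device via the lease active at first sighting."""
    findings = [("dga", c, f["first_seen"], f["domains"]) for c, f in detect_dga_clients(records).items()]
    findings += [("tunnelling", c, f["first_seen"], [b]) for (c, b), f in detect_tunnelling(records).items()]
    out = []
    for kind, client, ts, indicators in findings:
        lease = lease_at(leases, client, ts) or {}
        out.append({"kind": kind, "client": client, "first_seen": ts.isoformat(), "indicators": indicators,
                    "host": lease.get("host", "unknown"), "mac": lease.get("mac", "unknown"),
                    "os": lease.get("fingerprint", "unknown"), "location": lease.get("location", "unknown")})
    return sorted(out, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in scope_incident(parse_dns_log(DNS_LOG), DHCP_LEASES):
        print(finding)
```

Run as a script, it reports two findings: the DGA-like burst at 09:05 attributed to BUILD-SRV-02 (not LAPTOP-HR-07, which holds the same address from noon) and the tunnelling pattern under telemetry-upload.example attributed to NETMON-SRV-01. Looking up 10.20.30.77 at the time the investigation starts rather than at the time of the query would name the wrong device, which is exactly why the historical lease data matters.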

The SolarWinds attack has taught us that no one is immune to the increasingly sophisticated attacks we’ll continue to see in 2021 and beyond. There is no question that attackers will continue to exploit network vulnerabilities and trusted software channels, so it’s up to organisations to stay one step ahead by not overlooking the importance of DNS security in protecting their own, and their customers’, entire IT infrastructure.