The Cybersecurity and Infrastructure Security Agency (CISA) has issued Eviction Guidance as part of its ongoing response to the cyber intrusion campaign affecting SolarWinds Orion and Microsoft Office 365 environments. The guidance is meant to reduce the likelihood that the threat actor retains a foothold in victim networks, and to help organizations evict the adversary from compromised on-premises and cloud environments and rebuild them as more secure and resilient networks.
“Responding to and recovering from the SolarWinds and Active Directory/M365 campaign continues to be a whole-of-government effort, and our work continues. We will continue to provide guidance, develop tools, and offer assistance to support organizations in managing complex cybersecurity risks,” CISA said in its advisory last Friday. “We will continue to work with individual agencies as they secure and modernize their networks, including by implementing President Biden’s Executive Order on Improving the Nation’s Cybersecurity. And we will expand our capabilities to detect, protect against, and respond to future intrusions.”
Since December 2020, many public and private sector organizations have taken urgent steps to understand their exposure, undertake incident response activities, and implement mitigations. Recognizing the highly sophisticated and persistent nature of this adversary, attributed by the U.S. government to the Russian Foreign Intelligence Service (SVR), the guidance is intended to provide an additional level of due diligence to secure impacted networks.
An advanced persistent threat (APT) actor added malicious code to multiple versions of SolarWinds Orion and, in some instances, leveraged it for initial access to enterprise networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations. Once inside the network, the threat actor bypassed multi-factor authentication (MFA) and moved laterally to Microsoft Cloud systems by compromising federated identity solutions.
Remediation plans for malicious compromises are necessarily unique to every organization, and success requires careful consideration, CISA said. The agency laid out three phases for removing the actor from networks containing hosts that share either a logical trust relationship or any account credentials with affected versions of SolarWinds Orion. Agencies should not assume they are uncompromised solely because they never ran an affected version of SolarWinds Orion, it warned.
In the pre-eviction phase, affected organizations carry out the actions needed to detect and identify APT activity and to prepare the network for eviction, the advisory said. This starts with identifying trust boundaries, including those between Active Directory (AD) forests and domains, and inventorying enterprise assets.
Affected organizations must look for artifacts of the known Tactics, Techniques, and Procedures (TTPs) associated with the SolarWinds and Active Directory/M365 compromise, according to CISA. After identifying which of those TTPs the organization already has controls to detect, stop, or mitigate, it can make risk-based decisions about visibility and protection for the remaining attack paths, mapped using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.
Organizations must also audit all network device configurations stored or managed on the SolarWinds monitoring server for signs of unauthorized or malicious configuration changes. They should likewise audit each device's current running configuration and any local configuration that could be loaded at boot time. They should also assess the current level of endpoint telemetry collection and configure endpoint forensics and detection tooling for aggressive collection, prioritized by the value of the asset and the account.
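The configuration audit described above, as an added example that is not part of CISA's guidance or of any SolarWinds component: it takes the last known-good configuration archived by the monitoring server and the running configuration pulled from the device, normalises both, computes the lines added and removed (tagging each sub-command with its parent command), and flags changes in security-sensitive stanzas so a reviewer looks at those first. The two sample configurations are constructed IOS-style text, and the list of sensitive patterns is an illustrative assumption to be extended for the platforms in your fleet.

```python
"""Audit an archived network device configuration against the running one."""
import re

# Top-level commands whose addition, removal or change warrants immediate
# review (assumed starter list, case-insensitive).
SENSITIVE_RE = re.compile("|".join([
    r"^username\s",                 # local accounts
    r"^enable (secret|password)",
    r"^aaa\s",                      # authentication / authorization sources
    r"^(tacacs|radius)",
    r"^snmp-server\s",              # community strings, trap destinations
    r"^ip route\s",                 # static routes can redirect traffic
    r"^(ip )?access-list",
    r"^logging\s",                  # silencing or redirecting logs
    r"^ntp\s",                      # clock tampering confuses timelines
    r"^interface tunnel",           # pivot / exfiltration tunnels
    r"^crypto\s",
    r"^line (vty|con)",
    r"^ip http",
]), re.IGNORECASE)

# Lines that legitimately differ between an archived copy and a live pull.
VOLATILE_RE = re.compile(r"^(!|Building configuration|Current configuration)")

def normalize(config_text):
    """Drop blank lines, '!' comments and banner noise; keep indentation."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and not VOLATILE_RE.match(ln.strip())]

def with_context(lines):
    """Pair each line with its enclosing top-level command. IOS indents
    sub-commands by one space, so a change under 'interface Tunnel0'
    is reported with that parent rather than as a bare 'ip address'."""
    out, parent = [], ""
    for line in lines:
        if line.startswith(" "):
            out.append((parent, line.strip()))
        else:
            parent = line
            out.append(("", line))
    return out

def is_sensitive(entry):
    parent, line = entry
    return bool(SENSITIVE_RE.match(line) or (parent and SENSITIVE_RE.match(parent)))

def fmt(entry):
    parent, line = entry
    return f"{parent} > {line}" if parent else line

def audit_config(stored_text, running_text):
    """Return added/removed lines and the subset touching sensitive stanzas.
    Uses order-insensitive set difference, so a moved line is not a change."""
    stored = with_context(normalize(stored_text))
    running = with_context(normalize(running_text))
    stored_set, running_set = set(stored), set(running)
    added = [e for e in running if e not in stored_set]
    removed = [e for e in stored if e not in running_set]
    return {
        "added": [fmt(e) for e in added],
        "removed": [fmt(e) for e in removed],
        "sensitive_added": [fmt(e) for e in added if is_sensitive(e)],
        "sensitive_removed": [fmt(e) for e in removed if is_sensitive(e)],
    }

# Constructed sample: the archived copy and what the device runs now.
STORED_CONFIG = """\
! Last configuration change at 09:12:01 UTC
hostname core-sw1
username netops privilege 15 secret 5 $1$abcd$exampleonly
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server tac1
 address ipv4 10.20.0.5
snmp-server community r3adonly RO
interface GigabitEthernet0/1
 description uplink
 ip address 10.10.1.1 255.255.255.0
logging host 10.20.0.10
ntp server 10.20.0.20
line vty 0 4
 transport input ssh
"""
RUNNING_CONFIG = """\
! Last configuration change at 14:47:55 UTC
hostname core-sw1
username netops privilege 15 secret 5 $1$abcd$exampleonly
username svc_backup privilege 15 secret 5 $1$zzzz$exampleonly
aaa new-model
aaa authentication login default local
tacacs server tac1
 address ipv4 10.20.0.5
snmp-server community r3adonly RO
snmp-server community pr1vate RW
interface GigabitEthernet0/1
 description uplink to dist
 ip address 10.10.1.1 255.255.255.0
interface Tunnel0
 ip address 172.31.9.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.40
ntp server 10.20.0.20
line vty 0 4
 transport input ssh telnet
"""

if __name__ == "__main__":
    report = audit_config(STORED_CONFIG, RUNNING_CONFIG)
    for key in ("sensitive_added", "sensitive_removed"):
        print(f"== {key} ==")
        for line in report[key]:
            print("  " + line)
```

In the constructed sample the sensitive findings are the new local account, the switch from TACACS+ to local-only authentication, the read-write SNMP community, the new tunnel interface to an external address, the removed log host, and telnet being re-enabled on the VTY lines; the cosmetic description change is reported but not prioritised. A change that only moves a line keeps the diff empty, which is why the sets are compared rather than line positions.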
The advisory also tells agencies to harden the enterprise attack surface: review and validate perimeter firewall rulesets, reduce the number of systems that can reach the internet directly, and deploy host-based firewalls to make lateral movement harder for the adversary. They must also deploy application execution control, and enforce enterprise Domain Name System (DNS) resolution for all systems while denying internal systems direct access to internet DNS servers.
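Validating a ruleset against the DNS egress policy above, as an added example that is not CISA's or any vendor's tooling: the rule format, the internal address space, the resolver address and both rulesets are constructed for illustration. The script simulates ordered first-match evaluation the way a firewall does, then checks that internal hosts cannot reach Internet DNS servers directly, that they can still reach the enterprise resolver, and that the ruleset contains no any/any permits and no rule shadowed by an earlier one. A weak ruleset with a lab exception and a troubleshooting any/any is shown next to the corrected one.

```python
"""First-match evaluation of a firewall ruleset against a DNS egress policy."""
import ipaddress
from dataclasses import dataclass

ANY = "any"
INTERNAL = "10.0.0.0/8"             # assumed internal address space
ENTERPRISE_RESOLVER = "10.20.0.53"  # assumed enterprise DNS service address

@dataclass
class Rule:
    name: str
    action: str     # "allow" or "deny"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "udp", "tcp" or "any"
    dport: object   # port number or "any"

    def matches(self, src_ip, dst_ip, proto, dport):
        def in_net(field, ip):
            return field == ANY or ip in ipaddress.ip_network(field)
        return (in_net(self.src, src_ip) and in_net(self.dst, dst_ip)
                and self.proto in (ANY, proto) and self.dport in (ANY, dport))

    def covers(self, other):
        """True if every packet `other` could match is already matched by
        self; a later rule covered by an earlier one can never fire."""
        def net_covers(a, b):
            if a == ANY:
                return True
            if b == ANY:
                return False
            return ipaddress.ip_network(a).supernet_of(ipaddress.ip_network(b))
        return (net_covers(self.src, other.src) and net_covers(self.dst, other.dst)
                and self.proto in (ANY, other.proto) and self.dport in (ANY, other.dport))

def first_match(rules, src_ip, dst_ip, proto, dport, default="deny"):
    """Return (action, rule name) for the first rule matching the tuple,
    or the implicit default when nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return default, "implicit-default"

# Probe traffic: constructed internal hosts and well-known public resolvers.
INTERNAL_HOSTS = ["10.10.1.25", "10.10.5.20", "10.200.7.8"]
PUBLIC_RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]

def validate(rules, resolver=ENTERPRISE_RESOLVER):
    """Return human-readable findings; an empty list means the ruleset
    enforces the DNS egress policy and has no broad or shadowed rules."""
    findings = []
    for src in INTERNAL_HOSTS:
        for proto in ("udp", "tcp"):
            for dst in PUBLIC_RESOLVERS:
                action, name = first_match(rules, src, dst, proto, 53)
                if action == "allow":
                    findings.append(f"direct DNS egress: {src} -> {dst} {proto}/53 allowed by '{name}'")
            action, name = first_match(rules, src, resolver, proto, 53)
            if action != "allow":
                findings.append(f"enterprise resolver unreachable: {src} -> {resolver} {proto}/53 hits '{name}'")
    for i, rule in enumerate(rules):
        if rule.action == "allow" and (rule.src, rule.dst, rule.proto, rule.dport) == (ANY,) * 4:
            findings.append(f"overly broad rule: '{rule.name}' allows any/any")
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings.append(f"shadowed rule: '{rule.name}' can never match (covered by '{earlier.name}')")
                break
    return findings

# Weak ruleset: a lab exception and a troubleshooting any/any undo the DNS policy.
WEAK_RULES = [
    Rule("allow-udp-dns-to-resolver", "allow", INTERNAL, ENTERPRISE_RESOLVER + "/32", "udp", 53),
    Rule("allow-tcp-dns-to-resolver", "allow", INTERNAL, ENTERPRISE_RESOLVER + "/32", "tcp", 53),
    Rule("allow-https-egress", "allow", INTERNAL, ANY, "tcp", 443),
    Rule("legacy-lab-dns", "allow", "10.10.5.0/24", ANY, "udp", 53),
    Rule("deny-other-udp-dns", "deny", INTERNAL, ANY, "udp", 53),
    Rule("deny-other-tcp-dns", "deny", INTERNAL, ANY, "tcp", 53),
    Rule("temp-troubleshooting", "allow", ANY, ANY, ANY, ANY),
    Rule("lab-dns-cleanup", "deny", "10.10.5.0/24", ANY, "udp", 53),
]
# Corrected ruleset: resolver-only DNS, explicit denies, nothing else.
HARDENED_RULES = [r for r in WEAK_RULES
                  if r.name not in ("legacy-lab-dns", "temp-troubleshooting", "lab-dns-cleanup")]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = validate(rules)
        print(f"== {label}: {len(findings)} finding(s) ==")
        for f in findings:
            print("  " + f)
```

Two details matter in practice. The shadowing check is what catches the "cleanup" deny that an operator appended after the lab allow: because evaluation stops at the first match, the later deny never fires and the exception stays open. And the probe uses real public resolver addresses only as destinations in the simulation; nothing is sent on the wire.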
The guidance also describes the federation model that creates trust relationships between on-premises resources and the cloud, and the adversary's activity in Microsoft Office 365/Azure environments.
Microsoft 365 applies machine learning and human analysis across its global traffic, which lets it detect attacks quickly and lets customers reconfigure their tenants nearly in real time. In hybrid deployments that connect on-premises infrastructure to Microsoft Office 365, however, many organizations delegate trust to on-premises components for critical authentication and directory object state management decisions. If the on-premises environment is compromised, those trust relationships become the attacker's route into the Office 365 environment. A federation server that the tenant trusts to sign authentication tokens is the clearest case: an attacker who controls it can issue tokens the cloud accepts, which is how the actor described above sidestepped MFA.
The second phase is eviction, in which the actions needed to remove the APT actor from on-premises and cloud environments are taken, including rebuilding devices and systems, CISA said. These steps may affect critical business functions, so CISA recommends that agencies conduct a thorough risk assessment before eviction begins, so that potential impacts are documented and understood. Because the steps are complex, CISA also encourages agencies to bring in third-party help to support eviction efforts if needed.
The last phase proposed by CISA is post-eviction, where appropriate measures are taken to confirm that the eviction succeeded and that the network has a sound security posture. Organizations are advised to create an actionable and accountable plan for implementing the Active Directory privileged credential baselining guidance over the next 60 days, establishing and enforcing baseline controls for administrator accounts.
The advisory also recommends detection mechanisms that focus on endpoints and on changes to privileged identity sources. Suggested solutions include pervasive use of endpoint security such as Microsoft Defender for Endpoint and Microsoft Defender for Identity, as well as monitoring of high-value identities. Visibility into user behavior should be unified across all platforms, with behavioral analytics enabled.
After completing the post-eviction measures, all Category 3 agencies must report to CISA the actions taken, any actions left incomplete, and their assessment of residual risk, using the reporting template CISA provides. A department-level chief information officer (CIO) or equivalent must submit the report attesting to the agency's status, and agencies must continue to report their status to CISA on request until all actions are complete.
Failure to perform comprehensive and thorough remediation will expose enterprise networks and cloud environments to substantial risk of long-term undetected APT activity, and compromised organizations risk further loss of sensitive data and erosion of public trust in their networks, CISA added.