December 23

Webinar takeaway: Discussing Implications of the SolarWinds Breach(es)


My key takeaways

  • Stop panicking, the SolarWinds hack is over. C2 channels are dead. Party is over.
    • Don't poke at the IOCs *
    • Focus on the fundamentals and on how to avoid it happening again
  • Fundamentals:
    • DNS is the most valuable hunting artefact
    • Know what you have and where
    • Know all your software
    • Where are the blind spots? <- detect anomalies
    • Doesn't have to be expensive: Security Onion is free
  • Should there be a council enforcing higher standards for critical infrastructure or for suppliers to critical infrastructure?
    • Probably to come
    • National software such as the OS in North Korea or email clients in Russia indicates how seriously other nations also take the supply chain
    • Certifying people improved quality incrementally
    • Software might benefit as well
  • Do due diligence for software to be installed as you would for a merger
  • More "boxes" (security hardware) won't help
  • Having a CISO in a company will not avoid being hit by events like Solarburst
  • Continuous churn of Director of Security / CISO -> sign of a dumpster fire
  • Director of Security / CISO stays for 15 years? <- uhuh, probably an excuse role
  • Don't use it as an excuse NOT to patch!
    • Anti-vaxxer - Anti-patcher
  • Whoever already practices incident response round tables knows where they stand right now
*) IOC: indicators of compromise
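The "DNS is the most valuable hunting artefact" and "detect anomalies" points above, as an added example that is not from the post or the webinar: a Python pass over Zeek-style dns.log lines (the sensor data Security Onion collects) that lists registered domains queried by only one internal host and queries whose first label is long and high-entropy, two cheap starting points for a hunt. The three-column layout, the thresholds and the sample lines are constructed assumptions; a real dns.log carries more fields.

```python
# Added example (not from the post or the webinar): a small hunting pass over
# Zeek-style dns.log lines, the data Security Onion collects for you.
# Field layout (ts, id.orig_h, query) and all sample lines are constructed.
import math
from collections import Counter, defaultdict

# Constructed sample, tab-separated, three Zeek dns.log columns kept
SAMPLE_DNS_LOG = """\
1608681600.1\t10.0.0.5\twww.example.com
1608681601.2\t10.0.0.7\twww.example.com
1608681602.3\t10.0.0.9\tmail.example.com
1608681603.4\t10.0.0.5\tupdates.vendor-example.net
1608681604.5\t10.0.0.7\tupdates.vendor-example.net
1608681605.6\t10.0.0.12\t7hk2q9x0p4m1z8a3b6c5d2e9f.cdn-example.org
1608681606.7\t10.0.0.12\tq3w9e8r7t6y5u4i3o2p1a0s9d8f.cdn-example.org
"""

def shannon_entropy(s):
    """Bits per character; long random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(fqdn):
    """Naive last-two-labels cut (assumption: no public-suffix list offline)."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def parse_dns_log(text):
    """Yield (src_ip, query) per line, skipping Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, query = line.split("\t")[:3]
        yield src, query.lower()

def hunt_dns(text, entropy_bits=3.5, min_label_len=20):
    """Return (domains seen from a single host, queries with a long high-entropy first label)."""
    hosts_by_domain = defaultdict(set)
    entropy_hits = []
    for src, query in parse_dns_log(text):
        hosts_by_domain[registered_domain(query)].add(src)
        label = query.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_bits:
            entropy_hits.append((src, query))
    rare = sorted(d for d, hosts in hosts_by_domain.items() if len(hosts) == 1)
    return rare, entropy_hits
```

Both lists are leads to review against your software and asset inventory, not verdicts; a domain queried by one host is only interesting once you know what that host is supposed to talk to.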



Tags

solarburst, threat hunting, webinar takeaway

