Last week, the United States Cybersecurity & Infrastructure Security Agency (CISA) advised on initial steps to take in response to the SolarWinds software that was compromised by advanced persistent threat actors. While federal agencies were under a deadline to complete certain actions, this issue will require continued clean-up and longer-term efforts to mitigate the threat.

Staying the course, organizations will want to scan their environments for the presence of the compromised SolarWinds software. There may be places you forgot to look. In addition, backdoored versions of the software may be lurking on offline systems. In today’s reality of remote work, there could be systems and devices with the software that simply haven’t been detected yet because they weren’t connected to the network. You will want to monitor for that.

Here’s what you want to include in your continued clean-up efforts.

Multiple scanning methods for vulnerabilities, IoCs associated with SolarWinds breach

Look at the rest of your security toolset to complement your malware detection capabilities. You want to scan for the malicious version of the software in multiple ways. To be safe, scan local, remote and network-based.

Tripwire Enterprise and Tripwire IP360 can both find malicious versions of the software on your systems, complementing your other endpoint scans and broadening the search across your greater environment. Tripwire IP360 will find the vulnerabilities associated with the SolarWinds breach. Tripwire Enterprise, while widely known for secure configuration and change detection, will also discover the software, as it looks at file systems and indicators of compromise.

Use the different tools under your belt to ensure an accurate assessment.

Monitor system integrity to prevent reintroduction of malicious software

Baseline your system against a known, good state and check for any changes. There could be downstream effects associated with SUNBURST that we don’t know (Read more...)