However, several security controls specific to the SolarWinds breach are precisely that – specific to SolarWinds. What of the rest of the Managed Service Provider ecosystem? How would you mitigate this threat before the next major supply-chain attack is disclosed?

• Block all internet egress from SolarWinds or other MSP, and servers or other end points with SolarWinds software
• Restrict the scope of connectivity to endpoints from SolarWinds or other MSPs. Especially those that would be considered Crown Jewel assets
• Look for SMB sessions that show access to legitimate directories and follow a : DELETE -> CREATE -> EXECUTE- > DELETE -> CREATE pattern in a short timeframe
• Identify logins from the attackers ASNs (Autonomous System Number) alongside baselining and normalization
• Identify and analyze suspicious logons based on Fireye’s recommendations as part of this attack
• Identify ‘One to Many’ relationships for logons -> use the logon tracker above to graph all logon activity and analyze systems displaying 1:many
• Monitor existing scheduled tasks for temporary updates, and monitor all windows tasks schedules executing new\unknown binaries
• Review SolarWinds (or other managed service provider) network architecture – segment these servers and collectors – ensure all servers are isolated
• Review SolarWinds or MSP permissions – who has access, to what, making sure not to use everyday accounts. Change all passwords including all service accounts
• Review all Domain Administrator accounts
• Review logons – analyze logons sourced from different regions within windows of time which humans cannot feasibly travel
• Review windows logs especially EID 4702