
Lessons learned from 2021 network security events

source link: https://www.csoonline.com/article/3644051/lessons-learned-from-2021-network-security-events.html

It’s the end of 2021, a time when you expect to see security pundits predict security issues for the coming year. I’d rather look back at the security issues we’ve been tracking to ensure that we’ve learned all the necessary lessons from them.

SolarWinds attack: Know your vendors’ security posture

It’s been literally a year since the SolarWinds software supply chain attack hit the news and we are still trying to fully understand the potential of this type of attack. The attackers were stealthy and were discovered only because one of the firms impacted, FireEye, had elite capabilities to monitor and detect intrusions.

I wonder in these situations if my firm would have the tools and resources to know if such an attack was occurring. My guess is that not only would I not be aware of this intrusion, many of you would not have the resources to do so, either. According to Microsoft, the attacker was able “to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” It should make us all consider the source of software we install and ask if we can trust our vendors and their security processes, let alone our own security processes.

Lessons learned: Review your software vendors' security processes with them. Look for abnormal behavior, especially in highly privileged accounts. Review when new federated trusts are created or when credentials are added to processes that can perform actions such as mail.read or mail.readwrite. You'll also want to block known C2 endpoints in your network perimeter firewall.
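As an added illustration of the two review points above (this is not code from the article), a small Python filter over constructed, simplified audit-log records that flags new federation settings and credentials added to an application holding mail permissions. The record fields and activity names are assumptions for the example, not a specific vendor's log schema.

```python
import json

# Constructed sample records (assumption: a flattened subset of an identity
# provider's audit log; field and activity names are illustrative only).
SAMPLE_AUDIT_LOG = """
{"ts":"2021-12-01T08:02:11Z","activity":"Add service principal credentials","actor":"admin@example.test","target":"mail-archiver-app","permissions":["Mail.Read"]}
{"ts":"2021-12-01T08:05:40Z","activity":"Set federation settings on domain","actor":"svc-deploy@example.test","target":"example.test","permissions":[]}
{"ts":"2021-12-01T09:10:02Z","activity":"Update user","actor":"helpdesk@example.test","target":"jdoe@example.test","permissions":[]}
{"ts":"2021-12-01T09:12:55Z","activity":"Add service principal credentials","actor":"admin@example.test","target":"ticketing-app","permissions":["User.Read"]}
"""

# Permissions that let an application read or write mailboxes (from the article).
MAIL_PERMISSIONS = {"mail.read", "mail.readwrite"}
# Assumed activity names for "credential added" and "federation trust changed".
CREDENTIAL_EVENTS = {"add service principal credentials", "add application credentials"}
FEDERATION_EVENTS = {"set federation settings on domain", "set domain authentication"}


def parse_audit_log(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return a reason string if the event matches a review rule, else None."""
    activity = event.get("activity", "").lower()
    perms = {p.lower() for p in event.get("permissions", [])}
    if activity in FEDERATION_EVENTS:
        return "new-federated-trust"
    if activity in CREDENTIAL_EVENTS and perms & MAIL_PERMISSIONS:
        return "credential-added-to-mail-capable-app"
    return None


def find_review_items(events):
    """Collect the events an analyst should review, with the matching rule."""
    findings = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            findings.append({"ts": event["ts"], "actor": event["actor"],
                             "target": event["target"], "reason": reason})
    return findings


if __name__ == "__main__":
    for item in find_review_items(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(item)
```

Running it prints two items: the mail-archiver credential addition and the federation change; the ticketing app (User.Read only) and the routine user update are not flagged.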


Exchange Server attack: Protect legacy systems

