Introduction
With the SolarWinds Orion compromise, supply chain attacks are again in the spotlight as they were previously with products like MeDoc in 2017. They remain a constant threat for companies as the inherent trust placed in third-party vendors is often necessary to accomplish business goals with low friction. As many defenders know, frequently speed and ease are more valued than security when it comes to integrating with suppliers. In addition, we often have no idea how a supplier’s product operates or what their infrastructure looks like.
However, this does not mean that defenders should remain dormant and uninquisitive. In this article, we’ll discuss active defensive measures your team can take to put themselves in a position to spot supply chain attacks targeting your organization. Simply profiling the infrastructure behind the products you introduce can raise your familiarity with them, aid in security, and accelerate your team’s response during an incident. In fact, many of the day-to-day techniques that defenders use to profile adversaries and develop indicators of compromise can be turned on their head and directly applied to spotting our partners, bettering our security posture, and ultimately improving the trust we have in integrating with suppliers in our networks.
Profiling Your Suppliers
In a perfect world, we could ask each vendor in our supply chain what is to be expected of their software and receive a firewall rule set we could plug directly into appliances we already have in place on our networks. The world we actually live in is clearly far from a defender’s utopia. If we examine the SolarWinds Orion compromise, the use of several adversary-owned C2 domains dating back to August of 2019 stand out. Anomalous communication to these domains could have been spotted by several security products, but for many of those compromised, the traffic remained unnoticed or at least unacted upon.
While there are many other articles about anomaly detection and application profiling, not many speak to profiling your suppliers’ properties beforehand. This is critical as it enables defenders to rapidly determine if a new domain or IP address being accessed by a piece of software belongs to the supplier and is being accessed due to an update or if this is a third party exfiltrating your data. In this example, we’ll use SolarWinds since they remain the most relevant.
![Solarwinds[.]com Domain Profile Screenshot in DomainTools Iris](https://domaintools.com/wp-content/uploads/protecting-against-supply-chain-attacks-by-profiling-suppliers-blog-image-1.png)
If we look at SolarWinds.com in Iris Inspect it is clear that there are a number of potential pivots to find other network infrastructure belonging to the company. The registrant organization of SolarWinds Worldwide, LLC is a promising pivot point with 394 domains as well as the SOA (Start of Authority) email of hostmaster@solarwinds[.]com which expands to 437 domains. Looking through the list of domains there one can expand further on a webadmin@solarwinds[.]com which gives us a grand total of 653 domains. However, scrolling through these in Iris it is evident that a number of them are expired and inactive domains no longer in use by the company. I would advise not including this is a list of IoCs as adversaries will oftentimes find a dropped domain from a company to re-register to appear legitimate. Eliminating the inactive domains we reduce our total set to 316 domains.
![DomainTools Iris Pivot Engine Screenshot showing other domains connected to solarwinds[.]com](https://domaintools.com/wp-content/uploads/protecting-against-supply-chain-attacks-by-profiling-suppliers-blog-image-2.png)
This is where the human insight portion has to kick in with our power as an analyst. Taking that set of domains, we should apply the same techniques we would in spotting an indicator of compromise that we would use for profiling an adversary. Perhaps in this case we could say IoC stands for indicator of cooperation. In any case, the stats panel in Iris provides a number of quick-win insights for us in the instance of what to trust from a supplier such as SolarWinds.
![Pie chart and data table of IP's connected to solarwinds[.]com](https://domaintools.com/wp-content/uploads/protecting-against-supply-chain-attacks-by-profiling-suppliers-blog-image-3.png)
![Pie chart and data table of Name Server connected to solarwinds[.]com](https://domaintools.com/wp-content/uploads/protecting-against-supply-chain-attacks-by-profiling-suppliers-blog-image-4.png)
For instance, it is clearly visible in the screenshot above that the vast majority of their domains point to AS20251, which belongs to SolarWinds, and that their domain name servers either point to a solarwinds[.]com domain or to an Akamai name server for content delivery. By examining the other IP ranges, it becomes obvious that they are tertiary products and companies likely acquired by SolarWinds over the course of business and that one would not expect any traffic to be going to those properties from the Orion client. Additionally, while other potential indicators exist outside of ASN and name servers, these two seem to be our most reliable options based upon the data available to us as analysts. Typically analysts are looking for things here that do not represent rapid change as they do not want this to be a rule we constantly have to monitor. ASNs certainly fall into that category and name servers similarly, but with a slightly larger bit of flux for name servers depending on the company. Either way, a change here alerts you to a change your vendor is making and keeps you apprised of their positioning and infrastructure choices.
From this, defenders can make a quick battle card for rapid reference by other analysts when an anomaly does occur or if you are filtering egress traffic this is also a chance to write rules that would scope this application.
| SolarWinds Expected Traffic | |
|---|---|
| IP in range of AS | 20251 |
| NS Domains | solarwinds[.]com akam[.]net |
In the case of an anomaly spotted from the SolarWinds Orion application, an analyst would have been able to see that the IP address behind the malicious acsvmcloud[.]com domain belonged on AS8075, which was outside the previously scoped profile of the application. Since research had already been done to note that SolarWinds did not make use of Microsoft’s Azure, this would be an immediate red flag and an indication to reach out to an account representative.
Conclusion
By using tools we already have as defenders for tracking adversary infrastructure, defenders can quickly profile vendor’s products in our own network to create better-informed analysts and rules. In a perfect world, analysts would have more transparency from the software our companies utilize, but such transparency isn’t always the case. Profiling your suppliers can help you get ahead of any potential supply chain attacks that could be threatening your organization.
