{"id":18146,"date":"2021-02-03T22:44:23","date_gmt":"2021-02-03T22:44:23","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=18146"},"modified":"2023-05-12T16:50:33","modified_gmt":"2023-05-12T16:50:33","slug":"guarding-against-solorigate-ttps-solarwinds-hack","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/","title":{"rendered":"SolarWinds Hack Defenses: Protecting Against &#8216;Solorigate&#8217; TTPs"},"content":{"rendered":"<p>A March 2020 software update of the SolarWinds Orion management platform gave malicious actors unhindered access to key government and enterprise networks. Microsoft has dubbed the infamous <a href=\"https:\/\/www.esecurityplanet.com\/networks\/the-secure-supply-chain-where-security-starts\/\">supply chain<\/a> compromise of SolarWinds as &#8220;Solorigate.&#8221; In December, <em>eSecurity Planet<\/em> <a href=\"https:\/\/www.esecurityplanet.com\/threats\/fireeye-solarwinds-breaches-implications-protections\/\">detailed FireEye&#8217;s initial findings<\/a>, implications for the industry, and how to mitigate similar attacks.<\/p>\n<p>Since then, much has been learned about the tactics, techniques, and procedures (TTPs) deployed and what steps organizations are taking to harden their <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-network-security-tools\/\">network<\/a> and <a href=\"https:\/\/www.esecurityplanet.com\/applications\/application-security-definition\/\">application security<\/a>.<\/p>\n<p>This update touches on the newly detected <a href=\"https:\/\/www.esecurityplanet.com\/threats\/malware-types\/\">malware<\/a>, attack vectors to guard against, and why the targeting of security vendors is a critical development in cybersecurity.<\/p>\n<p><strong>Also Read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/threats\/fireeye-solarwinds-breaches-implications-protections\/\">FireEye, SolarWinds Breaches: Implications 
and Protections<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Brief-timeline-of-findings\"><\/span><strong>Brief timeline of findings<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The extent of the most recent attacks is still being unraveled. Before jumping into the technical details of each newly detected malware strain and the corresponding safeguards, here is a brief look at the events to date:<\/p>\n<table>\n<thead>\n<tr>\n<th>Date<\/th>\n<th>Event<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Sep 2019<\/td>\n<td>APT gains access to SolarWinds; Sunspot deployed on the build server<\/td>\n<\/tr>\n<tr>\n<td>Feb 2020<\/td>\n<td>Sunburst compiled into Orion and shipped in the March update<\/td>\n<\/tr>\n<tr>\n<td>Jun 2020<\/td>\n<td>APT removes its malware from the build environment to avoid detection<\/td>\n<\/tr>\n<tr>\n<td>Dec 2020<\/td>\n<td>FireEye detects Sunburst; detection signatures and patches released<\/td>\n<\/tr>\n<tr>\n<td>Jan 2021<\/td>\n<td>Teardrop, Sunspot, and Raindrop documented; victims with no SolarWinds link identified<\/td>\n<\/tr>\n<tr>\n<td>Feb 2021<\/td>\n<td>Second APT reported; additional Orion vulnerabilities published<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span class=\"ez-toc-section\" id=\"Second-Orion-attack-vector-detected\"><\/span><strong>Second Orion attack vector detected<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>On February 2, 2021, <a href=\"https:\/\/www.reuters.com\/article\/us-cyber-solarwinds-china-exclusive\/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUKKBN2A22K8\" target=\"_blank\" rel=\"noopener noreferrer\">Reuters reported<\/a> that a second advanced persistent threat (<a href=\"https:\/\/www.esecurityplanet.com\/threats\/advanced-persistent-threat\/\">APT<\/a>), suspected to be connected to China, also exploited SolarWinds software, in addition to the previously identified Russia-connected actors. 
FBI investigators found that a federal payroll agency, the National Finance Center (NFC), had been breached, but they had yet to confirm exposure at other U.S. federal agencies. Former Department of Homeland Security (DHS) officials noted &#8220;this could be an extremely serious breach of security.&#8221; NFC records include Social Security numbers, phone numbers, banking information, and personal email addresses for thousands of federal employees.<\/p>\n<p>SolarWinds added that one of its customers was also exposed to the same APT &#8220;in a way that was unrelated to SolarWinds.&#8221; Notably, in late January, U.S. Cybersecurity and Infrastructure Security Agency (CISA) acting director Brandon Wales told the Wall Street Journal that &#8220;<a href=\"https:\/\/www.wsj.com\/articles\/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601\" target=\"_blank\" rel=\"noopener noreferrer\">approximately 30%<\/a> of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds.&#8221; It is becoming clear that the campaign went much further than the SolarWinds supply chain.<\/p>\n<p>Notably, the findings indicate that the China-linked APT exploited a separate vulnerability in the Orion software rather than the Sunburst implant used in Solorigate. An Orion deployment that never received the trojanized update is therefore not automatically safe; it still needs the later Orion patches.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The-Solorigate-malware-family\"><\/span><strong>The Solorigate malware family<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When the SolarWinds news first broke, the Sunburst backdoor was treated as the whole story behind the vast compromise. In fact, the trojanized DLL that caught FireEye&#8217;s attention had a few friends. 
Welcome to the unfortunate gathering: Teardrop, Sunspot, and Raindrop.<\/p>\n<p><strong>Also Read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/threats\/malware-types\/\">Types of Malware &amp; Best Malware Protection Practices<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Teardrop-Malicious-Memory-Dropper\"><\/span><strong>Teardrop, Malicious Memory Dropper<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In an update to <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\" target=\"_blank\" rel=\"noopener noreferrer\">their Sunburst findings<\/a>, FireEye described the role of an additional malware strain. Teardrop was delivered through the Sunburst backdoor and is distinctly new, with no code overlap with previously known malware. Teardrop is a memory-only dropper that runs as a service, reads a file named &#8220;gracious_truth.jpg&#8221; (a JPG in name only), decodes an embedded payload, and loads it straight into memory. That payload is a customized Cobalt Strike Beacon, which gives the operators hands-on-keyboard control of the host and a base for lateral movement. Because the decoded Beacon never touches disk, file scanning misses it; the service installation and the process memory are where to look.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Sunspot-Sunburst-Enabler\"><\/span><strong>Sunspot, Sunburst-Enabler<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Now we know how Sunburst first made its way into SolarWinds. In early January, <a href=\"https:\/\/www.crowdstrike.com\/blog\/sunspot-malware-technical-analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">CrowdStrike published<\/a> its findings on Sunspot. This malware was planted on SolarWinds&#8217; build server in September 2019 and was written to avoid drawing attention to itself. Sunspot watched for Orion build jobs and, when one started, silently swapped a source file for a version that carried the Sunburst backdoor, restoring the original once compilation finished. Because the substitution happened only at compile time, the source repository never showed the change, and developers reviewing the code saw nothing wrong.<\/p>\n<p>Almost six months after Sunspot was deployed at SolarWinds, the malware inserted the Sunburst backdoor into the Orion platform&#8217;s build.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Raindrop-Loader-and-Spreader\"><\/span><strong>Raindrop, Loader and Spreader<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In mid-January, Broadcom&#8217;s Symantec division uncovered <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/solarwinds-raindrop-malware\" target=\"_blank\" rel=\"noopener noreferrer\">the third additional strain<\/a> in the Solorigate case. Like Teardrop, Raindrop is a loader that delivers a Cobalt Strike Beacon, but unlike Teardrop it was not delivered by the Sunburst backdoor: Symantec found it only on hosts in networks where Sunburst had already compromised at least one other computer, which points to its use during lateral movement. Symantec&#8217;s analysis noted three examples of how Raindrop behaved:<\/p>\n<ol>\n<li>Installed on a computer that managed other machines on the network, after which the attackers pulled in a copy of the Directory Services Internals (DSInternals) tooling. 
With access to DSInternals, the attackers could query the <a href=\"https:\/\/www.esecurityplanet.com\/products\/active-directory-security-tools\/\">AD servers<\/a> and extract credentials, password hashes, and keys from the directory.<\/li>\n<li>Executed <a href=\"https:\/\/www.esecurityplanet.com\/threats\/powershell-security\/\">Microsoft PowerShell<\/a> commands to copy Raindrop onto additional computers on the network.<\/li>\n<li>In one case, the Cobalt Strike payload extracted from Raindrop was configured to use a named pipe over Server Message Block (SMB) rather than the HTTP-based <a href=\"https:\/\/www.esecurityplanet.com\/threats\/common-it-security-vulnerabilities-how-to-prevent-them\/\">command and control<\/a> (C&amp;C) seen in many recent attacks, so its traffic blended into ordinary Windows file sharing and never left the internal network.<\/li>\n<\/ol>\n<p>Read Also: <a href=\"https:\/\/www.esecurityplanet.com\/cloud\/the-iot-cybersecurity-act-of-2020-implications-for-devices\/\">The IoT Cybersecurity Act of 2020: Implications for Devices<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Orion-Vulnerabilities-Keep-Emerging\"><\/span><strong>Orion Vulnerabilities Keep Emerging<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Though SolarWinds wasn\u2019t the only target, the vendor\u2019s products keep turning up new flaws. On February 3, 2021, threat detection and response vendor Trustwave <a href=\"https:\/\/www.trustwave.com\/en-us\/threats\/resources-to-stay-current-on-security-threats\/blogs\/spiderlabs-blog\/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities\/\" target=\"_blank\" rel=\"noopener noreferrer\">released three additional findings<\/a> on SolarWinds vulnerabilities.<\/p>\n<p>The first involves the SolarWinds Collector Service and its use of Microsoft Message Queuing (MSMQ), a legacy Windows component that is no longer installed by default. Because the private queues carried no access permissions, any unauthenticated user who could reach the host was able to send messages that the Collector Service treated as trusted. Once those messages are processed, the attacker reaches remote code execution (RCE) as LocalSystem.<\/p>\n<p>Martin Rakhmanov of Trustwave\u2019s SpiderLabs added that the patch introduces a digital signature validation step on incoming messages, so messages that do not carry a valid signature are discarded. The underlying design issue remains: the MSMQ queue is still unauthenticated, so anyone can still send messages to it; they just no longer get processed.<\/p>\n<p>The <a href=\"https:\/\/www.trustwave.com\/en-us\/threats\/resources-to-stay-current-on-security-threats\/security-resources\/security-advisories\/?fid=28389\" target=\"_blank\" rel=\"noopener noreferrer\">second identified vulnerability<\/a> is a case of credentials exposed to unprivileged users. The Orion backend database credentials were found in a world-readable file. Any attacker with access to the filesystem can read and decrypt the Orion database login details and gain database owner access. With that level of access, the malicious actor can modify the stored authentication data and, for example, add an administrator-level Orion account.<\/p>\n<p>Unlike the first two vulnerabilities, which were specific to the Orion User Device Tracker, the third lies in SolarWinds\u2019 Serv-U FTP for Windows. Trustwave found that any authenticated Windows user could log in and drop a file that defines a new Serv-U user; Serv-U picks up such files automatically. The attacker can therefore define an administrator account whose home directory is the root of the C:\\ drive, log in over FTP, and read or replace any file on C:\\.<\/p>\n<p>While we are just learning of these vulnerabilities, Trustwave disclosed them to SolarWinds in late December and patches were released in late January. 
At this time, researchers are unsure of the extent to which attackers exploited each of these in relation to Solorigate and similar attacks.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Attacker-methodology\"><\/span><strong>Attacker methodology<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In the handful of weeks since Solorigate came to light, we&#8217;ve learned plenty about the TTPs (tactics, techniques, and procedures) used by the attackers. In a report detailing the second-stage activation from Sunburst to Teardrop and Raindrop, <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/01\/20\/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft dove into the OpSec methods<\/a> used. These included:<\/p>\n<ul>\n<li>Avoiding shared indicators across victims by deploying a unique, custom Cobalt Strike DLL implant on each compromised host, so a hash or file name from one victim is useless at the next<\/li>\n<li>Blending into the environment by renaming tools and binaries to match files and programs already present on the host<\/li>\n<li>Disabling <a href=\"https:\/\/www.esecurityplanet.com\/products\/siem-tools\/\">event logging<\/a> (via AUDITPOL) before hands-on-keyboard activity and re-enabling it afterward<\/li>\n<li>Adding temporary <a href=\"https:\/\/www.esecurityplanet.com\/networks\/fine-tuning-firewall-rules-best-practices\/\">firewall rules<\/a> to minimize outbound packets for certain protocols before noisy network enumeration, then removing the rules once the survey was done<\/li>\n<li>Planning lateral movement carefully, first disabling security services on the targeted hosts<\/li>\n<li>Timestomping artifacts and using professional wiping tools to hinder recovery of the DLL implants<\/li>\n<\/ul>\n<p>Microsoft said both the complex attack chain and the length of the operation mean organizations need comprehensive real-time visibility and access to months of historical data for related investigations. A primary software target of Solorigate was Microsoft 365. For the techniques used against Microsoft 365, <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2021\/01\/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html\" target=\"_blank\" rel=\"noopener noreferrer\">FireEye disclosed<\/a> four attacker behaviors:<\/p>\n<ul>\n<li>Stealing the AD FS token-signing certificate and using it to forge tokens for arbitrary users<\/li>\n<li>Modifying or adding trusted domains in Azure AD to register a federated identity provider (IdP) that the attacker controls<\/li>\n<li>Compromising the credentials of highly privileged on-premises accounts that are synchronized to Microsoft 365<\/li>\n<li>Backdooring an existing Microsoft 365 application by adding a credential to its service principal, then using the application&#8217;s legitimate permissions (reading mail, for example) for remote access<\/li>\n<\/ul>\n<p>In a follow-up to its first Solorigate alert, <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-008a\" target=\"_blank\" rel=\"noopener noreferrer\">CISA also published<\/a> its research on the threat actor&#8217;s TTPs. Like FireEye&#8217;s findings, CISA described the bypass of federated identity solutions, forged authentication tokens, and the use of <a href=\"https:\/\/www.esecurityplanet.com\/applications\/privileged-access-management-pam\/\">privileged access<\/a> to install persistent <a href=\"https:\/\/www.esecurityplanet.com\/applications\/how-to-control-api-security-risks\/\">API<\/a>-based access.<\/p>\n<p>Also Read: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/the-secure-supply-chain-where-security-starts\/\">The Software Supply Chain: Where Security Starts<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Compromised-certificates-forged-tokens\"><\/span><strong>Compromised certificates, forged tokens<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When considering attack vectors, the first concern for code signing is the prospect of stolen <a href=\"https:\/\/www.esecurityplanet.com\/networks\/how-to-secure-digital-signatures\/\">digital certificates<\/a>. In the Solorigate breach, however, the attackers did not need to steal one: because Sunspot inserted the backdoor before the signing step, SolarWinds&#8217; own pipeline signed the trojanized DLL with the company&#8217;s legitimate code-signing certificate, and the update passed every signature check. 
Inside victim networks the same logic applied to authentication: why steal a user&#8217;s password when you can take the key that signs every user&#8217;s token? Below we look at how the attackers extended their foothold by forging <a href=\"https:\/\/www.esecurityplanet.com\/networks\/two-factor-authentication-sms-vs-tokens\/\">digital tokens<\/a>, the technique that turned a single on-premises compromise into cloud-wide access.<\/p>\n<p>Also Read: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/how-to-secure-digital-signatures\/\">How to Secure Digital Signatures<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"The-Rise-of-Golden-SAML-Attacks\"><\/span><strong>The Rise of Golden SAML Attacks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In 2017, CyberArk published findings on a new attack technique against federated authentication. The <a href=\"https:\/\/www.esecurityplanet.com\/applications\/saml\/\">SAML 2.0 protocol<\/a> is the mechanism by which an identity provider (IdP) vouches for a user to a service provider such as a <a href=\"https:\/\/www.esecurityplanet.com\/cloud\/cloud-security-best-practices\/\">cloud<\/a> application: the IdP signs an assertion about the user, and the service provider trusts any assertion that bears a valid signature from the IdP&#8217;s token-signing certificate. With the migration from on-premises to cloud services, it&#8217;s no surprise that SAML has become a growing target.<\/p>\n<p>In the case of Solorigate, the attackers gained access to the on-premises network, extracted the private key of the AD FS token-signing certificate, and used it to forge SAML tokens.<\/p>\n<p><a href=\"https:\/\/www.cyberark.com\/threats\/resources-to-stay-current-on-security-threats\/threat-research-blog\/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps\" target=\"_blank\" rel=\"noopener noreferrer\">CyberArk named<\/a> this tactic &#8220;Golden SAML.&#8221; Obtaining the key normally requires administrative access to the AD FS server or its configuration database, but once the attacker has it, they can mint trusted SAML assertions for any user, with any claims (including a claim that multi-factor authentication was satisfied), from outside the network and without ever contacting the IdP again. The result: unmitigated access to every application that trusts the IdP, for as long as that certificate remains valid.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Microsoft-Software-Targeted\"><\/span><strong>Microsoft Software Targeted<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In many cases, the Solorigate compromise led the attackers from the on-premises network into the victim&#8217;s Microsoft Office 365 email services and <a href=\"https:\/\/www.esecurityplanet.com\/products\/microsoft-azure-active-directory\/\">Microsoft Azure<\/a> cloud infrastructure. Consistent with the TTPs above, the attackers adjusted Microsoft 365 and Azure AD settings so that their presence went undetected while they read and monitored mail and data. With valid tokens for the user accounts of their choosing, they had a suite of email, documents, and data at their fingertips.<\/p>\n<p>With the trusted SAML token-signing certificate in hand, the attackers could sign in as any user, create new accounts, escalate privileges, and reach sensitive data across Microsoft services. In several cases they added X.509 keys or password credentials to legitimate <a href=\"https:\/\/www.esecurityplanet.com\/mobile\/tips-on-using-oauth-2-0-for-secure-authorization\/\">OAuth applications<\/a> (service principals) so that their access continued even after user passwords were reset.<\/p>\n<p><strong>Also Read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/products\/casb-security-vendors\/\">Top CASB Security Vendors<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Hardening-the-build-environment\"><\/span><strong>Hardening the build environment<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Many analysts point to the severity of this supply chain compromise and call for more robust build environments. The build process is on trial, from <a href=\"https:\/\/www.esecurityplanet.com\/cloud\/the-iot-cybersecurity-act-of-2020-implications-for-devices\/\">vulnerabilities in the supply chain for IoT devices<\/a> to the Solorigate breach. 
The longest-tenured malware, Sunspot, monitored the build server for Orion compilations and, while the compiler ran, swapped a source file for a version that carried Sunburst.<\/p>\n<p>David Wheeler, Director of Open Source Supply Chain Security for the <a href=\"https:\/\/www.linuxfoundation.org\/en\/blog\/preventing-supply-chain-attacks-like-solarwinds\/\" target=\"_blank\" rel=\"noopener noreferrer\">Linux Foundation<\/a>, notes, &#8220;Unfortunately, a lot of conventional security advice cannot counter this kind of attack.&#8221;<\/p>\n<p>The trojanized Orion update carried a valid SolarWinds signature and arrived through the normal update channel, so the implant took root without tripping any signature check. Reviewing the source code would not have caught it either: the repository was clean, and the malicious version of the file existed only on the build server, only while the build ran.<\/p>\n<p>A critical fault at SolarWinds was inattention to the build and distribution environment. <a href=\"https:\/\/www.savebreach.com\/solarwinds-exposed-ftp-credentials-back-in-2018-says-security-researcher-vinoth\/\" target=\"_blank\" rel=\"noopener noreferrer\">SaveBreach reported<\/a> SolarWinds was &#8220;using [an] unencrypted plain <a href=\"https:\/\/www.esecurityplanet.com\/threats\/\">FTP server<\/a> for their Downloads server in the age of global CDN technologies.&#8221; More troubling, the FTP credentials sat in a public GitHub repository (mib-importer) for well over a year.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Protections-and-considerations\"><\/span><strong>Protections and considerations<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Organizations continue to wonder how they can come out of this moment with stronger security. Given the sophisticated nature of the attacks and what experts report, we offer a few significant considerations for guarding against similar TTPs.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Mitigating-Digital-Certificate-and-Token-Compromise\"><\/span><strong>Mitigating Digital Certificate and Token Compromise<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>With token forging now proven in the field and similar attacks sure to follow, the following <a href=\"https:\/\/www.esecurityplanet.com\/applications\/devsecops\/\">DevSecOps<\/a> recommendations are critical:<\/p>\n<ul>\n<li>Inventory token-signing certificates, know where their private keys live, and protect the servers that hold them (AD FS and its configuration database) to the same standard as domain controllers<\/li>\n<li>Review privileges and remove outdated or unnecessary permissions, so that as few accounts as possible can read federation configuration or export signing keys<\/li>\n<li>Monitor token issuance and federation settings: alert on any change to trusted domains or identity providers, and correlate cloud sign-ins against the IdP&#8217;s own issuance logs, since a forged token is one the IdP never logged<\/li>\n<li>If the signing key may have been exposed, rotate the token-signing certificate twice in succession so that any copy the attacker holds stops working<\/li>\n<\/ul>\n<p>As the inherent authentication tool for cloud services, SAML is not going away as an attack vector. Its successful use in Solorigate tells us we can expect similar attacks.<\/p>\n<p>Noted in <a href=\"https:\/\/www.esecurityplanet.com\/threats\/fireeye-solarwinds-breaches-implications-protections\/\">our first update<\/a> but worth restating are some of <a href=\"https:\/\/blog.keyfactor.com\/solarwinds-misused-keys-certificates\" target=\"_blank\" rel=\"noopener noreferrer\">Keyfactor&#8217;s best practices<\/a> to mitigate key and certificate vulnerabilities:<\/p>\n<ul>\n<li>Keep code-signing keys in a FIPS 140-2 validated HSM<\/li>\n<li>Create a system of accountability by segregating the roles for authorizing, approving, and monitoring code signatures<\/li>\n<li>Monitor all active certificates by location, user, device, and traffic<\/li>\n<li>Enforce a strict certificate issuance policy to ensure all certificates are trusted<\/li>\n<li>Prepare for rapid response by testing issuance and revocation capabilities for certificates<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" 
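<\/p>\n<p>The following Python script is an added example, not code from the original article, from SolarWinds, or from the Linux Foundation. It models the Sunspot substitution described above against a deterministic build and shows why an independent rebuild from the repository catches it, which is the argument for the verified reproducible builds discussed later under &#8220;Are Verified Reproducible Builds the Future?&#8221;. The source tree, the file names, and the tar-archive &#8220;build&#8221; are constructed stand-ins; a real verifier would recompile the project and compare the resulting binaries.<\/p>\n
```python
"""Reproducible packaging plus an independent-rebuild check (added example).

REPO_SOURCE and the tar "build" are constructed stand-ins for a real project;
the file names are illustrative, not SolarWinds' actual sources.
"""
from __future__ import annotations

import hashlib
import io
import tarfile
import time

# Constructed stand-in for a checked-out source tree: path -> file contents.
REPO_SOURCE = {
    "src/Program.cs": b"class Program { static void Main() { Inventory.Refresh(); } }\n",
    "src/Inventory.cs": b"class Inventory { public static void Refresh() { } }\n",
}


def _add_entry(tar: tarfile.TarFile, name: str, data: bytes, mtime: int) -> None:
    """Write one archive member with every metadata field pinned except mtime."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = mtime
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o644
    tar.addfile(info, io.BytesIO(data))


def build_nondeterministic(source: dict, now: int | None = None) -> bytes:
    """Typical default packaging: members in insertion order, stamped with build time.
    Two builds of identical source differ, so nobody can verify the output."""
    buf = io.BytesIO()
    stamp = int(time.time()) if now is None else now
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in source.items():
            _add_entry(tar, name, data, stamp)
    return buf.getvalue()


def build_reproducible(source: dict, source_date_epoch: int = 0) -> bytes:
    """Same inputs always give the same bytes: sorted members and a pinned timestamp
    (the SOURCE_DATE_EPOCH convention from reproducible-builds.org)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(source):
            _add_entry(tar, name, source[name], source_date_epoch)
    return buf.getvalue()


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def verify_release(shipped: bytes, repo_source: dict) -> bool:
    """Independent verifier: rebuild from the repository's source and compare digests.
    The source must come from the repository, never from the vendor's build host."""
    return digest(build_reproducible(repo_source)) == digest(shipped)


def sunspot_style_build() -> bytes:
    """Model the compromised build host: the repository is clean, but the file handed
    to the compiler has been swapped for a version that starts a backdoor."""
    tampered = dict(REPO_SOURCE)
    tampered["src/Inventory.cs"] = (
        b"class Inventory { public static void Refresh() { Backdoor.Start(); } }\n"
    )
    return build_reproducible(tampered)  # still signed by the vendor, still "official"


if __name__ == "__main__":
    clean = build_reproducible(REPO_SOURCE)
    print("release built from clean source verifies:", verify_release(clean, REPO_SOURCE))
    print("release built from swapped source verifies:", verify_release(sunspot_style_build(), REPO_SOURCE))
    a = build_nondeterministic(REPO_SOURCE, now=1_600_000_000)
    b = build_nondeterministic(REPO_SOURCE, now=1_600_000_001)
    print("two non-reproducible builds of the same source match:", digest(a) == digest(b))
```
\n<p>Run it directly to see the three checks. Two points carry over to a real pipeline: the verifier must take the source from version control rather than from the build host, because Sunspot changed the file only on the build host and only during compilation; and the build must be made deterministic first, because the non-reproducible variant differs from itself on every run and leaves the verifier with nothing to compare against. A valid code signature says only that the vendor&#8217;s pipeline produced the bytes, which is exactly what happened with Sunburst; the rebuild comparison is what detects that the pipeline was fed something other than the repository.<\/p>\n<p>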
id=\"Are-Verified-Reproducible-Builds-the-Future\"><\/span><strong>Are Verified Reproducible Builds the Future?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In the effort to establish secure builds for the future, <a href=\"https:\/\/reproducible-builds.org\/\">reproducible builds<\/a> are certainly one solution. The idea is simple, organizational software builds should create symmetric input-output results, and technicians should thoroughly define the build process. By developing reproducible build environments, analysts have greater visibility into the existence of vulnerabilities or malware.<\/p>\n<p>Marketwide adoption of verified reproducible builds is a ways off. While plenty of software is reproducible, most organizations aren&#8217;t ready to invest in the project. Reproducible builds will be easier on open-source software (OSS) developers, but proprietary software will benefit as well, considering <a href=\"https:\/\/www.zdnet.com\/article\/out-of-date-insecure-open-source-software-is-everywhere\/\" target=\"_blank\" rel=\"noopener noreferrer\">99% of all commercial software<\/a> includes at least one open-source component.<\/p>\n<p>Wheeler of the Linux Foundation noted that the industry could prioritize more critical software initially, but there&#8217;s no doubt that this is where we&#8217;re heading.<\/p>\n<p><strong>Also Read:<\/strong> IoT Security: It&#8217;s All About the Process<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Software-Bill-of-Materials-SBOM-for-Greater-Security\"><\/span><strong>Software Bill of Materials (SBOM) for Greater Security<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Devices constructed with re-used or out-of-date software can pose an unnecessary risk to your network security. The problem: software can be mighty complex, made up of components, development frameworks, operating system features, libraries, and more. 
The National Telecommunications and Information Administration (NTIA) offers the concept of a <a href=\"https:\/\/www.ntia.gov\/SBOM\" target=\"_blank\" rel=\"noopener noreferrer\">Software Bill of Materials<\/a> (SBOM) to address this problem.<\/p>\n<p>While producing an SBOM could mean more time spent on technical details, the full visibility into your software&#8217;s build will be worth it. Both your organization and client base can be confident in the software they&#8217;re employing. As more organizations request the list of ingredients in their software, time will tell how quickly the industry adopts the format.<\/p>\n<p>On the other hand, Rob Graham of AT&amp;T Cybersecurity makes an argument for <a href=\"https:\/\/cybersecurity.att.com\/blogs\/security-essentials\/software-bill-of-materials-sbom-does-it-work-for-devsecops\" target=\"_blank\" rel=\"noopener noreferrer\">why an SBOM isn&#8217;t everything<\/a>. Mandating that vendors publish SBOMs could weed out unethical companies and cement transparency. But in its current design, an SBOM isn&#8217;t granular enough to enhance <a href=\"https:\/\/www.esecurityplanet.com\/products\/vulnerability-management-software\/\">vulnerability management<\/a>.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Tools-for-Detecting-Solorigate-Vulnerabilities\"><\/span><strong>Tools for Detecting Solorigate Vulnerabilities<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>To minimize the Solorigate breach&#8217;s impact, several organizations have published <a href=\"https:\/\/www.esecurityplanet.com\/networks\/applications\/-breach-prevention-and-detection-tools\/\">detection tools<\/a> for organizational use. 
These tools only go so far in identifying potential compromises but can identify similar authentication-based vulnerabilities and Solorigate behavior.<\/p>\n<ul>\n<li>CrowdStrike Reporting Tool for Azure (CRT) (<a href=\"https:\/\/github.com\/CrowdStrike\/CRT\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub<\/a>)<\/li>\n<li>CISA Cloud Forensics&#8217; Sparrow (<a href=\"https:\/\/github.com\/cisagov\/Sparrow\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub<\/a>)<\/li>\n<li>FireEye&#8217;s Mandiant-Azure-AD-Investigator (<a href=\"https:\/\/github.com\/fireeye\/Mandiant-Azure-AD-Investigator\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub<\/a>)<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Cybersecurity-vendor-targets-and-vigilantes\"><\/span><strong>Cybersecurity vendor targets and vigilantes<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Almost two months after the news broke, organizations are still disclosing the impact of the breach. In addition to hitting key government agencies, <a href=\"https:\/\/www.bloomberg.com\/trends\/\/articles\/2021-01-29\/solarwinds-attackers-hit-strategic-targets-cyber-and-tech-firms\" target=\"_blank\" rel=\"noopener noreferrer\">Bloomberg reports<\/a> on how Solorigate targeted cybersecurity firms. The attackers&#8217; goals were to:<\/p>\n<ul>\n<li>Breach cybersecurity vendors responsible for protecting network security<\/li>\n<li>Craft more robust malware to target the vendor&#8217;s client network<\/li>\n<\/ul>\n<p>Vendor compromise has severe implications for clients. Attackers can steal <a href=\"https:\/\/www.esecurityplanet.com\/trends\/open-or-closed-source-code-irrelevant-to-security\/\">source code<\/a>, detection tools, and <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing\/\">penetration testing<\/a> technologies built to fend off the best malicious threats in the world. 
If an attacker succeeds in infiltrating certain vendor network privileges, remote access to a client&#8217;s network is a scary possibility.<\/p>\n<p>In the last two weeks of January, cybersecurity vendors Mimecast, Fidelis, Qualys, and Malwarebytes confirmed breaches. Organizations like Palo Alto Networks and CrowdStrike reported being targeted but withstood Solorigate attack efforts.<\/p>\n<p><strong>Also Read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-penetration-testing\/\">Best Penetration Testing Software<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Breached-Organizations\"><\/span><strong>Breached Organizations<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Earlier in January, UK-based email security vendor <a href=\"https:\/\/www.mimecast.com\/blog\/important-security-update\/\" target=\"_blank\" rel=\"noopener noreferrer\">Mimecast disclosed<\/a> to customers that a sophisticated threat actor abused a stolen digital certificate to access 10% of their Office 365 accounts. Mimecast has already informed affected clients, asking them to establish a new digital certificate. This breach was later confirmed to be the result of a trojanized SolarWinds Orion app installed on its network.<\/p>\n<p><a href=\"https:\/\/fidelissecurity.com\/threatgeek\/data-protection\/ongoing-analysis-solarwinds-impact\/\" target=\"_blank\" rel=\"noopener noreferrer\">Fidelis Cybersecurity<\/a> also confirmed downloading the trojanized app. Tracing the download showed it remained on a test machine isolated enough that attackers couldn&#8217;t move further into the network. 
Auditing and vulnerability management vendor <a href=\"https:\/\/blog.qualys.com\/qualys-insights\/2020\/12\/22\/qualys-security-advisory-solarwinds-fireeye\" target=\"_blank\" rel=\"noopener noreferrer\">Qualys<\/a> confirmed their breach but downplayed any impact on their production environment or exfiltrated data.<\/p>\n<p>Despite never using the Orion software, <a href=\"https:\/\/blog.malwarebytes.com\/threats\/bytes-news\/2021\/01\/threats\/bytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments\/\" target=\"_blank\" rel=\"noopener noreferrer\">Malwarebytes reported<\/a> being targeted by the Solorigate threat actors. Their incident response team found attackers &#8220;leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails.&#8221; As for TTPs, the attacker deployed a golden SAML attack that enabled them to make API calls to request emails via MSGraph.<\/p>\n<p><strong>Also Read<\/strong>: <a href=\"https:\/\/www.esecurityplanet.com\/threats\/common-it-security-vulnerabilities-how-to-prevent-them\/\">Common IT Security Vulnerabilities and How to Defend Against Them<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Withstanding-Solorigate\"><\/span><strong>Withstanding Solorigate<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>How did organizations fend off Solorigate? The attack was rooted in the Orion software, but targets were not limited to SolarWinds clients. With bigger goals, attackers deployed similar TTPs against other organizations in 2020 but weren&#8217;t always successful. Two that have come forward are Palo Alto Networks and CrowdStrike. 
Both companies have detailed the TTPs used, but didn&#8217;t reveal everything about how they successfully defended their networks when other organizations faltered.<\/p>\n<p>In September and October 2020, attackers attempted to breach <a href=\"https:\/\/www.paloaltonetworks.com\/solarstorm-rapid-response\" target=\"_blank\" rel=\"noopener noreferrer\">Palo Alto Networks<\/a>. In both instances, the in-house SOC team isolated the targeted server and stopped any malware from taking root, with help from the company&#8217;s <a href=\"https:\/\/www.esecurityplanet.com\/threats\/xdr-emerges-as-a-key-next-generation-security-tool\/\">XDR<\/a> platform. What wasn&#8217;t detected then was the larger issue: the supply chain being used as the attack vector. Upon further review since the Solorigate news broke, Palo Alto Networks has found no indicators in common with the Solorigate attack.<\/p>\n<p><a href=\"https:\/\/www.crowdstrike.com\/blog\/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory\/\" target=\"_blank\" rel=\"noopener noreferrer\">CrowdStrike<\/a> was first alerted, months after the attempted hack, to attempts to read email and to abnormal communication between its Microsoft Office licenses and Microsoft cloud APIs. CrowdStrike does not use Office 365 email but did conduct a thorough review of any infrastructure shared with Microsoft, including its Azure environment. 
Their audit found no evidence of impact.<\/p>\n<p>Specific to Solorigate, CrowdStrike said the following network security solutions can be critical in boosting your defenses:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/edr-solutions\/\">Endpoint Detection and Response<\/a> (EDR)<\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/casb-security-vendors\/\">Cloud Access Security Broker<\/a> (CASB)<\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/zero-trust-security-solutions\/\">Zero Trust Network Access (ZTNA)<\/a><\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/best-iam-software\/\">Identity and Access Management<\/a> (IAM)<\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/best-encryption-software\/\">Encryption<\/a><\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/threats\/email-security\/\">Secure email<\/a> gateway<\/li>\n<li>Mail DNS controls<\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/cybersecurity-training\/\">Cybersecurity awareness<\/a> training and campaigns<\/li>\n<\/ul>\n<p><strong>Also Read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/products\/edr-solutions\/\">Top Endpoint Detection &amp; Response (EDR) Solutions<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Vendor-Catch-22\"><\/span><strong>Vendor Catch-22<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>SolarWinds and their clients weren&#8217;t the only targets; in fact, they made up less than a third of reported breaches. As researchers try to unravel the additional vulnerabilities and targeted vendors, <a href=\"https:\/\/www.wired.com\/story\/solarwinds-hack-china-usda\/\" target=\"_blank\" rel=\"noopener noreferrer\">Wired asks<\/a> how organizations can trust third-party software providers. The truth is that business today requires access to a suite of SaaS products like Slack, AWS, and Google Analytics, to name a few. 
Widely used software like Microsoft Windows, SolarWinds Orion, and others are targets simply because of their global popularity.<\/p>\n<p>Malwarebytes CEO Marcin Kleczynski noted, &#8220;It&#8217;s a catch-22. Rely on one vendor and you&#8217;re screwed if they get hit. Rely on multiple and all it takes is one. Rely on the big brands and deal with the consequences that they&#8217;re most targeted. Rely on the small brands and deal with the consequences they&#8217;re not yet investing in security.&#8221;<\/p>\n<p>Demands for greater visibility into the software supply chain are clear. But one glaring concern for many organizations in light of Solorigate is insufficient knowledge of their own software catalogue. Organizations must be vigilant in monitoring <a href=\"https:\/\/www.esecurityplanet.com\/networks\/181-third-party-vendors-access-the-average-companys-network-each-week\/\">third-party software<\/a> and inspecting it for existing vulnerabilities.<\/p>\n<p><strong>Also Read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/networks\/almost-half-of-all-third-party-software-components-are-outdated-insecure\/\">Almost Half of All Third-Party Software Components Are Outdated, Insecure<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Building-comprehensive-network-security\"><\/span><strong>Building comprehensive network security<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Solorigate may well be the most significant supply chain compromise in modern history. Due to the sophisticated nature of the attacks, defending against them isn&#8217;t easy, but there are some lessons and steps organizations can take. While it&#8217;s tempting to dismiss the attack as largely behind us, the TTPs used were widely successful and likely aren&#8217;t going away. Learning from Solorigate means recognizing that advanced persistent threats and malware are constantly evolving to exploit victims more effectively. 
A straightforward solution is building comprehensive network and application security that can guard your network no matter the danger \u2013 a challenge easier said than met. Constant vigilance is required against an ever-evolving foe, and that means keeping up on the latest defenses and vulnerabilities and taking action to protect against them.<\/p>\n<p><strong>Also Read<\/strong>: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/sase\/\">SASE: Securing the Network Edge<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A March 2020 software update of the SolarWinds Orion management platform gave malicious actors unhindered access to key government and enterprise networks. Microsoft has dubbed the infamous supply chain compromise of SolarWinds as &#8220;Solorigate.&#8221; In December, eSecurity Planet detailed FireEye&#8217;s initial findings, implications for the industry, and how to mitigate similar attacks. Since then, much [&hellip;]<\/p>\n","protected":false},"author":250,"featured_media":17798,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[22,15],"tags":[5735,3790,30797,11623],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[382,395,379],"class_list":["post-18146","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-applications","category-threats","tag-application-security-2","tag-cybersecurity","tag-devsecops","tag-solarwinds","b2b_audience-awareness-and-consideration","b2b_product-application-security-vulnerability-management","b2b_product-firewalls-and-intrusion-prevention-and-detection","b2b_product-threats-and-vulnerabilities"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SolarWinds Hack Defenses: Protecting Against &#039;Solorigate&#039; TTPs | eSecurity Planet<\/title>\n<meta name=\"description\" content=\"The 2020 SolarWinds hack was the most significant cybersecurity event in years. 
Here&#039;s everything we know - and defenses you can implement.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SolarWinds Hack Defenses: Protecting Against &#039;Solorigate&#039; TTPs | eSecurity Planet\" \/>\n<meta property=\"og:description\" content=\"The 2020 SolarWinds hack was the most significant cybersecurity event in years. Here&#039;s everything we know - and defenses you can implement.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-03T22:44:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-12T16:50:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"675\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Sam Ingalls\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/SamIngalls\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sam Ingalls\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\"},\"author\":{\"name\":\"Sam Ingalls\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/40407ef36d4a8822d7fcd993b93faba2\"},\"headline\":\"SolarWinds Hack Defenses: Protecting Against &#8216;Solorigate&#8217; TTPs\",\"datePublished\":\"2021-02-03T22:44:23+00:00\",\"dateModified\":\"2023-05-12T16:50:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\"},\"wordCount\":3323,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png\",\"keywords\":[\"application security\",\"cybersecurity\",\"DevSecOps\",\"Solarwinds\"],\"articleSection\":[\"Applications\",\"Threats\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\",\"name\":\"SolarWinds Hack Defenses: Protecting Against 'Solorigate' TTPs | eSecurity 
Planet\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png\",\"datePublished\":\"2021-02-03T22:44:23+00:00\",\"dateModified\":\"2023-05-12T16:50:33+00:00\",\"description\":\"The 2020 SolarWinds hack was the most significant cybersecurity event in years. Here's everything we know - and defenses you can implement.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png\",\"width\":1200,\"height\":675,\"caption\":\"cybersecurity\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SolarWinds Hack Defenses: Protecting Against &#8216;Solorigate&#8217; 
TTPs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/40407ef36d4a8822d7fcd993b93faba2\",\"name\":\"Sam Ingalls\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/08\/Sam-Ingalls-Square-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/08\/Sam-Ingalls-Square-150x150.jpg\",\"caption\":\"Sam Ingalls\"},\"description\":\"Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends, for eSecurity Planet, Tech Republic, 
ServerWatch, Webopedia, and Channel Insider.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/singalls\/\",\"https:\/\/x.com\/https:\/\/twitter.com\/SamIngalls\"],\"url\":\"https:\/\/www.esecurityplanet.com\/author\/singalls\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SolarWinds Hack Defenses: Protecting Against 'Solorigate' TTPs | eSecurity Planet","description":"The 2020 SolarWinds hack was the most significant cybersecurity event in years. Here's everything we know - and defenses you can implement.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/","og_locale":"en_US","og_type":"article","og_title":"SolarWinds Hack Defenses: Protecting Against 'Solorigate' TTPs | eSecurity Planet","og_description":"The 2020 SolarWinds hack was the most significant cybersecurity event in years. Here's everything we know - and defenses you can implement.","og_url":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/","og_site_name":"eSecurity Planet","article_published_time":"2021-02-03T22:44:23+00:00","article_modified_time":"2023-05-12T16:50:33+00:00","og_image":[{"width":1200,"height":675,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png","type":"image\/png"}],"author":"Sam Ingalls","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/SamIngalls","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Sam Ingalls","Est. 
reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/"},"author":{"name":"Sam Ingalls","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/40407ef36d4a8822d7fcd993b93faba2"},"headline":"SolarWinds Hack Defenses: Protecting Against &#8216;Solorigate&#8217; TTPs","datePublished":"2021-02-03T22:44:23+00:00","dateModified":"2023-05-12T16:50:33+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/"},"wordCount":3323,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png","keywords":["application security","cybersecurity","DevSecOps","Solarwinds"],"articleSection":["Applications","Threats"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/","url":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/","name":"SolarWinds Hack Defenses: Protecting Against 'Solorigate' TTPs | eSecurity 
Planet","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png","datePublished":"2021-02-03T22:44:23+00:00","dateModified":"2023-05-12T16:50:33+00:00","description":"The 2020 SolarWinds hack was the most significant cybersecurity event in years. Here's everything we know - and defenses you can implement.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/11\/hacking-3112539_1920-e1610757696693.png","width":1200,"height":675,"caption":"cybersecurity"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/threats\/guarding-against-solorigate-ttps-solarwinds-hack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"SolarWinds Hack Defenses: Protecting Against &#8216;Solorigate&#8217; TTPs"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for 
how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/40407ef36d4a8822d7fcd993b93faba2","name":"Sam Ingalls","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/08\/Sam-Ingalls-Square-150x150.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/08\/Sam-Ingalls-Square-150x150.jpg","caption":"Sam Ingalls"},"description":"Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends, for eSecurity Planet, Tech Republic, ServerWatch, Webopedia, and Channel 
Insider.","sameAs":["https:\/\/www.linkedin.com\/in\/singalls\/","https:\/\/x.com\/https:\/\/twitter.com\/SamIngalls"],"url":"https:\/\/www.esecurityplanet.com\/author\/singalls\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/18146"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/250"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=18146"}],"version-history":[{"count":0,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/18146\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/17798"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=18146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=18146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=18146"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=18146"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=18146"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=18146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
