topic Re: Solarwinds supply chain attack - still a good idea to whitelist thirdparty applications at AV? in Threats https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41780#M172 Definitely an important question. Whitelisting should be done carefully,<BR />particularly with applications which require pervasive permissions, and, in this<BR />case, it still would have been extemely difficult to detect the attack, since it was<BR />properly signed and authenticated.<BR /><BR />====================== (quote inserted randomly by Pegasus Mailer)<BR />rslade@gmail.com rmslade@outlook.com rslade@computercrime.org<BR />Great spirits have always encountered violent opposition from<BR />mediocre minds. - Albert Einstein<BR />victoria.tc.ca/techrev/rms.htm <A href="http://twitter.com/rslade" target="_blank">http://twitter.com/rslade</A><BR /><A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank">http://blogs.securiteam.com/index.php/archives/author/p1/</A><BR /><A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank">https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413</A> Fri, 18 Dec 2020 19:07:19 GMT rslade 2020-12-18T19:07:19Z Solarwinds supply chain attack - still a good idea to whitelist thirdparty applications at AV? https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41766#M169 <P>I had always been wondering if it is a good idea allow whitelisting of certain third party application and folders at anti-malware platform so that it can run smoothly without interference from AV scanning.&nbsp; With whitelisting a requirement for the solarwind onion platform, whitelisting would had prevented the anti-malware from detecting malicious activities originating from the compromise software.&nbsp; So should be put a stop to all such whitelisting?&nbsp; Is there a good reason and guidelines to allow whitelisting safely?</P> Fri, 18 Dec 2020 03:23:23 GMT https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41766#M169 CY 2020-12-18T03:23:23Z Re: Solarwinds supply chain attack - still a good idea to whitelist thirdparty applications at AV? https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41767#M170 <P>Not necessarily. I put many of these types of software on a bit higher scrutiny. WAF, outer ring before the next protection zone, higher degree of logging etc. as a matter of best practice beginning after the Target fiasco. Have I found the magic bad packet? No, eventually I will or someone will get lazy and miss something stupid.</P><P>&nbsp;</P><P>I am just waiting for the final forensics on this and FireEye before jumping to any conclusions, though.</P><P>&nbsp;</P><P>Happy reading!</P><P>&nbsp;</P><P>b/eads</P> Fri, 18 Dec 2020 03:40:04 GMT https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41767#M170 Beads 2020-12-18T03:40:04Z Re: Solarwinds supply chain attack - still a good idea to whitelist thirdparty applications at AV? https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41770#M171 <P>Early this week, FireEye said that the hackers were infecting targets using Orion, a widely used network management tool from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.</P> Fri, 18 Dec 2020 06:10:47 GMT https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41770#M171 Carleton 2020-12-18T06:10:47Z Re: Solarwinds supply chain attack - still a good idea to whitelist thirdparty applications at AV? https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41780#M172 Definitely an important question. Whitelisting should be done carefully,<BR />particularly with applications which require pervasive permissions, and, in this<BR />case, it still would have been extemely difficult to detect the attack, since it was<BR />properly signed and authenticated.<BR /><BR />====================== (quote inserted randomly by Pegasus Mailer)<BR />rslade@gmail.com rmslade@outlook.com rslade@computercrime.org<BR />Great spirits have always encountered violent opposition from<BR />mediocre minds. - Albert Einstein<BR />victoria.tc.ca/techrev/rms.htm <A href="http://twitter.com/rslade" target="_blank">http://twitter.com/rslade</A><BR /><A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank">http://blogs.securiteam.com/index.php/archives/author/p1/</A><BR /><A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank">https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413</A> Fri, 18 Dec 2020 19:07:19 GMT https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41780#M172 rslade 2020-12-18T19:07:19Z Re: Solarwinds supply chain attack - still a good idea to whitelist thirdparty applications at AV? https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41835#M173 Very valid question, the direction is Zero Trust and SDP. Mon, 21 Dec 2020 10:35:58 GMT https://community.isc2.org/t5/Threats/Solarwinds-supply-chain-attack-still-a-good-idea-to-whitelist/m-p/41835#M173 manickamk 2020-12-21T10:35:58Z