Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
CY
Newcomer II
‎12-17-2020 10:23 PM
‎12-17-2020 10:23 PM

Solarwinds supply chain attack - still a good idea to whitelist thirdparty applications at AV?

I had always been wondering if it is a good idea allow whitelisting of certain third party application and folders at anti-malware platform so that it can run smoothly without interference from AV scanning.  With whitelisting a requirement for the solarwind onion platform, whitelisting would had prevented the anti-malware from detecting malicious activities originating from the compromise software.  So should be put a stop to all such whitelisting?  Is there a good reason and guidelines to allow whitelisting safely?

Reply
4 Replies
Beads
Advocate I
‎12-17-2020 10:40 PM
‎12-17-2020 10:40 PM

Not necessarily. I put many of these types of software on a bit higher scrutiny. WAF, outer ring before the next protection zone, higher degree of logging etc. as a matter of best practice beginning after the Target fiasco. Have I found the magic bad packet? No, eventually I will or someone will get lazy and miss something stupid.

 

I am just waiting for the final forensics on this and FireEye before jumping to any conclusions, though.

 

Happy reading!

 

b/eads

Reply
Carleton
Viewer
‎12-18-2020 01:10 AM
‎12-18-2020 01:10 AM

Early this week, FireEye said that the hackers were infecting targets using Orion, a widely used network management tool from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.

MyIndigo Card
Reply
0 Kudos
rslade
Influencer II
‎12-18-2020 02:07 PM
‎12-18-2020 02:07 PM

Definitely an important question. Whitelisting should be done carefully,
particularly with applications which require pervasive permissions, and, in this
case, it still would have been extemely difficult to detect the attack, since it was
properly signed and authenticated.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Great spirits have always encountered violent opposition from
mediocre minds. - Albert Einstein
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Reply
0 Kudos
manickamk
Viewer II
‎12-21-2020 05:35 AM
‎12-21-2020 05:35 AM

Very valid question, the direction is Zero Trust and SDP.
Reply