CY
Newcomer II

SolarWinds supply chain attack - still a good idea to whitelist third-party applications at AV?

I had always been wondering if it is a good idea to allow whitelisting of certain third-party applications and folders at the anti-malware platform so that they can run smoothly without interference from AV scanning. With whitelisting a requirement for the SolarWinds Orion platform, whitelisting would have prevented the anti-malware from detecting malicious activities originating from the compromised software. So should we put a stop to all such whitelisting? Is there a good reason, and are there guidelines, to allow whitelisting safely?

4 Replies
Beads
Advocate I

Not necessarily. I put many of these types of software under a bit higher scrutiny: WAF, outer ring before the next protection zone, higher degree of logging, etc., as a matter of best practice, beginning after the Target fiasco. Have I found the magic bad packet? No; eventually I will, or someone will get lazy and miss something stupid.

I am just waiting for the final forensics on this and FireEye before jumping to any conclusions, though.

Happy reading!

b/eads

Carleton
Viewer

Early this week, FireEye said that the hackers were infecting targets using Orion, a widely used network management tool from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.

rslade
Influencer II

Definitely an important question. Whitelisting should be done carefully, particularly with applications which require pervasive permissions, and, in this case, it still would have been extremely difficult to detect the attack, since it was properly signed and authenticated.

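The original question asks for guidelines that allow whitelisting safely, and the reply above says exclusions should be scoped carefully for software with pervasive permissions. As an added example (editorial, not code from this thread, from SolarWinds, or from any AV vendor), here is a small Python linter that applies the usual scoping rules to an exported exclusion list: exclude specific files rather than whole directories, never a whole volume, a wildcard or an extension, and never a user-writable location. The entries in SAMPLE_EXCLUSIONS are constructed, and "VendorNMS" is a hypothetical product, not Orion.

```python
"""Lint an anti-malware exclusion list against conservative scoping rules.

Added example, not code from the thread or from any AV vendor.  The entries
in SAMPLE_EXCLUSIONS are constructed; "VendorNMS" is a hypothetical
network-management product, not SolarWinds Orion.  The rules encode common
vendor guidance (exclude specific files; never whole volumes, wildcards,
extensions or user-writable paths), not any product's official policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Directories any local user can normally write to (normalised, lower-case).
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\", "c:\\programdata\\")
_RANK = {"ok": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    kind: str                 # "path" | "process" | "extension"
    value: str                # the exclusion exactly as configured
    severity: str = "ok"
    reasons: list[str] = field(default_factory=list)


def _bump(f: Finding, level: str, reason: str) -> None:
    """Raise severity (never lower it) and record why."""
    if _RANK[level] > _RANK[f.severity]:
        f.severity = level
    f.reasons.append(reason)


def _norm(value: str) -> str:
    v = value.strip().replace("/", "\\").lower()
    while "\\\\" in v:                      # collapse doubled separators
        v = v.replace("\\\\", "\\")
    return v


def _is_dir(path: str) -> bool:
    """Trailing separator, or a last component with no extension."""
    return path.endswith("\\") or "." not in path.rsplit("\\", 1)[-1]


def lint_path(raw: str) -> Finding:
    f, p = Finding("path", raw), _norm(raw)
    if re.fullmatch(r"[a-z]:\\?", p) or p.strip("\\") in ("", "*"):
        _bump(f, "high", "excludes an entire volume")
        return f
    if "*" in p or "?" in p:
        _bump(f, "high", "wildcard matches paths nobody reviewed")
    if p.startswith(USER_WRITABLE):
        _bump(f, "high", "user-writable location: attacker-dropped files run unscanned")
    if _is_dir(p):
        _bump(f, "medium", "whole directory; scope to the specific binaries or data files that need it")
    return f


def lint_process(raw: str) -> Finding:
    f, p = Finding("process", raw, "medium"), _norm(raw)
    f.reasons.append("process exclusion: every file the process opens is unscanned, "
                     "including anything it is tricked into loading")
    if "\\" not in p:
        _bump(f, "high", "unqualified name: any binary with this name, anywhere, inherits the exclusion")
    elif p.startswith(USER_WRITABLE):
        _bump(f, "high", "process image lives in a user-writable location")
    return f


def lint_extension(raw: str) -> Finding:
    return Finding("extension", raw, "high",
                   ["extension exclusion applies everywhere on disk, including user-writable paths"])


_LINTERS = {"path": lint_path, "process": lint_process, "extension": lint_extension}


def lint_exclusions(entries: list[tuple[str, str]]) -> list[Finding]:
    """entries: (kind, value) pairs as exported from the AV console."""
    return [_LINTERS[kind](value) for kind, value in entries]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"ok": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: the kind of list an over-generous vendor "exclusion guide" asks for.
SAMPLE_EXCLUSIONS = [
    ("path", "C:\\Program Files\\VendorNMS\\Bin\\Collector.exe"),   # scoped to one file
    ("path", "C:\\Program Files\\VendorNMS\\"),                     # whole install dir
    ("path", "C:\\ProgramData\\VendorNMS\\Cache\\"),                # user-writable
    ("path", "C:\\"),                                               # entire volume
    ("path", "C:\\Program Files\\*\\Plugins\\"),                    # wildcard
    ("extension", ".dll"),
    ("process", "Collector.exe"),                                   # unqualified name
    ("process", "C:\\Program Files\\VendorNMS\\Bin\\Collector.exe"),
]

if __name__ == "__main__":
    findings = lint_exclusions(SAMPLE_EXCLUSIONS)
    for f in findings:
        print(f"{f.severity:6} {f.kind:9} {f.value}")
        for r in f.reasons:
            print(f"         - {r}")
    print(summarize(findings))
```

The point of the linter is that "whitelist the product" is never a single decision: each entry either names one file in a location only administrators can write, or it quietly widens what an attacker who already controls that product (as in the Orion case) can run without inspection. Anything the linter flags "high" should be replaced by a narrower entry or dropped; "medium" entries are the ones worth negotiating with the vendor.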
manickamk
Viewer II

Very valid question; the direction is Zero Trust and SDP.