Written by: Tushar Kothari, CEO
SolarWinds develops and sells IT monitoring and management solutions that are deployed widely across the globe. Sometime in 2020, attackers compromised their build process and embedded malicious code into an update of their Orion software, impacting a subset of their eighteen thousand customers that downloaded the software. The full impact still isn’t known and may not be for the foreseeable future due to limitations of much of the existing preventative-focused security software in place at the impacted companies.
Once an impacted company installed the Orion update, which contained the malicious software with a backdoor, the backdoor contacted a command-and-control (C2) server and executed scheduled tasks to gain remote network access. Once the attackers completed the initial compromise, they moved laterally through the network and stole SAML token keys to access the organization’s critical assets.
Was this Attack Truly Undetectable?
The press and experts have been claiming this attack was undetectable. That simply isn’t true. Although well-resourced adversaries will attempt new and innovative methods to compromise targeted enterprises, there are ways to detect these compromises quickly and impose costs on the adversaries during their attacks. In fact, Gartner just published a blog titled ‘8 Controls to Thwart Sunburst and Other Supply Chain Attacks’, in which they laid out lateral movement detection, privilege escalation detection, suspicious Active Directory activity detection, and several other areas as methods of identification and the path to quick remediation. When an adversary compromises the supply chain, attack detection is challenging because the adversary comes in via a trusted route: a software update, something we do frequently and are typically trained to accept. Thus, identifying the adversaries through quick detection once they get inside the enterprise is the key to mitigating impact.
How Important was this Attack?
On February 23rd, the United States Senate Intelligence Committee held a public hearing on the SolarWinds breach. Testifying at the hearing were FireEye CEO Kevin Mandia, Microsoft President Brad Smith, CrowdStrike CEO George Kurtz, and SolarWinds CEO Sudhakar Ramakrishna. The Committee requested testimony from these individuals because FireEye was the first to find the breach inside its own enterprise, through its use of the Orion software. FireEye then notified SolarWinds, since Orion was the initial breach vector, and Microsoft, since the attack also impacted them. CrowdStrike participated in the hearing because it conducted incident response for SolarWinds. For any cyber defender, the testimony from these witnesses is a fascinating view from four different perspectives.
Kevin Mandia made some significant points from FireEye’s internal breach incident response. First, the adversary was active in the Orion software from at least March of 2020, meaning that in most cases the attacker had access to these compromised companies for at least nine months, if not longer, since cleanup and even identification continue unabated. Kevin breaks the attack into stages. In stage one, the Orion malicious software update download, “the attacker has not done anything more than crack open the window into a company.” In stage two, “they went for your keys and tokens and stole your identity architectures so they can access your networks the same way your people did, and that’s why the attack was hard to find.”
George Kurtz talks about the need to counter these attacks by enhancing identity protection and authentication. One of George’s primary points really hits home on how the pandemic has also had an impact: “The work from anywhere models, enterprise boundaries have continued to erode; this trend increases the risk of relying on traditional authentication methods and further weakens legacy security technologies.
“One of the most sophisticated aspects of the campaign was how skillfully the threat actor took advantage of the Federation Service. The Golden Attack allowed them to jump from customer on-premise environments and then from cloud-to-cloud applications, bypassing multifactor authentication.”
What Can We Do About Sophisticated Supply Chain Attacks?
Kevin Mandia and the other witnesses make the critical points in their testimony: we must protect identities, detect and prevent privilege escalation, and prevent and detect lateral movement. Some of you may be thinking: would this type of technology have stopped this supply chain breach if my company had downloaded the malicious update? No, the breach would still have happened; however, you could have identified it and mitigated the impact. More importantly, if software companies were all working diligently to protect identities, detect and prevent privilege escalation, and detect lateral movement, it’s entirely possible that the initial software supply chain breach wouldn’t have happened in the first place. Those capabilities exist today. So how do we detect it?
The Attivo Networks ThreatDefend platform provides early and accurate detection of in-network threats, regardless of attack method or surface, using deception and concealment technologies. It provides a comprehensive fabric that blankets the network with deceptive decoys, credentials, shares, bait, and other misdirections while hiding sensitive or critical data to derail adversaries early in the attack lifecycle. Automated intelligence collection, attack analysis, and third-party integrations accelerate incident response.
The ThreatDefend Platform creates an active defense against attackers using its many modular components. The Attivo BOTsink® deception servers provide decoys, the Informer dashboard displays gathered threat intelligence, and the ThreatOps® incident response orchestration playbooks drive response. The Endpoint Detection Net suite includes the ThreatStrike® endpoint module, ThreatPath® for attack path visibility, ADSecure for Active Directory defense, the DataCloak function to hide and deny access to data, and the Deflect function to redirect malicious connection attempts to decoys for engagement. The ThreatDirect deception forwarders support remote and segmented networks, while the Attivo Central Manager (ACM) for BOTsink and the EDN Manager for standalone EDN deployments add enterprise-wide deception fabric management.
The ThreatDefend platform enhances existing security controls to give the organization internal network visibility, prevention, and detection for those tactics that attackers use to bypass traditional controls. With native integration to many of these security controls, the platform accelerates incident response and enables efficient information sharing.
ThreatDefend platform customers implement the following measures to protect their organizations.
The platform provides the below functions for visibility into attacker lateral movement across the network:
- Deploy decoys mimicking critical servers, code repositories, databases, file servers, and other deceptive assets.
- Deploy ThreatDirect (TD) forwarders, either TD-VM or TD-EP, across all subnets and expand deception coverage.
- Deploy the ThreatDefend® Deflect function to detect network reconnaissance. The Deflect function turns every endpoint into a decoy and engages attackers as they fingerprint and discover network services.
For visibility into credential theft and to protect sensitive or critical data, the platform can:
- Deploy ThreatStrike lures across all endpoints, leading attackers to decoys.
- Deploy SMB mapped shares to decoys.
- Apply DataCloak policies to restrict access to production network file shares, OneDrive mapped drives, or other sensitive storage from attacker tools.
- Apply DataCloak policies to restrict access to data documents on endpoints from attacker tools.
The following functions can detect credential exposures and improve cyber hygiene:
- Find exposed Lateral Movement Paths using the ThreatPath solution and remediate them.
- Analyze the presence of new user accounts, privileged accounts, or service accounts on endpoints and in Active Directory using the ThreatPath solution.
The platform also provides the following Active Directory Protection mechanisms:
- The ADSecure solution hides the real service accounts, preventing kerberoasting and silver ticket attacks while alerting in real time when they are attempted.
- Detect attackers on domain-connected endpoints as they discover Active Directory privileges, with real-time visibility into domain enumeration.
- The ADSecure solution detects and prevents attacker lateral movement from a domain-connected system.
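As an added example (written for this post, not Attivo’s product code), here is how the lures and decoys listed above, planted credentials, decoy file servers and decoy service accounts, turn attacker activity into high-confidence alerts: since no legitimate process ever uses a decoy, a single logon with a decoy account, a network logon to a decoy host, or a Kerberos service ticket request for a decoy SPN is enough to alert, and one source touching several decoys is flagged as lateral movement. The decoy names, the key=value log format and the sample events are constructed; Windows event IDs 4624 (logon) and 4769 (service ticket request) are real, and RC4 encryption type 0x17 is a common kerberoasting indicator.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (hypothetical names) planted as lures. Nothing
# legitimate authenticates with them, so any use is a high-confidence signal.
DECOY_ACCOUNTS = {"svc-backup-dc02", "adm-jsmith-old"}
DECOY_SPNS = {"MSSQLSvc/sql-archive.corp.example:1433"}
DECOY_HOSTS = {"sql-archive.corp.example", "fs-legacy.corp.example"}

# Constructed sample events (Windows 4624 logons and 4769 service ticket
# requests) flattened into a simple key=value line format for this example.
SAMPLE_LOGS = """\
ts=2020-12-14T03:12:07Z event=4624 user=jdoe src=10.1.4.22 host=ws-114 logon_type=2
ts=2020-12-14T03:13:40Z event=4769 user=jdoe svc=MSSQLSvc/sql-archive.corp.example:1433 etype=0x17 src=10.1.4.22
ts=2020-12-14T03:15:02Z event=4624 user=svc-backup-dc02 src=10.1.4.22 host=fs-legacy.corp.example logon_type=3
ts=2020-12-14T03:16:11Z event=4624 user=jdoe src=10.1.4.22 host=ws-114 logon_type=2
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict (empty for blank lines)."""
    return dict(KV.findall(line))

def decoy_alerts(ev):
    """Alerts raised by one parsed event: (kind, source address, decoy touched)."""
    alerts = []
    if ev.get("event") == "4769" and ev.get("svc") in DECOY_SPNS:
        # A service ticket for a decoy SPN: no real client ever needs one, so the
        # request itself (RC4 etype 0x17 or not) points at kerberoasting.
        alerts.append(("kerberoast_decoy_spn", ev["src"], ev["svc"]))
    if ev.get("event") == "4624" and ev.get("user") in DECOY_ACCOUNTS:
        alerts.append(("decoy_credential_use", ev["src"], ev["user"]))
    if ev.get("event") == "4624" and ev.get("host") in DECOY_HOSTS:
        alerts.append(("decoy_host_access", ev["src"], ev["host"]))
    return alerts

def detect(log_text):
    """Per-event decoy alerts, then one lateral-movement alert per source that touched >1 decoy."""
    alerts, touched = [], defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        for kind, src, target in decoy_alerts(ev):
            alerts.append({"kind": kind, "src": src, "target": target, "ts": ev.get("ts")})
            touched[src].add(target)
    for src, targets in touched.items():
        if len(targets) > 1:
            alerts.append({"kind": "lateral_movement_from_src", "src": src,
                           "target": sorted(targets), "ts": None})
    return alerts
```

Running `detect(SAMPLE_LOGS)` yields three decoy alerts for the one source address and a fourth alert tying them together as lateral movement; the normal user logons produce nothing.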
The SolarWinds Orion supply chain attack stresses the need for early detection of threats that evade perimeter and preventative-focused defenses. During this time of widespread industry awareness of the issue, the adversary has likely created additional beachhead accounts and gone dormant to avoid detection. The Attivo Networks ThreatDefend platform and EDN suite provide advanced defensive capabilities to protect organizations from attacks like these and many others. For additional information, please visit www.attivonetworks.com.