Attivo Networks Blogs

SolarWinds Supply Chain Attack: Automating Incident Response to Detect Lateral Movement

Reading Time: 4 minutes  |  Published: December 15, 2020 in Blogs, Cyber Breach, Uncategorized

Author: Attivo Research Team – SolarWinds issued an advisory on 13 December 2020 informing users of a sophisticated attack on its Orion Platform, an application that monitors and manages IT environments. FireEye analyzed the SolarWinds Orion Platform code compromise and shared further post-analysis details in a recently released blog. It is critically important to understand that sophisticated adversaries utilizing this compromised software method of entry into an organization would likely create other beachheads inside the environment outside of SolarWinds. This likelihood means detection inside the enterprise is the key to containing and eradicating the threat actor.

Though it is too early to assess the likely significant impact of the attack across the industry and within every organization, it is clear that sophisticated attackers utilizing this method of entry into an organization would target critical and sensitive information within the enterprise. They can use this access to conduct discovery, move laterally, credential theft, privilege escalation, and data collection activities. Attackers use stealthy and slow reconnaissance to evade detection using traditional methods. Clearly, conventional endpoint and network detection products like EDR, EPP, and IDS/IPS products are not in a position to detect these activities.

Given enough time, skilled attackers can compromise the crown jewels within an enterprise after establishing a beachhead. These crown jewels could be file servers, file repositories, customer data, intellectual property, or anything else that could be of value.  Attackers reportedly used this specific attack to breach FireEye and exfiltrate their Red Team tools for security assessments.  They also compromised email servers to monitor internal email traffic at the US Treasury and Commerce departments, and likely, many more organizations. In fact, the compromised software possibly impacted around 18,000 organizations.

The Attivo Networks ThreatDefend platform and Endpoint Detection Net (EDN) Suite use various strategies, including deception, to detect and prevent such evasive attacks at very early stages. These strategies are designed as a failsafe to catch attackers by surprise once they infiltrate the organization and attempt to move laterally. The solution assumes that attackers are already inside the network, so it looks for specific activities they would conduct as they move deeper into the environment. The MITRE Corporation has periodically evaluated security solutions against known APT tactics and published results for over 20 products. Attivo Networks conducted an internal assessment and published how it can improve endpoint security, as shown by MITRE ATT&CK DIY evaluations. Hence, they would prove successful for detecting advanced and evasive attacks like those on the SolarWinds Orion Platform.

MITRE has now even created an Active Defense structure titled MITRE Shield as a supporting counter to MITRE ATT&CK, which focuses on Active Defense and Deception as the strategy’s foundation. MITRE designed it specifically to detect and support an “Assumption of Breach” mentality. This thinking can help organizations detect the adversaries already inside the enterprise by focusing on several factors, most importantly, lateral movement. Automating this detection and feeding that data to the incident response team can dramatically shrink attacker dwell times. It can also help identify other beachheads that the adversary may have created outside of the SolarWinds software.

Because many US government organizations use SolarWinds Orion, the US Cybersecurity and Infrastructure Security Agency published Emergency Directive 21-01 that covers mitigation and required actions federal agencies should take regarding the SolarWinds Orion code compromise.  Attivo recommends that customers follow the emergency directive, and the ThreatDefend platform can help implement some of the actions listed below.

  • Forensically image system memory or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1]. Analyze for new user or service accounts, privileged or otherwise.

The Attivo ThreatDefend platform supports running memory forensics on endpoints and provides a detailed analysis of the results.

  • Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.

The Attivo ThreatPath component of the Endpoint Detection Net suite of products can provide visibility into user accounts, local admin accounts, and credentials persisted on the endpoints. Customers should deploy the ThreatPath solution and monitor for new accounts created on endpoints.

  • Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.

Customers who have deployed the Attivo ThreatPath solution on systems running SolarWinds can check various credentials persisting on endpoints. Reset the passwords of all credentials where SolarWinds products are present.

Finding all persisted credentials on endpoints can be challenging. The ThreatPath solution can help identify persisted credentials by various applications on endpoints.

  • Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:

Replace the user account with Group Managed Service Account (gMSA).

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview and Implement Group Managed Service Accounts: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.

The Attivo ADSecure solution protects Active Directory from attackers querying to discover service accounts or other high privilege accounts. The solution protects both Managed Service Account and Unmanaged Service accounts by hiding them from attacker queries and replacing them with deceptive service accounts.

Apart from the actions mentioned, Attivo would recommend the following methods to accelerate and automate incident response in their organizations. IR teams can use the Attivo ThreatDefend® platform to detect attackers moving laterally inside the network.

  • Look for events originating from servers where SolarWinds® Orion Platform was present
  • Deploy authentic decoys mimicking critical assets and breadcrumbs to these assets. FireEye has attributed their stolen tools breach to the SolarWinds SUNBURST backdoor. Attackers have pivoted from compromised SolarWinds system to fileservers or code repositories hosting these tools.
  • Deploy authentic decoys of critical IT systems that an adversary might target. Specifically, deploy decoys in the VLAN’s where SolarWinds® Orion products exist to detect lateral movement and attempts to locate C&C server using DGA queries to DNS
  • Regularly assess for unauthorized devices connecting to the network and domain controllers (The Attivo BOTsink server’s Network Summary alerts on newly discovered devices and VLANs )
  • Analyze the presence of new user accounts, privilege accounts, or service accounts (The Attivo ThreatPath solution provides a view into these accounts and alerts when they get created)
  • Take steps to remediate kerberoasting attacks (The ADSecure solution hides the service accounts, thereby mitigating and preventing the possibility of kerberoasting attacks and silver ticket attack)
  • Analyze the presence of attackers on endpoints connected to the domain discovering privileges in Active Directory. ADSecure can detect and prevent further attacker movement from a domain-connected system.
  • Deploy the ThreatDefend® Deflect function to detect network reconnaissance. Deflect turns every endpoint into a decoy and engages attackers as they fingerprint and discover network services

References:

Active Directory discovery and enumeration post initial compromise:

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

The SolarWinds Orion supply chain attack stresses the need for early detection of threats that evade perimeter detection. During this time of widespread industry awareness of the issue, the adversary may have created additional beachhead accounts and gone dormant to evade detection. The Attivo Networks ThreatDefend platform and EDN suite provide advanced defensive capabilities to protect organizations from attacks like these and many others. For additional information, please visit www.attivonetworks.com.

No Comments

Post a Comment

sixteen − fifteen =