Attivo Networks Blogs

Sunburst and Breaking the Kill-Chain

Reading Time: 4 minutes  |  Published: March 2, 2021 in Active Directory, Blogs

Written by: Tony Cole, CTO – Sometime in early 2020, malicious code was injected into the SolarWinds Orion software build process. Enterprises around the globe widely deploy this network management and monitoring software. Unsuspecting companies followed their regular patch and update cadence when SolarWinds provided an Orion update. Unfortunately, that action embedded a backdoor into a critical system within their enterprise, giving an attacker initial access to multiple endpoints. In this case, doing the right thing, updating systems, ended up causing major issues and became one of the most impactful breaches to date: it could have affected approximately eighteen thousand companies had the adversary targeted them all. It didn’t matter whether the server was fully patched, and the attackers didn’t need a zero-day exploit. We place too much trust in our supply chain today, even though we know its security is a significant issue and an area neglected for decades. We must change that now if we are going to counter a growing threat. An assume-breach mentality is required, and instrumentation to detect threats inside the enterprise is a key factor in mitigation.

Gartner recently released a blog titled 8 Controls to Thwart Sunburst and Other Supply Chain Attacks, which contains some insightful information. As the author Thomas Lintemuth states: “Supply chain software attacks are a difficult and growing problem. While it is true there is no amount of vulnerability management that can prevent these attacks, there are security controls that can assist in detecting and shutting down the attack before an attacker can exfiltrate data.” It’s clear that the author believes we can stop these attackers from accomplishing their goals in the vast majority of cases by detecting them inside the enterprise and preventing data exfiltration. There are naysayers who state that these types of attacks will always be successful. Here at Attivo Networks, we don’t concur, and many notable experts agree with us. There’s a reason Gartner, NIST, and MITRE are all talking about detection inside the wire as a critical component of detecting and slowing the adversary. In this blog, let’s talk about what Gartner says and dive a little deeper.

Gartner provides the twelve steps of the SunBurst Attack in the diagram below along with the columns for the ‘Purpose’ of each step, the ‘Activity to Detect,’ and the ‘Control’ to detect the adversary. Although there are some great suggestions in this blog, there are some missing pieces we can look at as well. Those missing pieces can help strengthen your security posture and help your team defend against these sophisticated attacks, regardless of origin.

It’s essential to look at this breach from both the supply chain company’s and the breach victim’s perspective. Obviously, the supply chain company that had the malicious code injected is also a victim; however, it too can put controls in place that could potentially stop this activity from ever happening. It doesn’t matter whether the attack came in via a trusted software update, a zero-day exploit, or a spearphishing email. Attackers will get in sooner or later, and we should all take an assume-breach mentality. Of significant note, mitigation should focus on how quickly you can detect intrusions inside your enterprise, so that any real impact on your company is eliminated. Let’s look at what Attivo can do in each of the Gartner-defined steps below.

Again, since we know that it doesn’t matter how the adversary gets in, let’s change Step 1 to simply ‘Breach.’ Yes, there are tools that we all have to prevent that activity; however, as we know, they sometimes fail or are evaded, and this can have a dramatic and significant impact.

When we look at Step 2, we’ll change this to ‘Malicious code activates’ simply because this applies to any attack, not just the SolarWinds breach. EDR and Whitelisting are important and can certainly help for some attacks, just not this one (in general). However, it ignores one significant area here – protecting Active Directory.

Let’s look a little closer at the diagram below. Attivo Networks’ ADSecure solution hides the service accounts, thereby removing the opportunity for kerberoasting or silver ticket attacks. It analyzes domain-connected endpoints that attempt to discover AD privileges while providing visibility into attempted domain enumeration. This function allows for the detection and prevention of attacker lateral movement from a domain-connected system.

When you look at the entirety of the Attivo Networks ThreatDefend platform, it provides ample other coverage as well. Step 3, DNS lookups to avsvmcloud.com, is covered by our BOTsink feature ‘Domain Generation Algorithm detection.’ Step 4, C2 outbound HTTPS tunnel, is covered via BOTsink again, this time with ‘Network decoy sinkhole access.’ Step 6, Domain reconnaissance, is another area covered with ADSecure ‘LDAP query awareness and misinformation.’ Step 7, Access other systems on network, is covered with the ‘ThreatDefend Platform (Network decoys + EDN).’ Step 8, Move to ADFS server to obtain SAML signing certificate, is also covered with the ‘ThreatDefend Platform (Network decoys + EDN).’ We go even further with Step 10, ‘Attackers add trusted domains to Azure AD,’ expanding Active Directory protection with ADAssessor. That solution allows defenders to discover and remediate exposures in AD before the breach takes place. Finally, Step 12, Access Email, is covered with ‘Cloud Account Monitoring + EDN (ThreatStrike).’

So, in this case, as you track the attackers’ path through the enterprise, detection would occur:

  • as they move laterally across devices
  • when they attempt to use credentials stolen from endpoints
  • when they perform LDAP enumeration
  • if they perform a DCSync attack
  • if they attempt to escalate to Domain Admin credentials or steal SAML signing keys

As you can see, there are ample opportunities with Attivo technology to find and remove potential lateral movement paths and clean up Active Directory issues before the attack. If the attacker does get into the enterprise, you can stop privilege escalation, prevent lateral movement, and detect the adversary quickly, thereby breaking the attack kill-chain in numerous places.

Gartner has done an excellent job of providing information that cyber defenders can use to defend their businesses against a supply chain attack. This blog adds a bit more color to the controls defenders truly have available, and helps them answer the question of how well they are prepared to combat a similar supply chain attack. Learn more at attivonetworks.com
