The cyber attack against SolarWinds and the compromises that followed should be a wake-up call to every business: look beyond traditional perimeter and endpoint defenses and move to solutions that protect your data at all times, even when the network or the endpoints themselves are compromised.
Let's take a high-level look at what happened and why this isn't just another run-of-the-mill malware attack.
On December 8th, 2020, FireEye, one of the world's largest cybersecurity companies, reported the unauthorized access to and exfiltration of its red team tools: the tools its penetration testers and other offensive operators use to break into and maintain access to customers' networks while emulating real adversaries. This is a big deal. Such tools are usually kept close to the vest, and an adversary who obtains them can modify them to build novel, hard-to-detect attacks for use in the wild.
FireEye is also one of the leading incident response companies in the US, and it investigated its own breach. Five days later, on December 13th, it was announced that the breach was the result of a supply chain attack against SolarWinds Orion, an IT infrastructure management platform used by FireEye and by many, many US Government agencies and Fortune 500 businesses. An adversary had inserted malicious code into Orion's software updates, giving the adversary a backdoor into any system running the trojanized version.
How is it that one of the world's leading cybersecurity companies was unable to detect this rogue software running on its network for months (early reports put the malicious code in place for seven months or longer)? Let's look at the traditional controls that would normally catch something like this and why each of them failed here.
Since SolarWinds Orion is deployed to manage network infrastructure at scale, firewalls are configured to allow traffic to and from the on-premises and cloud-based Orion instances and their many modules across the enterprise network. The backdoor's traffic rode on those same permitted paths.
Furthermore, the adversaries ran their command-and-control servers on Virtual Private Server (VPS) instances with IP addresses in the same country as their victims, so firewalls that rely on geo-blocking would have failed as well.
Even though this was a trojan, no antivirus program detected it. SolarWinds is a well-known software company and its programs are digitally signed by SolarWinds, so as far as antivirus was concerned the program was legitimate and allowed to run. A valid signature only shows that the file came out of SolarWinds' release process, not that the code inside it is benign; here the malicious code was signed along with everything else.
Since the compromised component of Orion (SolarWinds.Orion.Core.BusinessLayer.dll) carried a valid SolarWinds signature, application whitelisting would also let it run, especially where SolarWinds had already been whitelisted as a trusted publisher, which any company running Orion would have had to do.
Again, because Orion is a network management platform and its binaries were signed by SolarWinds, EDR platforms would allow it to run. In addition, Orion mostly lives on servers and on network and cloud management systems, where EDR agents are far less widely deployed than on user workstations.
These evasion techniques made it difficult for defenders to detect and stop the adversaries. To add even more variability, the trojan stayed dormant for up to two weeks after installation before activating, making detection and forensic timeline reconstruction even harder.
As you can see, these five failures are exactly where most businesses put the bulk of their cyber defenses, and none of them would have prevented the adversary from stealing important data from your endpoints and network. One of the largest cybersecurity companies in the world, with (almost) every defense you can imagine, was breached and its prized tools stolen by advanced adversaries.
Sometimes the bad guys are smart too. Luckily for you, we at Cigent think differently.
Given the sophistication of these attacks, we at Cigent believe you need to assume that you will be compromised, and add layers of post-breach network and endpoint security that limit the damage and protect sensitive data regardless of how sophisticated or how hard to detect an attack is.
Cigent Data Defense provides a new layer of defense, one that places protection as close to your data as possible. The solution features Cigent Secure SSD™, the first and only storage with cybersecurity built into the firmware itself, and Cigent D3E™, zero-trust MFA file access controls that protect unencrypted and encrypted data at all times, even when your network or endpoint has been compromised and your security software disabled or bypassed.
Cigent Data Defense is designed with Zero Trust as a fundamental component: access to sensitive data is not granted unless the user proves via step-up authentication that they are who they say they are, and that the process requesting the data is the one the user is actually using. Protection of your most critical data with Cigent Data Defense does not depend on detecting an attack. No matter how sophisticated, how stealthy, or how deeply embedded in the network an attacker is, your data stays locked until you, and only you, need access to it.
No hackers, no ransomware, no supply chain hacks. Regardless of the attack, Cigent has your back!
There are few absolute truths in information security, but one is that packets do not lie. Remote adversaries who have compromised your network must send and receive packets to perform command and control and to exfiltrate data. There is no way around this.
Because the adversary must send and receive packets, the pendulum of defense swings toward solutions such as Cigent for Networks (C4N). C4N is a managed Network Detection and Response (NDR) platform designed to detect and block attacks at the network layer.
In the case of the SolarWinds attack, Network Detection and Response solutions such as C4N stood the best chance of detecting the attack, because the trojanized DLL made HTTP calls to domains controlled by the attackers. That traffic was obfuscated and shaped to look like normal SolarWinds Orion API calls, which made detection difficult but not impossible: the content blends in, but the timing and volume of a periodic check-in do not. The machine learning algorithms the C4N platform uses to detect malware beacons (the repeating signals an implant sends to its command-and-control servers) could have surfaced the anomalous traffic generated by the trojan.
In addition, once the attack was publicly known, the C4N managed NDR platform was loaded with signatures and Indicators of Compromise (IOCs) from our Security Operations Center (SOC), allowing our customers to detect this attack within an hour of the news being released. The advantage of a managed NDR backed by a SOC cannot be overstated in a scenario like this.
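To make the two detection paths in the previous two paragraphs concrete, here is an added example (it is not Cigent's C4N code and does not describe how C4N works internally) that runs both over a constructed connection log: a periodicity check that flags a host checking in with a remote domain at near-constant intervals, the behavioural "beacon" pattern that needs no prior knowledge of the attacker, and a plain IOC match against a published indicator list, the fast path once an attack is public. Every host, domain, address and indicator in it is constructed; the `.example` domains and the 198.51.100.0/24 and 203.0.113.0/24 ranges are reserved for documentation. The thresholds (`min_count`, `max_cv`) are illustrative assumptions, not tuned values.

```python
"""Added example (not Cigent's C4N code): beacon hunting and IOC matching over
a constructed connection log. All hosts, domains and indicators are made up."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import List, Tuple

# Constructed flow records: <utc time> <src ip> <dst ip> <dst host> <bytes out>
# 10.0.5.20 checks in with one domain every ~30 minutes (the beacon).
# 10.0.5.31 browses an intranet server in irregular bursts (normal traffic).
# 10.0.5.44 talks twice to a host that later lands on an indicator list.
SAMPLE_LOG = """\
2020-12-14T08:00:00Z 10.0.5.20 198.51.100.23 stats.vendor-telemetry.example 512
2020-12-14T08:01:10Z 10.0.5.31 10.0.9.5 intranet.corp.example 1480
2020-12-14T08:01:12Z 10.0.5.31 10.0.9.5 intranet.corp.example 9932
2020-12-14T08:01:15Z 10.0.5.31 10.0.9.5 intranet.corp.example 221
2020-12-14T08:05:00Z 10.0.5.44 203.0.113.7 c2-placeholder.example 640
2020-12-14T08:30:04Z 10.0.5.20 198.51.100.23 stats.vendor-telemetry.example 530
2020-12-14T08:35:00Z 10.0.5.44 203.0.113.7 c2-placeholder.example 655
2020-12-14T08:47:30Z 10.0.5.31 10.0.9.5 intranet.corp.example 3071
2020-12-14T08:59:57Z 10.0.5.20 198.51.100.23 stats.vendor-telemetry.example 518
2020-12-14T09:15:02Z 10.0.5.31 10.0.9.5 intranet.corp.example 1102
2020-12-14T09:15:03Z 10.0.5.31 10.0.9.5 intranet.corp.example 87
2020-12-14T09:30:02Z 10.0.5.20 198.51.100.23 stats.vendor-telemetry.example 524
2020-12-14T09:59:59Z 10.0.5.20 198.51.100.23 stats.vendor-telemetry.example 509
2020-12-14T10:30:01Z 10.0.5.20 198.51.100.23 stats.vendor-telemetry.example 521
2020-12-14T11:02:44Z 10.0.5.31 10.0.9.5 intranet.corp.example 5610
"""

# Constructed stand-in for the indicator list a SOC pushes out once an attack
# is public. The beaconing destination is deliberately NOT on it.
IOC_INDICATORS = {"c2-placeholder.example", "203.0.113.7"}

Flow = Tuple[datetime, str, str, str, int]


def parse_log(text: str) -> List[Flow]:
    """Parse whitespace-separated records into (time, src, dst_ip, dst_host, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dst_host, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst_ip, dst_host, int(nbytes)))
    return flows


def find_beacons(flows: List[Flow], min_count: int = 5, max_cv: float = 0.15) -> List[dict]:
    """Return (src, dst_host) pairs whose connection intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is scale-free, so a
    30-second and a 30-minute beacon score alike. Real implants add jitter;
    max_cv is the tolerance for it and must be tuned per network (assumed value).
    """
    by_pair = defaultdict(list)
    for ts, src, _dst_ip, dst_host, nbytes in flows:
        by_pair[(src, dst_host)].append((ts, nbytes))
    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_count:
            continue  # too few samples to call anything periodic
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        interval_cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        sizes = [n for _, n in events]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)  # uniform payloads are a second tell
        if interval_cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(events),
                         "mean_interval_s": round(mean_gap),
                         "interval_cv": round(interval_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return hits


def match_iocs(flows: List[Flow], indicators: set) -> List[Tuple[str, str, str]]:
    """Return (time, src, dst_host) for every connection to a listed host or IP."""
    return [(ts.isoformat(), src, dst_host)
            for ts, src, dst_ip, dst_host, _ in flows
            if dst_host in indicators or dst_ip in indicators]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for hit in find_beacons(flows):
        print("BEACON", hit)   # 10.0.5.20 -> stats.vendor-telemetry.example, ~1800 s period
    for hit in match_iocs(flows, IOC_INDICATORS):
        print("IOC", hit)      # both 10.0.5.44 connections
```

The two detections complement each other the way the text describes: the IOC match finds the two connections from 10.0.5.44 immediately but only because someone already published the indicator, while the periodicity check flags 10.0.5.20 with no prior knowledge of the destination, purely from timing and payload uniformity, which is exactly what survives when the request content is disguised as legitimate vendor API traffic. The price of the behavioural approach is that it needs several check-ins before it can say anything, which is why a dormancy period like the one described above lengthens time to detection.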
Benefits of C4N: detection and response at the network layer, regardless of the device and regardless of the attack. Monitored by security professionals. Affordable, scalable, effective.