Page 70 - Cyber Defense eMagazine April 2021 Edition
Once the Trojanised software has been installed by the customers, the threat actor can execute the
malicious code to continue the next leg of the attack. In the case of SolarWinds, the main objective
appears to be reconnaissance, and it is speculated that the perpetrators used it to gain a critical
understanding of the operations and tools used by the customer companies – in this case primarily US
governmental agencies. While quiet observation was the goal here, supply chain attacks like this could
also conceivably be used to launch large scale, debilitating cyber attacks striking multiple high value
targets simultaneously.
Another significant factor in the attack is the extraordinary dwell time the adversaries achieved. It was
eventually determined that Orion updates between March and June 2020 had been infected with
Sunburst, with the breach not being reported publicly until December 2020. This indicates a timescale of
several months where attackers had free rein in the SolarWinds supply chain, and an even longer period
within SolarWinds’ own systems.
Investigations have noted several tricks used by the attackers to mask their presence for such an extended
period. Commercial cloud servers such as Amazon, Microsoft and GoDaddy were used to host the
command-and-control centres for the attack, making it much easier to hide communications in mundane
traffic. Much of the malware used in the attacks was also newly created, and therefore did not match any
known threat signatures.
Traditional detection tools won’t cut it
The biggest takeaway for any organisation from the SolarWinds attack is that they can no longer rely on
traditional signature-based threat detection to keep up with malicious activity. The SolarWinds attack was
so successful in part because the adversaries left almost no traditional indicators of compromise. The
organisations infected by the Trojanised Orion software were entirely blind to the intruders in their networks.
The use of legitimate cloud hosts for the C2 traffic also meant communications were well hidden from
standard detection tools, and this is an approach we are seeing more of in the wild. Even resources like
Dropbox, Twitter and Slack have been subverted into C2 channels.
Similarly, attackers “living off the land” using legitimate capabilities from Microsoft Office 365, including
email, SharePoint, and others such as Power Automate and eDiscovery, are able to hide in plain sight for
extended periods of time.
Detecting this kind of careful and sophisticated attack means going deeper and looking for subtle signs
of suspicious activity that may indicate a compromised account attempting to achieve lateral movement.
One of the most effective weapons to fight against this threat is Network Detection and Response (NDR)
tooling powered by AI analytics. These solutions continually monitor the entire environment, spanning both
traditional IT and cloud networks, to rapidly detect signs of compromise.
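A minimal illustration of the behavioural approach described above, added here as an example and not taken from the article or from any NDR product: constructed flow records to a made-up cloud host, an indicator lookup that finds nothing, and a timing-regularity check that still flags the polling implant. All host names, flows and the blocklist are constructed.

```python
# Added example with constructed data; nothing here is a SolarWinds indicator.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, source host, destination).
# "ws-17" checks in roughly every 600 s with small jitter, the way an implant
# polling a cloud-hosted C2 endpoint would; "ws-04" fetches the same CDN name
# at irregular intervals, the way a user's browser does.
IMPLANT_JITTER = [0, 7, -5, 12, -9, 3, -4, 8]
FLOWS = [(i * 600 + j, "ws-17", "cdn.example-cloud.test")
         for i, j in enumerate(IMPLANT_JITTER)]
FLOWS += [(t, "ws-04", "cdn.example-cloud.test")
          for t in (0, 45, 2310, 2330, 2360, 5000, 5002, 9800)]

# Placeholder blocklist: the legitimate cloud host is, by design, not on it.
KNOWN_BAD = {"malware-dropper.example"}


def ioc_matches(flows, known_bad):
    """Signature-style check: flows whose destination is a known indicator."""
    return [f for f in flows if f[2] in known_bad]


def beacon_scores(flows, min_events=6):
    """Coefficient of variation of inter-arrival gaps per (source, destination).
    Low values mean evenly spaced connections: rare for people, typical of polling."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:
            continue  # everything at one instant is a burst, not a beacon
        scores[pair] = pstdev(gaps) / mean(gaps)
    return scores


def find_beacons(flows, max_cv=0.1, min_events=6):
    """(source, destination) pairs whose timing looks like a beacon."""
    return sorted(p for p, cv in beacon_scores(flows, min_events).items()
                  if cv <= max_cv)


if __name__ == "__main__":
    print("IoC hits:", ioc_matches(FLOWS, KNOWN_BAD))
    print("Beacons:", find_beacons(FLOWS))
```

Real deployments tune `max_cv` and `min_events` against baseline traffic and combine the score with volume and destination-rarity features, since a short window of a scheduled job can also look periodic.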
The power of AI analytics means huge amounts of data can be crunched in moments, accomplishing in a
couple of hours what would otherwise take days of intensive work from human security analysts.
This capability means that, even if threat actors infiltrate the network with a technique as devious and
subtle as a supply chain attack, the security team has a strong chance of identifying and stopping the
attack before it can escalate. Likewise, the software developer being targeted to propagate a supply chain
attack will also have a much better shot at detecting intruders creeping their way through the network
towards their source code. The ability to spot and halt a sophisticated and careful attacker before they can
Trojanise the product will stop a single breach from spiralling into a major incident that impacts thousands
of customers in the supply chain.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.