Anatomy of SolarWinds Attack

On Sunday, December 13, 2020, Reuters reported that hackers compromised the private networks of dozens of US companies and government agencies and spied on them for months without being detected. The attack targeted organizations using software licensed by the company SolarWinds, including the US Treasury Department and the Department of Commerce. A similar incident was reported a few days back by cybersecurity firm, FireEye, which coincidentally is investigating the aforesaid incident. While the details of the attacks continue to emerge, I have not yet seen details focusing on why such an attack went under the radar of so many. That’s what prompted me to share my thoughts on this blog. With this incident reaffirming that no organization is immune to these challenges, we must analyze and learn from them.

Let’s visualize this incident through the lens of the MITRE ATT&CK framework, the de-facto industry standard for the definition and classification of infrastructure wide cyberattacks.

1. The lifecycle of the attack started with an “Initial Access” technique of intrusion through malicious code in the SolarWinds Orion product. Through this technique, the hackers gained a foothold in the network.
2. The malware stayed dormant in victims’ networks for a two-week period and then activated, opening ingress backdoors, a “Command and Control” technique.
3. The backdoors enabled hackers to navigate across the network through “Discovery“ and “Lateral Movement” techniques, gain elevated credentials through “Credential Access” techniques, and “Exfiltrated” victims’ files.
4. The lifecycle began as early as March and went unnoticed for months, according to Microsoft and the cybersecurity firm FireEye.

Why did these activities go unnoticed? Today’s attacks that target data and applications do not consist of a single isolated technique taking place on a user endpoint or a single network event. Instead, they can be visualized as a “Causal” kill chain made up of multiple suspicious techniques interleaved with dormant benign behaviors exhibited over multiple hosts spanning across the entire infrastructure, often with varying degrees of time gap between the malicious techniques executed. Some campaigns can be over in minutes. Others like the SolarWinds can be slow and stealthy taking place over several months. When seen in isolation, each technique or action is not compelling enough to take action, but the accumulation of techniques over the lifecycle is what makes the overall progression malicious.

While both infrastructures, as well as attack patterns, have evolved over the last few years, security solutions in the detection and response space have remained isolated and point focussed. Endpoint based security solutions provide isolated results on user endpoints/hosts while network-based security solutions report isolated suspicious network results. Such isolated results either get lost in the noise of signals generated in an infrastructure of scale, or require human effort for top-down investigation. What is absent is a security fabric that would 1) automatically sequence causal chains of events in activity progressions as they navigate, and 2) rank those chains based on the degree of suspiciousness accumulated. Such a fabric would autonomously surface threat progressions from a plethora of benign signals, similar to the ones reported, and allow the SOC to intercept them at a stage before damages such as data capture and exfiltration.

At Confluera, we have built a fabric that autonomously identity and intercepts threats. The fabric is what enables us to build a distributed execution trail as the threat progresses across multiple hosts and over a significant time gap — the very scenario used in the attack involving SolarWinds. That is why I’m so passionate about uncovering the details of these types of attacks. Despite such attacks making the headlines, vendors like Confluera and other cybersecurity solution providers are continuously innovating.

Parting thoughts. I understand many organizations have their hands full today trying to recover from this latest round of attacks but use this incident as a gauge to measure your readiness for the next attack that’s around the corner. Ask yourself the following questions and if you’re not satisfied with the answers, put a plan in place to address them:

1. Do you have the ability to stitch together activities that may appear benign but are parts of the bigger attack?
2. Can you detect attacks that span several months, often eluding common cybersecurity solutions?
3. Perhaps most importantly, can you do the above in real-time to be able to thwart such attacks before it becomes a full-blown incident?

Learn more on how Confluera is trusted with the responsibility of workload threat interception by organizations in healthcare, accounting, manufacturing, and other verticals.