Lessons from the solarwinds breach: there is nothing new under the sun?
In light of recent events, security leaders must accelerate adoption of active defense and adversary engagement strategies to proactively mitigate risk.
A Gut Punch & A Wake-up Call
Closing a year tortured by a deadly virus, economic hardship, and chaos, we recently learned that as many as 18,000 federal agencies and Fortune 500 companies have been thrown into crisis via a SolarWinds cyber-attack. According to S.E.C. filings, the malware was resident on SolarWinds software from March to June of this year, which means the attackers have had free access to victims’ networks for nearly a year. According to the Cybersecurity & Infrastructure Security Agency (CISA), “This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
There is Nothing New Under the Sun
“What has been will be again, what has been done will be done again; there is nothing new under the sun.” – Ecclesiastes 1:9
The techniques used in the recent advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations were advanced, but they were not new. The success of those attacks, rather than signifying a jump in the adversary’s capabilities, indicates that defenders have fallen behind in the cyber arms race.
Security programs cannot continue to fight tomorrow’s war with yesterday’s weapons and hope for a positive result. It is our belief that in light of those recent events security leaders must accelerate adoption of active defense and adversary engagement strategies to mitigate such risks.
Blow-by-Blow Rundown of the Attack
Early evidence points to Russian state actors known for their advanced tradecraft. But we also know that supply chain attacks are not new. Neither are many of the TTPs utilized in the attack.
The initial vector was a modified SolarWinds Orion plug-in (SUNBURST) which was distributed during platform updates. The trojanized component is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.
Once in the network, the actors gained privileged access to and management of both cloud and on-premise resources. How they achieved that is detailed here. One of the techniques used was to compromise on-premise, federated SSO infrastructure and steal the credentials or private keys used to sign SAML tokens (TA0006, T1552, T1552.004). Using the private keys, the actors then forged trusted authentication tokens to access cloud resources.
After a dormant period of up to two weeks, the attacker retrieved and executed jobs that included the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.
FireEye reported that the backdoor was used to deliver a new malware dropper called TEARDROP that loads directly in memory and does not leave traces on the disk. Attackers used temporary file replacement techniques to remotely execute their tools. This means they modified a legitimate utility on the targeted system with their malicious one, executed it, and then replaced it with the legitimate one.
A similar technique involved the temporary modification of system scheduled tasks by updating a legitimate task to execute a malicious tool and then revert the task back to its original configuration.
SUNBURST also used multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, perhaps because they used DLLs versus executables, and the DLLs were signed by SolarWinds certificates.
Malware network traffic runs under Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plug-in configuration files allowing it to blend in with legitimate activity.
What Can We Learn? It’s Not If, But When.
This is a wake-up call for cybersecurity. It’s time we admit that the enemy has their opponent’s playbook. They’ve figured out how to dance around conventional defenses. Yes, the techniques were advanced, but they were not new, and they will become more common. Exploiting a vulnerable supply chain partner has been done before. Malware signed with a legitimate certificate was once considered advanced. Today it’s routine. SAML forgery has been known and used since at least 2017.
Once attackers enter the network with legitimate credentials and escalate to privileged access, they will use legitimate, common utilities and make little, undetectable moves. They will be indistinguishable from well-behaved insiders doing ordinary things, moving quietly until they reach “the crown jewels.”
“Insanity is doing the same thing over and over and expecting different results.”
– maybe Albert Einstein
It took eight months to discover this attack. It’s clear that conventional defenses aren’t sufficient. With a breach like this, one may think that it’s nearly impossible to keep pace with attack techniques, but one thing never changes: the attacker’s objectives. We can reduce our exposure by populating the attack surface with traps. The network is the battleground. It’s time to plant landmines, and not just a few, but as many as possible.
Using Active Defense and Deception Technology to Mitigate Advanced Attacks
As outlined in a recent Wall Street Journal article, our customers have been able to transform their security program by leaning forward and adopting Active Defense and Deception technology.
This new method, unlike firewalls, doesn’t try to bar intruders from getting in. Instead, Deception technology scatters fake information, such as false credentials that can be used to access vital information throughout a company’s network to lure attackers. Then, when the false information gets hacked, the company is alerted and can either kick out the bad guys or isolate them from the rest of the network to study their methods and better identify them in the future.
In fact, CSO Magazine recently predicted that new use cases, MITRE Shield support, and greater awareness will drive new market growth and penetration, making 2021 a big year for Deception technology.
Below are some examples that we’ll cover and elaborate on further in a later blog post:
- With proper deployment, TrapX decoys divert attackers away from real assets, allowing the attacker to perform its techniques against our deceptive components.
- While the attack sat dormant to evade products like EDR, including the use of signed certificates and non-binary code, it was clearly designed to look legitimate and evade detection. With Deception, lateral movement is exposed when it encounters a trap, regardless of how “undetectable” it is.
- With our built-in partner ecosystem, TrapX can immediately isolate an attack upon detection.
Adopting Active Defense: Find the Right Partner
Let’s not be naïve. Reducing the risk of advanced threats is a complex task. Think of it as a journey involving people, process, and technology, rather than deployment of a tool.
At TrapX, we pride ourselves in leading this new wave with the most public case studies, the most customers, and a depth of experience gained by partnering with some of the world’s largest organizations to build their active defense program.
If you’re looking to adopt active defense or even just learn more, I invite you to get in touch with us.