We’re still learning the full extent of the SolarWinds supply chain attacks. On January 11, for instance, researchers published a technical breakdown of a malicious tool detected as SUNSPOT that was employed as part of the infection chain involving the IT management software provider’s Orion platform.
That same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that the list of federal agencies affected by the attacks was likely to grow beyond just the U.S. Departments of Commerce, Energy, Treasury and Justice.
“The number [of federal victims] is likely to grow with further investigation,” said CISA Acting Director Brandon Wales. “That being said, we do believe that the number will remain extremely small because of the highly targeted nature of this campaign. And that is going to be true for both government and private-sector entities compromised.”
A Shifting Attack Landscape
The fact remains that despite targeting hundreds or even thousands of organizations, the attackers were able to remain completely undetected for up to a year or longer. This begs the question: how can an operation that is so widespread remain under the radar for so long?
“The attackers appear to have been active on multiple systems at numerous customers of SolarWinds simultaneously. These attacks exemplify the fact that despite many indicators of compromise being available for discovery, the attacks remained undiscovered because the context and correlations necessary to connect the dots and reveal the full picture of the malicious operations probably were buried in a barrage of alerts that required manual investigation,” said Sam Curry, CSO at Cybereason.
“The security professionals monitoring the networks of the compromised organizations were no doubt busy trying to triage, prioritize and follow up on individual, isolated events but were unable to detect the related activity across multiple devices, platforms and users at the same time to reveal the attack.”
These challenges reflect the extent to which the network has changed in the past few years. Mobile devices, cloud computing, the Internet of Things… all of these have expanded the network’s boundaries. Gone are the days when a few laptops and servers sat in a well-defined perimeter. The network is much more complex and porous today.
Such complexity has contributed to a rise in the number alerts received by security teams. Some of these alerts might correspond to benign network activity - when investigated, security professionals would ultimately find a false positive. Some might pertain to legitimate security issues, but because they lack context they’ll point to only one facet of the issue and not provide security teams with a holistic view of the problem. Subsequently, security pros might identify a security incident but fail to understand its full scope and not uncover the larger malicious operation.
That’s not the only issue, either. Years ago, security professionals relied on indicators of compromise (IOCs) to help protect organizations against digital attacks. They analyzed any malware files, associated domains, and other forensic artifacts that they found over the course of their investigation of an attack. They then used those IOCs to update their signature-based databases in an effort to protect organizations against that attack.
It’s all very different now. Sure, security researchers are still leveraging IOCs associated with “spray-and-pray” attack campaigns and similarly generic attack attempts but that’s not the case with attacks like SolarWinds that are more sophisticated and targeted.
“IOCs typically do not exist for advanced attacks, as nefarious individuals devise unique elements specifically for those operations. They’re using techniques like Living-off-the-Land that leverages native system components like PowerShell or WMI to perform their malicious functions,” Curry explained.
“In those cases, there is no malicious code to detect. Key to detecting and remediating this type of threat is the practice of leveraging the more subtle IOBs (indicators of behavior). These actions may resemble legitimate activities, but they nonetheless raise suspicions because the activity is extremely rare (low probability), the activity is potentially highly valuable to an attacker, or the activity is detected along with other rare or unlikely events on the network.”
Where This Leaves Organizations
Div says that the outdated security approach of relying on context-less alerts can’t keep up with today’s sophisticated threats, and that from a defender’s standpoint, we’ll never turn the tables on attackers and rapidly uncover malicious operations by chasing uncorrelated alerts.
“We need to arm security analysts with tools to make the connection between disparate indicators of compromise—and, more importantly, the more subtle indicators of behavior associated with an attack—so that they can quickly detect and respond to malicious operations with surgical precision,” Curry said.
“That’s the only way to reverse the adversary advantage: detecting earlier and remediating faster; thinking, adapting and acting more swiftly than attackers can adjust their tactics; and having the confidence as defenders that we can reliably intercept and eliminate emerging threats before an attack escalates to the level of a costly breach event.”
Organizations are well advised to adopt a different approach to security - an Operation-Centric approach that begins with assuming a post-breach mentality. This approach combines endpoint telemetry powered by contextualized intelligence from across the network based on behavior analytics, and it extends this blend of detection and response capabilities across the endpoint, the enterprise and to the entire network.
“In doing so, it makes the task of understanding the full attack story behind any incident significantly easier. Context gives security teams what they need to figure out what’s going on in the network. That holds true even if the activity doesn’t come with any IOCs,” Curry noted.
“An Operation-Centric approach leverages correlations between IOBs across devices and users as well as allows for the detection of attacks more quickly than traditional approaches. Faster detection means faster remediation, thereby ending attacks before they become breach events.”
More information about Cybereason’s Operation-Centric approach to security can be found here.