December 18, 2020

What Does the SolarWinds Orion Attack Say about the State of Cybersecurity?

While the reports are still rolling in, we have a pretty good understanding of what occurred with the recent SolarWinds attack.

Malicious actors, possibly Russian state-sponsored hackers, were able to gain access to government agencies, large enterprise organizations and even cyber vendors in the USA through an attack known as an advanced persistent threat (APT) and compromise the software build system for SolarWind’s Orion monitoring platform. 

It was a sophisticated zero-day attack that allowed the delivery of trojan horse malware to those Orion customers that downloaded an infected Windows Installer Patch file between March and June of 2020. Once an end user deployed the patch, it introduced the malware, enabling entry into an organization’s network via access to servers running the Orion supply chain platform. 

Let this sink in for a moment: For more than nine months the malware was active and undetected within the SolarWinds environment, as well as in many other organizations that downloaded a sanctioned executable file.  

During the SolarWinds attack, the hackers also obtained a list of Orion customers, which according to SolarWinds, totals roughly 33,000 organizations, comprising of Fortune 500 companies, the biggest telco firms, and several U.S. government agencies across the military, State Department, DoE, Pentagon, NSA, and the DoJ.  Out of the total customer base SolarWinds believes that only 18,000 were directly exposed to the malware; yet it is troublesome that FireEye and Microsoft, two of the leading cybersecurity providers, as well as the U.S. Treasury and Commerce department, the Department of Energy, and the Department of Homeland Security, were hit.  

With an attack lasting this length of time—at a minimum nine months—the full impact of the attacks is unknown, such as the amount and type of data lost, and may not be for quite some time.  However the immediate fallout is severe; it is documented that the DHS’s internal communications systems were accessed and other agencies were forced to take systems offline completely.  The DHS issued an Emergency Directive to all federal agencies instructing them to conduct full investigations for IoCs, construct complete forensic images, and remediate if necessary.  All extreme, time-consuming and disruptive efforts. 

As mentioned earlier, FireEye was also a victim of the introduced Orion vulnerability.  During the attack, its critical asset Red Team penetration tools were stolen, which are used to assess the strength of a company’s cybersecurity posture.  Since the security tools are based on already publicly available tools and techniques, cybersecurity experts do not expect that the theft will result in the creation of other damaging malware, like how the ShadowBoxer event led to Wannacry and NotPetya.  However, they do find it odd that the clearly talented and sophisticated hackers would spend the time to create new hack techniques only to steal already available information.  Perhaps more exfiltrations will be discovered as FireEye continues their investigation.

So, what are organizations to do to keep themselves safe?

The successful attack against FireEye (and in the past, Kaspersky, Bit9, and Avast) proves that not even an organization with the best defenses and analysts  is safe.  The old adage of it’s only a matter of time before your organization is hacked holds true.  Upon the Orion announcement, cybersecurity leaders started providing guidance on steps organizations should take to better protect themselves.  

It largely was the same guidance as before: 

  • Be vigilant and timely in installing the latest patches, 
  • Have your IDS/IPS/Firewall alerts tuned to be most effective, 
  • Tightly manage network-based assets, and 
  • Educate employees on how to identify and report suspicious events. 

The same old, same old isn’t working

It’s easy to say “use the industry’s best cyber security tools, keep your systems patched, tune your IDS/IPS/SIEM, have a solid response plan, and your employees are your best first line of defense” but we know that isn’t working.  The cunning nature of this particular hack reinforces the fact that organizations were doing the right thing by installing a patch, and in doing so, unknowingly infected their systems. 

The de facto standard in threat detection and response is a suite of individual security tools that organizations need to manually monitor, correlate, interpret data, and take action on it.  Often the heart of these systems are SIEMs and/or IDS/IPS tools, and unfortunately they just aren’t effective at finding zero-day attacks or APTs like this one.  

They use a log-based approach that requires a sizable amount of analyst time to create query strings and develop other code in the hopes of increasing threat coverage and finding cyber threats, as well as make sense of the thousands of intrusion alerts that are generated daily.  Because this approach is based on human knowledge, the tools can only look for what is known— not new threat behaviors found in  zero-day attacks.  

Where do we go from here?

There needs to be a solution that solves the tough problems and isn’t focused on stemming the wound. 

So, what challenges needs to be solved:

  • Not having full visibility into the network to spot threats lurking inside
  • Taking the burden off your analysts, as even the top-notch ones miss threats
  • Having to take systems offline in order to stop an attack, or to protect critical assets
  • Relying on log-based approach that requires time-consuming and complex scripts, tuning, and management
  • Current security tools that can’t evolve with cyberattacks

A smarter approach to cybersecurity

Our ARIA ADR solution was purpose-built to overcome these challenges and more.  It’s a fully automated, AI-SOC that uses behavior-based ML threat models to detect, stop, and contain all types of threats as they move through the network.  With ARIA ADR, organizations can stop 99% of the most harmful network-borne threats including ransomware, malware, DDoS, intrusions, brute force attacks, insider threats, compromised credentials, policy violations and data exfiltrations.

How does it do this?  ARIA ADR provides complete visibility into the network, generating enhanced analytics for every packet traversing (even laterally) the network.  With this information, in addition the 60+ threat models, it detects threats in real time and before harm is done.

The ARIA ADR solution is not only unique, but powerful as in a single platform, it has the capabilities of seven security tools:

  • SIEM
  • UEBA
  • NTA
  • EDR
  • Threat Intel
  • IDS/IPS 
  • SOAR

No longer will organizations have to manage and correlate information from disparate tools.  Unlike other threat detection solutions, it delivers the benefits of “a single pane of glass solution,” with insightful dashboards and actionable information—think of it as a one monitor SOC.  It can be operated remotely, from anywhere, and because it’s fully automated, it does not rely upon or require a highly-trained analyst and operates around the clock for complete coverage.  

With ARIA ADR, the attack on Orion never would have happened; thus we would not have the cascading consequences that are coming to light in its wake.  

About ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.

Tags: cyber attack, cybersecurity, intrusion response, ransomware