April 9, 2021

What the Titans of Industry Reveal about SolarWinds Sunburst attack

It’s been approximately 100 days since the disclosure of the attack on the SolarWinds Orion platform, and we are in a better place to understand what happened.  It’s been pretty eye-opening to learn how ill-equipped prominent industry players, including cybersecurity experts, were when it came to finding, preventing and defending themselves against an attack like this. 

The CEOs from FireEye, Microsoft, SolarWinds, and CrowdStrike appeared in front of a U.S. Senate panel to lay out the unfolding of events, defend their conduct in the data breach (blamed on Russian hackers) and seek to shift responsibility elsewhere.  Notably missing was Amazon, even though its AWS cloud platform was a contributing factor in how the cyber attack was executed and spread.

During the testimony, it was outlined how the SolarWinds software was hijacked and used to break into a host of other organizations, and that the hackers had been able to read Microsoft’s source code for user authentication.  This exposure and subsequent manipulation of the source code led to the hack of about 100 U.S. companies and nine federal agencies. CrowdStrike went so far as to say of Microsoft’s antiquated and complicated approaches: “The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network” and that “if a different methodology had been used this particular threat vector would be eliminated.”

Even if the Senate panel had pushed for a security solution for future prevention, they wouldn’t have gotten one.  These organizations are too ingrained in what they know and in the tools and systems they have designed or use.  In this blog we’ll recount details of the hearing, and at the end we’ll lay out why, with our ARIA ADR solution, the attack on Orion never would have happened, and why we therefore would not be facing the cascading consequences that are coming to light in its wake.

Enjoy and see you at the end….


Your vendors and partners may be your biggest cybersecurity risk

The attack was discovered by FireEye, and only by chance, when they noticed simultaneous log-ins. FireEye’s CEO testified that his company had pen test tools stolen as a result of being a stage-two victim in this supply chain attack, meaning that the system infiltration came through an outside partner or provider. 

In this case, FireEye and Microsoft were infected due to the backdoor placed in the Orion platform code. Mimecast, another example of a supply chain victim of Sunburst, recently revealed that their production environment was also accessed because of stolen keys and inaccurate Microsoft 365 authentication. With this, the attackers were able to retrieve email addresses and download tools.

Threat actors were skilled, patient, and committed

FireEye’s experience in data breach investigation and remediation services made it clear to them the level of sophistication and that it was likely a multi-decade campaign. After much analysis to find the malicious code, an effort that consisted of searching through one million lines of assembly code, FireEye discovered that one year earlier the threat actors had conducted a trial run with innocuous code to ensure that their plan would work. Microsoft supported FireEye’s view and said many of the techniques used have not yet come to light and that up to a dozen different means of getting into victim networks occurred.  They also hypothesized that it would have taken at least a thousand engineers to bring a hack of this level to fruition. Imagine that, an adversary that is willing to invest so much into executing a hack.

The goal of the data hack was threefold:

  • The first was, upon entry, to grab keys and tokens, which are nearly impossible to detect because the only IOC is employees logging into devices. 
  • With those keys and tokens, the cyber attackers could easily bypass multi-factor authentication protections and gain access to critical data and devices. 
  • They then had access to the entire network and grabbed emails, documents and tools from FireEye servers.


IT is sorely in need of modernization

Unfortunately for Microsoft, and as strongly pointed out by CrowdStrike, the data hackers took advantage of well-known vulnerabilities in Windows authentication and Active Directory Federation Services. This allowed the attackers to move laterally within every victim’s network, between the enterprise and the cloud.  CrowdStrike noted that these weaknesses had been around since 2017, clearly enough time for Microsoft to address them if they had chosen to. 

Brad Smith, CLO of Microsoft, didn’t address this point and used his time to speak to how this attack has placed a spotlight on several areas, the first being the need for better security in software development platforms, especially with an estimated 500 million software applications to be developed in the next three or four years by nearly every organization in nearly every industry across the country. 

CrowdStrike spoke to how some companies are behind the times, by up to 20 years, in securing themselves. Microsoft took it up a level and said that the industry at large, IT infrastructure, and security best practices need to be modernized. Smith cited that it was only when the attack surfaced within the Azure cloud that it became visible to Microsoft. This is an interesting observation, as Microsoft has been criticized for just how hard it is to run Azure AD securely, and that this complexity introduces the opportunity for cyber attackers to escalate privileges or hide access.  Further proving the set-up challenges, Microsoft allowed that the lateral movement found in victim systems was due to “poor configurations and other controls” on the customers’ part.


More investment in cybersecurity is needed

Upon becoming aware of the attack, SolarWinds engaged CrowdStrike’s incident response services. During his Senate testimony, George Kurtz, CrowdStrike’s CEO, reinforced many aspects of the attack noted by FireEye, but he went on to list six essential concepts and emerging technologies that the industry must invest in and adopt for improved cybersecurity. 

  1. Threat hunting: Even though the largest companies, those with sizable resources, have experienced breaches, continuing to employ skilled cybersecurity analysts to analyze and find attacks is needed.
  2. Machine learning and artificial intelligence: Novel threats will not be found through threat hunting and other means alone, which means that leveraging ML and AI is essential. 
  3. Speed: Seconds count, and pre-planning incident response is crucial.
  4. Identity protection and authentication: As the threat surface becomes larger and more porous (due to cloud services and the expansion of work from home), reliance on traditional authentication techniques is not adequate and especially puts legacy technologies and architectures at risk. 
  5. Zero trust: SSO and MFA are no longer effective on their own; organizations should instead require end-users to authenticate themselves for each device or resource they wish to access, in order to reduce lateral movement and privilege escalation.
  6. Extended detection and response (XDR): IT resources demand contextual access and awareness across the enterprise, spanning from on-premises to the cloud to ephemeral workloads.


ARIA ADR - it’s time to get off the merry-go-round 

This is a lot to unpack, but what’s clear is:

  • The Orion attack marks a sizable shift in the lengths malicious actors will go to in order to execute a hack.  
  • The advice, best practices and tools aren’t working, even for the cybersecurity leaders in the industry. 

So, why are we still riding this merry-go-round?

Our ARIA ADR and CloudADR solutions were purpose-built to address errors in cybersecurity best-practices and tools. With ARIA ADR, organizations can stop 99% of the most harmful network-borne threats including ransomware, malware, DDoS, intrusions, brute force attacks, insider threats, compromised credentials, policy violations, and data exfiltrations. 

How does it do this? It’s a fully automated AI-SOC that uses behavior-based ML threat models to identify attacks by their signature behaviors.  The ML also gives it the ability to identify attacks based upon suspicious, never-before-seen network or device activity. 

ARIA ADR provides complete visibility into the network, generating enhanced analytics for every packet traversing the network (even laterally). With this information, along with the supplied 60+ threat models, it detects attacks as soon as they become active on the network and stops them before any harm is done.  The attacks can’t hide, since ARIA ADR leverages ML and AI and doesn’t rely on current-day tools that require manual effort and cumbersome log-based techniques, which can only help detect attacks already seen and do nothing for zero-days.

The ARIA ADR solution is a unique, powerful and comprehensive platform housing the capabilities of seven security tools:

  • SIEM
  • UEBA
  • NTA
  • EDR
  • Threat Intel
  • IDS/IPS 
  • SOAR

No longer will organizations have to manage and correlate information from disparate tools or write complex log algorithms to update their security tools. Unlike other threat detection solutions, it delivers the benefits of “a single pane of glass solution,” with insightful dashboards and actionable information: think of it as a one-monitor SOC. 

It can be operated remotely, from anywhere, and because it’s fully automated, it does not rely upon or require a highly trained analyst, and it operates around the clock for complete coverage. 

ARIA ADR is forward-thinking and a whole different animal when it comes to stopping cyberattacks.  It’s the solution that SolarWinds needed to prevent this whole mess from happening.

Tags: cyber attack, data breach, cybersecurity, data protection