blog-header-image
| 3 min read
| Dec 16, 2020
| by Bruce Potter, Jon Hencinski, Anthony Randazzo and Mary Singh

The SolarWinds Orion breach: 6 ideas on what to do next and why


Well, 2020 is really going out with some fanfare, isn’t it?

The revelation of SolarWinds’ Orion monitoring product being compromised by nation state intelligence is keeping a bunch of people very busy heading into the holidays. “Bah humbug” to that.

With a few days hindsight, we wanted to take a breath and offer some observations on how things are going, what we can expect going forward and how organizations everywhere should be thinking about detecting post-compromise malicious activity.

Before we dive into the “here’s what we’re seeing and how you should plan for the long haul,” let’s take a minute to applaud the leadership shown by FireEye, Microsoft and CISA.

These orgs continue to be transparent on the technical and mission aspects of this attack. That transparency helped the entire cybersecurity industry understand the technical nature of the attack and begin to wrap our arms around the broader business impact to our customers.

In turn, that helps our customers and any impacted businesses, in general, better understand their own risk as they navigate their way through this mess.

Now let’s dig into some observations and recommendations:

  • You’ll need to rewind the clock as you search for evidence of compromise as a result of the SolarWinds Orion breach. We’ve seen instances of the backdoored SolarWinds Orion signed DLL, known as SUNBURST in many organizations, as have our peers. SolarWinds indicated up to 18,000 organizations may be vulnerable to this exploit, so it’s hard to overstate the potential impact this backdoor could have on a broad set of industries. One of the challenges we’re facing in scoping these incidents is the need to rewind the clock sufficiently to see when the earliest potential malicious actions could have taken place. In this case, SolarWinds indicated their software was implanted nine months ago, so ideally we’d like to look through nine months of evidence to see signs of attack activity.

  • Data retention policies might make this difficult. Unfortunately, retention policies can get in the way of this kind of look back and we may only get a few weeks or months worth of data to review. Data retention is a hard scale to balance; limiting cost and improving performance while maximizing historical accuracy means some organizations have the data they need in the wake of this breach but others do not.

  • But vendors are (thankfully) jumping in and creating detections that’ll help security teams everywhere identify and mitigate related attacks in the future – so ask your vendors what detections they’re working on. Thanks to the turbo-charged @andrew__morris observation that the backdoored software was still on SolarWinds’ website on Monday, December 14th, we continued to see new instances of the malicious DLL created on disk as customers attempted to upgrade their installation. Why is this good news? Because at least by that time most security vendors had detections in place so we saw it land and were able to immediately remediate. A big shout out to the vendor community at large for getting those detections created and pushed out in a timely manner. It makes a huge difference to operators when the cycle between news breaking and having functional detections in place is as short as possible.

  • There’s more good news: We haven’t seen any evidence of recent SUNBURST command and control. This is a great sign for our customers. We do however have limited telemetry for our customers and this breach dates back to March 2020.

  • This kind of event underscores the importance of having a fully functional EDR solution. In particular, you need one that supports robust remote forensic examination of a system. Being able to investigate endpoints at scale in an automated fashion to assess impact and risk to an organization as quickly as possible is incredibly important in an event like this. The bummer with these tools is that they really shine when the situation is the darkest. On a normal day when everything is normal you don’t think, “Gosh! I wish I had a better EDR tool.” But when things go totally sideways like they did this week, the quality of your EDR can change (or destroy) the game. With that said, sometimes a historical compromise like this can only be addressed with a good ol’ fashioned incident response engagement.

  • Be on the lookout for the long tail of compromise. The tail of these kinds of attacks can be quite long, and adversaries who entrenched themselves inside your org can be difficult to fully root out. Moving forward, we’re focused on finding post-compromise activity observed during this global threat campaign. In particular, we’re building detections and hunts for events such as Azure AD PowerShell behavior, modification of domain federation trust settings, and researching ways to discover forged SAML tokens, anomalous logins, Azure lateral movement, and privilege escalation activity. While many of these are events we’re looking for anyway, we’re turning the dials on orgs that may be compromised via SUNBURST to surface more of these events and correlate them in new ways based on the TTPs that were published as part of this attack.

That’s it for now.

Thank goodness … IT and security folks everywhere don’t need any more to deal with.

In the coming weeks, we’ll have even more visibility on both the technical and business shifts that are happening in both the cybersecurity industry and the economy at large.

We’ll keep you posted as we learn more. As always, we’d love to hear from you if you have thoughts to share.


Subscribe

Introducing a mind map for AWS investigations

Over this past summer, our SOC team remediated quite a few incidents in Amazon Web Services (AWS). Some of these were surprise attacks from red teams, while others were live attackers in our customers’ cloud environments. When running these incidents…
Read More