The SolarWinds Breach
and its Case for Network
Detection and Response (NDR)
Each time there’s a major attack or breach, there’s a rush to assign blame. Most often, the blame lands on the shoulders of the security teams who are already doing everything possible with the time and resources at their disposal. Yet, finding fault can be unproductive. Instead, understanding how and why an attack occurred leads to an evolution of how organizations combat and manage security operations.
For example, let’s consider the recent—and ongoing—SolarWinds breach. This breach bypassed all the typical prevention tools like multi-factor authentication (MFA), network sandboxes and endpoint detection and response (EDR). These attackers leveraged legitimate tools to enact malicious actions, effectively rendering all preventative measures moot.
Once breached, the attackers used multiple communication channels, phases, and tools to establish interactive, hands-on-keyboard control. Each phase was designed to minimize the chance of detection, with techniques that defeat intrusion detection system (IDS) tool signatures, EDR, manual threat hunting, and even common approaches to machine learning-based (ML) detection.
For those that like to geek-out on this type of things (like I do), the below visual provides more detail:
Ushering in the era of network detection and response (NDR)
As the SolarWinds breach demonstrates, traditional security solutions aren’t enough and can, in fact, be manipulated by attackers. We know that IDS depends on signatures, which means security analysts must know about and have a signature for the attack in order to see and stop it. Similarly, EDR works great for endpoints, but only covers that specific vector. Because the SolarWinds breach was a network-based attack, EDR couldn’t adequately address that threat. Even additional ML-based detection techniques employed by vendors to check the ML solution box may not help. Of course, these organizations have SIEMs or something similar, yet these tools are still dependent on the data fed into them—if the data itself is not considered compromised, or is simply nonexistent, then the purpose of a SIEM is negated. You need the right data to feed a SIEM.
Altogether, this results in overworked threat hunter teams that can’t keep up even if you add more people. The coverage of the attack, while seemingly robust from end to end, was insufficient.
All of this goes to show that detection inside the network is required: this detection can’t be based on signatures, nor can it use off-the-shelf ML techniques. It must include learning behavior models that understand both hosts and identities. Plus, the network must include the entire ecosystem of hybrid, on-premise, and cloud connectivity.
Though it came at the cost of a massive breach, understanding the SolarWinds hack has exposed the vulnerabilities in security operations that can be addressed through the implementation of new techniques and technologies like NDR.
If you’re ready to change your approach to detecting and responding to cyberattacks like these, and to get a closer look at how Cognito can find attacker tools and exploits, schedule a demo with Vectra today.