The SolarWinds Breach and its Case for Network Detection and Response (NDR)

January 21, 2021
Marc Gemassmer
Chief Revenue Officer

Each time there’s a major attack or breach, there’s a rush to assign blame. Most often, the blame lands on the shoulders of the security teams who are already doing everything possible with the time and resources at their disposal. Yet, finding fault can be unproductive. Instead, understanding how and why an attack occurred leads to an evolution of how organizations combat and manage security operations.

For example, let’s consider the recent—and ongoing—SolarWinds breach. This breach bypassed all the typical prevention tools like multi-factor authentication (MFA), network sandboxes and endpoint detection and response (EDR). These attackers leveraged legitimate tools to enact malicious actions, effectively rendering all preventative measures moot.

Once breached, the attackers used multiple communication channels, phases, and tools to establish interactive, hands-on-keyboard control. Each phase was designed to minimize the chance of detection, with techniques that defeat intrusion detection system (IDS) tool signatures, endpoint detection and response (EDR), manual threat hunting, and even common approaches to machine learning-based (ML) detection.

Unveiling the SolarWinds Supply-Chain Attack: A Stealthy and Sophisticated Breach with Cloud and Office 365 as Key Targets

The SolarWinds supply-chain attack was orchestrated to establish a covert, reliable command-and-control (C2) channel between the attackers and a trusted, privileged infrastructure component inside the datacenter: the SolarWinds server itself. That channel served as a gateway, granting the attackers their first privileged accounts and a pivot point from which to advance. As outlined above, the attackers then employed multiple communication channels, phases, and tools to gain interactive, hands-on-keyboard control, with each phase designed to minimize the likelihood of detection by intrusion detection system (IDS) signatures, endpoint detection and response (EDR), manual threat hunting, and even common approaches to machine learning-based (ML) detection.

> Read our Threat Report for a more detailed analysis of the SolarWinds supply-chain attack.

Outlined below is the progression of the attack, starting from the initial backdoor and culminating in the establishment of persistent access within cloud environments, with a specific emphasis on targeting Microsoft Office 365/email, which appears to have been a primary objective. Vectra AI's coverage, which does not depend on indicators of compromise (IoCs) or signatures, comes into play as soon as the initial C2 channel is established. The combination of observed behaviors directly on the SolarWinds server prompted its classification as "Critical" even before any lateral movement occurred, enabling early containment measures. If the attack were to advance, additional detections would provide comprehensive visibility into each subsequent phase, even as the assault expands into the cloud and specifically targets Office 365.

[Infographic: Overview of the SolarWinds supply-chain attack]
Download the HD infographic of the SolarWinds supply-chain attack.

Revealing the Limitations of Traditional Security Solutions: The SolarWinds Breach and the Call for Network Detection and Response (NDR)

The SolarWinds Orion hack, also known as Sunburst or Solorigate, clearly highlights the necessity of AI-powered Network Detection and Response (NDR). While preventive security measures and endpoint controls raise the bar, they are insufficient. Legacy, signature-based Intrusion Detection Systems (IDS) have once again proven ineffective in detecting new attacks where indicators of compromise (IoCs) do not yet exist.

The SolarWinds attackers demonstrated significant effort and expertise in bypassing preventive controls, including network sandboxes, endpoint security, and multifactor authentication (MFA). Their methods involved:

  • Conducting extensive checks to ensure they were not in a sandbox or malware analysis environment.
  • Utilizing code signing and legitimate processes to evade common endpoint controls.
  • Implementing a novel in-memory dropper to avoid file-based analysis while distributing the Command and Control (C2) beacon.
  • Bypassing MFA using stolen Security Assertion Markup Language (SAML) session signing keys.
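The last bullet is the one where a defender can still get signal after prevention has failed: an assertion signed with a stolen key never passes through the identity provider, so the IdP has no record of issuing it, and forgers tend to grant themselves validity windows the real IdP would never issue. The script below is an added illustration of that reconciliation check and is not code from this post or from Vectra's product; the log field names, the user names, the assertion IDs and the one-hour lifetime policy are all constructed assumptions.

```python
"""Reconcile service-provider logins against the identity provider's
issuance log to spot SAML assertions forged with a stolen signing key.
Added example with constructed data; not the post's or Vectra's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IssuedAssertion:
    """One record from the IdP's own log: it signed this assertion ID."""
    assertion_id: str
    subject: str
    issued_at: datetime


@dataclass(frozen=True)
class ObservedLogin:
    """One assertion the service provider (for example, Office 365) accepted."""
    assertion_id: str
    subject: str
    not_before: datetime
    not_on_or_after: datetime
    seen_at: datetime


# Assumed policy: the IdP never issues assertions valid for more than one hour.
MAX_LIFETIME = timedelta(hours=1)


def find_suspect_logins(issued, observed, max_lifetime=MAX_LIFETIME):
    """Return {assertion_id: [reasons]} for accepted logins that look forged.

    A token signed offline with a stolen key never passes through the IdP,
    so the IdP has no issuance record for it; forgers also tend to grant
    themselves lifetimes the real IdP would never issue.
    """
    issued_by_id = {a.assertion_id: a for a in issued}
    findings = {}
    for login in observed:
        reasons = []
        record = issued_by_id.get(login.assertion_id)
        if record is None:
            reasons.append("no issuance record at the IdP")
        elif record.subject != login.subject:
            reasons.append("subject differs from the IdP record")
        if login.not_on_or_after - login.not_before > max_lifetime:
            reasons.append("validity window exceeds IdP policy")
        if reasons:
            findings[login.assertion_id] = reasons
    return findings


# Constructed sample logs (hypothetical users and assertion IDs).
T0 = datetime(2021, 1, 21, 9, 0, tzinfo=timezone.utc)
ISSUED = [
    IssuedAssertion("_a1", "alice@corp.example", T0),
    IssuedAssertion("_b2", "bob@corp.example", T0 + timedelta(minutes=3)),
]
OBSERVED = [
    # Two genuine logins: matching IdP records and one-hour windows.
    ObservedLogin("_a1", "alice@corp.example", T0, T0 + timedelta(hours=1),
                  T0 + timedelta(minutes=1)),
    ObservedLogin("_b2", "bob@corp.example", T0 + timedelta(minutes=3),
                  T0 + timedelta(hours=1, minutes=3), T0 + timedelta(minutes=4)),
    # A forged token: never issued by the IdP and valid for a week.
    ObservedLogin("_z9", "svc-admin@corp.example", T0, T0 + timedelta(days=7),
                  T0 + timedelta(minutes=30)),
]

if __name__ == "__main__":
    for aid, reasons in find_suspect_logins(ISSUED, OBSERVED).items():
        print(aid, "->", "; ".join(reasons))
```

The check needs both sides' logs in one place, which is exactly the point the post makes about a SIEM: the detection only works if the IdP issuance events and the service provider's sign-in events are actually collected and correlated.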

The level of skill and focus required to circumvent endpoint controls underscores the advancements in Endpoint Detection and Response (EDR). However, it also serves as a reminder that determined and sophisticated adversaries can always find ways to bypass preventive and endpoint controls.

To defend effectively against this type of attack, network detection and response is essential. In this context, the network encompasses everything outside the endpoint. Vectra AI's detection models provide real-time early warning and continuous visibility throughout the attack's progression, from on-premises infrastructure to the cloud. The approach does not rely on IoCs, signatures, or other model updates; its purpose is to identify and stop attacks like Sunburst/Solorigate/SolarWinds before significant damage occurs.

As the SolarWinds breach demonstrates, traditional security solutions are insufficient and can be manipulated by attackers. IDS relies on signatures, so analysts must already know about an attack, and have a signature for it, before they can detect or prevent it. EDR is effective on endpoints but does not adequately address network-based activity like that seen in the SolarWinds breach. Even the additional machine learning (ML)-based detection techniques vendors employ may not provide adequate protection. Organizations may have security information and event management (SIEM) systems or similar tools, but their effectiveness depends on the quality and availability of the data they receive; if that data is compromised or missing, the SIEM's purpose is undermined. It is crucial to feed the SIEM with accurate and appropriate data.
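The contrast the post draws, a signature that must exist before IDS can fire versus a behaviour that is visible on the network regardless of which tool or domain the attacker uses, is easiest to see on the C2 channel itself. The script below is an added example, not the post's or Vectra's detection logic, of one such behavioural check: it scores how regular a host's outbound connections to a given destination are, which is the tell of a timer-driven beacon even when the attacker adds jitter. The connection records, the host and destination names and the thresholds are constructed assumptions; a production NDR model would combine many such features rather than a single ratio.

```python
"""Score connection periodicity to surface C2 beaconing without any
signature or IoC. Added example over constructed records; not the
post's or Vectra's detection logic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (seconds since capture start, source host, destination).
# The hypothetical server "orion-srv" calls one external name roughly every
# ten minutes with small jitter; the workstation "ws-17" browses irregularly.
SAMPLE_FLOWS = (
    [(t, "orion-srv", "cdn-cache.example") for t in
     (0, 598, 1203, 1799, 2404, 2996, 3601, 4205, 4798, 5402, 6000, 6597)]
    + [(t, "ws-17", "updates.example") for t in (0, 30, 900, 1100, 4000, 4010, 5000)]
)


def beacon_candidates(flows, min_connections=6, max_cv=0.15):
    """Return {(src, dst): stats} for pairs whose inter-connection intervals
    are nearly constant.

    cv = stddev / mean of the intervals. Human-driven or normal client
    traffic is bursty and gives a cv well above 1; a timer-driven beacon
    stays close to 0 even when the implant adds jitter to each sleep.
    """
    times = defaultdict(list)
    for t, src, dst in flows:
        times[(src, dst)].append(t)
    flagged = {}
    for key, ts in times.items():
        if len(ts) < min_connections:      # too few samples to judge regularity
            continue
        ts = sorted(ts)
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(intervals)
        if avg <= 0:                        # duplicate timestamps, not a beacon
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            flagged[key] = {"count": len(ts), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"every {stats['mean_interval']:.0f}s (cv={stats['cv']:.3f})")
```

Nothing in the score depends on the destination name, the protocol or the payload, so it survives the attacker rotating domains or re-signing tools; what it cannot do is judge whether a regular connection is legitimate, which is why such a detection is one input to a host's overall risk rather than a verdict by itself.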

If you’re ready to change your approach to detecting and responding to cyberattacks like these, and to get a closer look at how Cognito can find attacker tools and exploits, schedule a demo with Vectra today.