The recent SolarWinds hack marks an important milestone for the cyber landscape
Not only does it demonstrate the growing sophistication of supply chain attacks – equally, it highlights the urgent need for appropriate and comprehensive combative solutions such as NDR.
Physical security solutions stretch far beyond the perimeter of a building.
While access control systems and security personnel may often be deployed to control comings and goings, other technologies are regularly deployed within the confines of a property as a more holistic way of monitoring activity and ensuring occupant safety. From identification cards and surveillance systems, to automated central locking systems and alarms, you don’t have to look far to find a multitude of measures in place.
The question is, why should this be any different for cyber security?
Data breaches are becoming increasingly hard to spot, the recent SolarWinds supply chain incident being a case in point.
During the attack, hackers successfully embedded malicious code in an update scheduled for SolarWinds’ Orion software platform, used by many high-profile organisations including Fortune 500 companies and US government agencies. When the update was released, 18,000 firms installed it, providing the hackers with the means to further infiltrate their chosen networks.
The incident has demonstrated the growing sophistication and complexity of cyber attacks. Not only was trusted software from a major software enterprise leveraged to allow attackers to hide in plain sight, but the dwell time they achieved is alarming. It is said that Orion updates launched as early as March 2020 had been infected, yet the breach was not publicly reported until December 2020 – nine months later.
Such a lengthy period shows the competency of hackers in staying incognito.
In supply chain attacks, access is typically first gained through phishing techniques, such as an email that has been crafted to look like it’s from a reliable internal or external source.
If successful, the attacker gains access and – unless impeded – can move laterally throughout a network while avoiding detection by exploiting native tools in what is called a “living off the land” strategy. In the case of the SolarWinds breach, the threat actors compromised the firm’s Microsoft 365 environment, for example.
Living off the land is often slow and methodical, so as to not raise suspicion. Investigations into the SolarWinds breach showed that commercial cloud servers were used to mask communications in otherwise monotonous traffic by acting as the command-and-control centres for the attack. Further, signature-based detection solutions, reliant on historical data, did not raise any alarm as newly created malware was used.
The case for network detection and response tools
If nothing else, the Orion compromise has shown the shortcomings of signature-based detection technologies and the need for organisations to adopt a more resolute cyber protection posture.
The assumption that security breaches occur only because attackers exploit a vulnerability is simply outdated. Indeed, the Orion incident demonstrates how breaches may be executed through highly effective and insidious engineering techniques.
Old-school defence solutions such as signature-based anti-virus software, sandboxing, IDS and firewalls are no longer adequate, providing little to no protection once a breach has occurred. Likewise, security operations centres (SOCs) still focus on identifying anomalies in user activity through logs that are often too simplistic to effectively identify sophisticated lateral movement.
Given the intricacy of the SolarWinds attack, comprehensive detection solutions capable of identifying extremely subtle changes are needed in the modern environment.
So, what is the answer?
There is a strong case to be made for network detection and response (NDR) tools. Powered by cutting-edge artificial intelligence and analytics capabilities, these technologies can flag any sign of suspicious activity by offering holistic oversight of an entire organisation’s IT and cloud network infrastructure.
They can make the difference between shutting down an attack before data is exfiltrated and suffering extensive lateral movement and compromise.
NDR tools’ use of AI is crucial. Capable of analysing vast amounts of data in a matter of moments, they provide real-time early warning and continuous visibility across the attack progression without any dependency on IoCs, signatures, or other model updates.
They are able to see through evasion tactics and detect the emergence of tunnels immediately, giving SOC teams the best opportunity of tracking and stopping attackers early in the kill chain.
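The contrast drawn above between IoC/signature matching and behavioural detection, shown on constructed flow records as an added example (not code from the article or from Vectra): an IoC lookup finds nothing because the callback infrastructure is new, while a simple periodicity check over the same records flags the host whose outbound connections recur at a near-constant interval, the kind of low-and-slow beaconing that blends into routine cloud traffic. Host addresses, timings and the IoC list are all invented for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: outbound connections from two hosts over roughly two hours.
# 10.0.0.5 calls back to a cloud-hosted endpoint about every 900 s with slight jitter;
# 10.0.0.7 browses ordinary sites at irregular, human-like intervals.
_T0 = datetime(2020, 6, 1, 9, 0, 0)
FLOWS = [(_T0 + timedelta(seconds=900 * i + (i % 3) * 7), "10.0.0.5", "203.0.113.10")
         for i in range(8)]
FLOWS += [(_T0 + timedelta(seconds=s), "10.0.0.7", "198.51.100.20")
          for s in (40, 75, 600, 2900, 3100, 5000, 5020, 6500)]

# Hypothetical IoC feed: it only knows infrastructure seen in earlier campaigns.
KNOWN_BAD = {"192.0.2.66"}


def ioc_matches(flows, iocs):
    """Signature-style check: flag source hosts whose destination is on the IoC list."""
    return sorted({src for _, src, dst in flows if dst in iocs})


def beaconing_hosts(flows, min_events=6, max_cv=0.05):
    """Behavioural check: flag (src, dst) pairs whose connection intervals are nearly
    constant (low coefficient of variation), a hallmark of automated callbacks.
    Returns (src, dst, mean_interval_seconds, cv) for each suspicious pair."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    suspicious = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        if len(stamps) < min_events:          # too few events to judge periodicity
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            suspicious.append((src, dst, round(mean), round(cv, 3)))
    return suspicious


if __name__ == "__main__":
    print("IoC hits:", ioc_matches(FLOWS, KNOWN_BAD))        # nothing: new infrastructure
    print("Beaconing:", beaconing_hosts(FLOWS))              # flags 10.0.0.5 -> 203.0.113.10
```

Real traffic needs a jitter-tolerant threshold and an allow-list for legitimate pollers (NTP, update checks), which is exactly the tuning work an NDR product automates.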
For technology providers like SolarWinds, NDR solutions can provide an effective means of preventing source code from being tampered with. For end-users, meanwhile, they will prevent lateral movement should a Trojanised product slip through the net.
Supply chain attacks remain a challenge. As recently as February 2021, an ethical hacker managed to breach the systems of 35 firms including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber via a novel software supply chain attack.
They are highly lucrative and there is no doubt they will continue to persist through 2021 and beyond. Being proactive with the deployment of appropriate technologies such as NDR is, therefore, critical.
About the Author
Greg Cardiet is Senior Director of Security Engineering at Vectra. Vectra® enables enterprises to immediately detect and respond to cyberattacks across cloud, data center, IT and IoT networks. As the leader in network detection and response (NDR), Vectra uses AI to empower the enterprise SOC to automate threat discovery, prioritization, hunting and response. Vectra is Security that thinks®. www.vectra.ai