Editor’s note: In response to these recent events, we have removed the registration page from our supply chain white paper. Learn about the 6 most common supply chain entry points for cyber attacks, and the 5 most common attacks and how to defend against them.
If you haven’t yet caught wind of the presumed Russian attacks on the reputable and respected security firm FireEye, the U.S. government, and the IT software group SolarWinds, now is the time to take notice.
What could a security firm, the U.S. Commerce and Treasury Departments, and an IT software company possibly have in common? The answer most likely is this: a backdoor delivered through a channel they all trusted, in this case a signed update to an IT monitoring platform. The recent and unfolding news is a sobering reminder of the relentlessness of nation-state cyber attack campaigns. Add the widespread exposure created by a backdoor in a widely deployed supply chain component, and the risk suddenly escalates from a single corporate incident to a global attack with potentially unsettling consequences.
The shift is this: adversaries are moving from tightly secured enterprises to weaker points of entry along the supply chain. In fact, Accenture Security reports that “Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches.”
What do we know so far?
Here is our understanding of the situation:
- The FireEye, SolarWinds and government agency hacks appear to be connected.
- According to The Washington Post, the attack began with the IT vendor SolarWinds. SolarWinds CEO Kevin Thompson said that malicious code had been inserted into software updates the company distributed to users of its Orion IT monitoring platform between March and June. (SolarWinds’ government customers include the Department of Justice; the Census Bureau; several national laboratories; and state, local, and foreign customers such as the European Parliament and Britain’s National Health Service.)
- Late Sunday evening, FireEye confirmed that the recent cyber attacks all stemmed from the compromised SolarWinds Orion software update.
- Nation-state hackers also broke into multiple federal agencies, including the U.S. Departments of Treasury and Commerce, in a campaign that appears to be linked to the recently disclosed hack of security firm FireEye. At the National Telecommunications and Information Administration (NTIA), the intruders gained access to the agency’s Microsoft Office 365 environment and monitored staff email for months before the intrusion was discovered.
- The Office of the Director of National Intelligence and U.S. Cyber Command are involved in the investigation.
APT29, aka “Cozy Bear,” suspected actor
The Russian advanced persistent threat (APT) group known as APT29, or Cozy Bear, is the suspected instigator of this attack. You can read about its typical techniques here.
In July 2020, cybersecurity agencies from the U.K., Canada, and the U.S. jointly attributed a campaign targeting pharmaceutical companies and academic institutions involved in COVID-19 vaccine development to APT29.
Why are APT attacks so difficult to detect? The techniques used by adversaries such as Cozy Bear are hard to detect with traditional, signature-driven security tools. Their tactics, techniques, and procedures (TTPs) sit at the apex of security researcher David J. Bianco’s “Pyramid of Pain,” a threat hunting model that ranks indicators by how much it costs the adversary when defenders can act on them: hashes and IP addresses are trivial to change, tools are harder, and behaviors are hardest of all. When you can detect and respond at the TTP level, you are operating directly on adversary behaviors, not just on their tools. From a pure effectiveness standpoint, this level is the ideal. If you can respond to an adversary’s TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors. That is not an easy task for even the most capable of bad actors.
How do you detect threats that have infiltrated your network?
Network detection and response (NDR) systems built on behavioral analytics can “see” these TTPs on the network. The NY Times reports that in the FireEye attack, for instance, “the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.” Fresh infrastructure like this defeats blocklists by definition, because none of it has a reputation yet; what it cannot hide is how it behaves. Connections from a host to destinations it has never contacted before, on a regular cadence, are exactly what behavioral analytics can surface during this crucial network dwell time.
Stopping adversaries at the reconnaissance phase of an intrusion (as far “left of boom” as possible, in terms of the early tactics of the MITRE ATT&CK framework) is critical. Once an adversary moves further along the intrusion path, being able to map detected observables to specific ATT&CK techniques is also essential for determining the best and fastest course of remediation.
These are the threats posed by adversaries who have slipped past your firewall or taken advantage of an insecure endpoint to get inside your network. Once inside, adversaries often lurk to determine the best way to steal money or data, including personally identifiable information (PII) or intellectual property. They then move laterally from their entry point to find the systems or data they are targeting. The earlier the detection, by assessing indicators of behavior instead of only known indicators of compromise (IoCs), the lower the risk.
Organizations need to implement a defense-in-depth strategy with detection capabilities geared towards the behavioral TTPs catalogued in the MITRE ATT&CK framework.
The role of behavioral analytics
There are techniques for detecting nation-state activity earlier using behavioral analytics and an Expert System, which can anticipate the actions of nation-state threat actors. In the case of the SolarWinds attack, IronNet analysts learned about indicators that IronNet analytics and its Expert System are designed to detect, including:
- Post compromise activity included lateral movement and data theft. Our analytics and sensors are designed and positioned to detect movement within the network, especially when large amounts of data are exfiltrated.
- The trojanized SolarWinds Orion software contains a backdoor that communicates over HTTP with third-party servers. IronNet’s analytics specifically focus on HTTP for domain analysis, periodic and consistent beaconing, and extreme request rates.
- Multiple trojanized updates were digitally signed from March through May 2020 and posted to the SolarWinds updates website. IronNet analytics examine certificates to detect unusual activity.
- IronDome’s threat sharing platform would have communicated correlated actionable activity between the private sector and government agencies.
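The two network-level signals discussed above, connections to never-before-seen infrastructure and periodic HTTP beaconing (plus the large-volume exfiltration mentioned in the first bullet), can be illustrated with a small detector over proxy logs. The block below is an added example written for this article; it is not IronNet code and does not reflect how IronNet’s analytics or Expert System are implemented. The log lines, the baseline of previously seen destinations, and the host and domain names are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample proxy log lines (not from the original post or any product).
# Format: <ISO timestamp> <src_ip> <dst_host> <bytes_out>
# 10.1.2.30 contacts a new domain every 300 s (beacon-like).
# 10.1.2.31 browses a known domain at irregular intervals (normal).
# 10.1.2.32 pushes 200 MB to a new domain in two requests (exfil-like).
SAMPLE_LOG = """\
2020-12-10T08:00:00 10.1.2.30 updates.c2-staging.test 512
2020-12-10T08:00:10 10.1.2.31 cdn.knownsite.test 1400
2020-12-10T08:00:45 10.1.2.31 cdn.knownsite.test 2100
2020-12-10T08:03:00 10.1.2.31 cdn.knownsite.test 900
2020-12-10T08:05:00 10.1.2.30 updates.c2-staging.test 498
2020-12-10T08:09:30 10.1.2.31 cdn.knownsite.test 3300
2020-12-10T08:09:35 10.1.2.31 cdn.knownsite.test 700
2020-12-10T08:10:00 10.1.2.30 updates.c2-staging.test 505
2020-12-10T08:15:00 10.1.2.30 updates.c2-staging.test 510
2020-12-10T08:20:00 10.1.2.30 updates.c2-staging.test 501
2020-12-10T08:30:00 10.1.2.32 drop.files-transfer.test 104857600
2020-12-10T08:31:00 10.1.2.32 drop.files-transfer.test 104857600
"""

# Constructed baseline: destinations this network has contacted before.
BASELINE_DESTINATIONS = {"cdn.knownsite.test"}


def parse_log(text):
    """Parse log lines into sorted (epoch_seconds, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        epoch = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
                 .replace(tzinfo=timezone.utc).timestamp())
        events.append((epoch, src, dst, int(nbytes)))
    return sorted(events)


def first_seen_destinations(events, baseline):
    """Destinations absent from the baseline: the 'fresh infrastructure' signal."""
    return {dst for _, _, dst, _ in events if dst not in baseline}


def beaconing_flows(events, min_events=4, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-arrival times are nearly constant.

    The coefficient of variation (stdev / mean) of the intervals is close to 0
    for a fixed-interval beacon and large for human-driven traffic.
    Returns {(src, dst): (mean_interval_seconds, cv)}.
    """
    times = defaultdict(list)
    for epoch, src, dst, _ in events:
        times[(src, dst)].append(epoch)
    flagged = {}
    for key, ts in times.items():
        if len(ts) < max(min_events, 3):  # need >= 2 intervals for a stdev
            continue
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.stdev(intervals) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged[key] = (mean, cv)
    return flagged


def large_outbound(events, threshold_bytes):
    """Flag (src, dst) pairs whose total bytes out exceed the threshold."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in events:
        totals[(src, dst)] += nbytes
    return {k: v for k, v in totals.items() if v > threshold_bytes}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("first-seen destinations:",
          sorted(first_seen_destinations(events, BASELINE_DESTINATIONS)))
    for (src, dst), (mean, cv) in beaconing_flows(events).items():
        print(f"beacon candidate {src} -> {dst}: every {mean:.0f}s (cv={cv:.2f})")
    for (src, dst), total in large_outbound(events, 100 * 1024 * 1024).items():
        print(f"large outbound {src} -> {dst}: {total} bytes")
```

On the sample data the detector flags both new domains, the 300-second cadence from 10.1.2.30, and the 200 MB transfer from 10.1.2.32, while the irregular browsing of 10.1.2.31 passes. Two caveats a practitioner would apply before using this for real: implants commonly add random jitter to their sleep interval, so `max_cv` must be loosened (or the interval distribution compared against a reference) at the cost of more false positives, and a first-seen destination is only interesting in combination with other signals, since legitimate new SaaS and CDN hosts appear every day.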
Actions and recommendations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert indicating that SolarWinds Orion Platform software is being actively exploited by malicious actors, and the Department of Homeland Security (DHS) has issued an emergency directive instructing U.S. federal agencies to immediately disconnect all SolarWinds Orion products.
Security researchers at FireEye have published technical details indicating that a software supply chain compromise occurred earlier in 2020 and resulted in a trojanized version of SolarWinds Orion being distributed to customers; FireEye has dubbed the backdoor it carries SUNBURST.
SolarWinds has additionally published a security advisory recommending customers upgrade to the latest version of Orion Platform and indicating that the company plans to release an additional hotfix later this week.
*** This is a Security Bloggers Network syndicated blog from IronNet Blog authored by IronNet. Read the original post at: https://www.ironnet.com/blog/analysis-solarwinds-supply-chain-attack