FireEye CEO Kevin Mandia recently testified before a United States Senate subcommittee about the SolarWinds attack. Take the time to listen to the testimony, especially Mandia's chilling description of how the attackers went after FireEye's Microsoft Windows identity tokens and valid credentials. The only reason FireEye detected the intrusion was that the attackers happened to target a tool that was also being used by a pen-testing firm.
Here are the key points about supply chain attacks that I believe security and IT admins should take away from that hearing.
Potential supply chain attack victims lack access to the right tools
Brad Smith of Microsoft said in his testimony that Microsoft saw the attackers' behavior only once they moved into cloud services. The attackers were operating on on-premises computers, where Microsoft had no visibility, so it could not see those earlier stages of the attack.
This points to a problem with many of Microsoft's best security tools. While they can be deployed to on-premises computers as well, they are gated behind Microsoft's most expensive E5 license plan. Microsoft Defender Advanced Threat Protection (ATP, since renamed Microsoft Defender for Endpoint) is an endpoint sensor that reports its telemetry to Microsoft's cloud, so if Microsoft's customers had it enabled on those on-premises machines, Microsoft would have seen that key data much earlier.
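Whether that sensor is actually onboarded on a given on-premises host is something an admin can check directly. The following is an added example, not code from the article or from Microsoft; it reads the documented onboarding status value and the state of the sensor service ("Sense"), and the output field names are my own choice:

```powershell
# Added example: confirm whether the Microsoft Defender for Endpoint (formerly
# Defender ATP) sensor is onboarded and running on this host.
# Run from an elevated PowerShell prompt on the machine being checked.

# Documented location of the onboarding status; OnboardingState = 1 means the
# onboarding package was applied successfully on this device.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

# "Sense" is the service name of the Defender for Endpoint sensor.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if (-not $sense) {
    Write-Output "$env:COMPUTERNAME: NOT ONBOARDED - the Sense service is not present on this host."
    return
}

$onboarded = $false
if (Test-Path -Path $statusKey) {
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $onboarded = ($state -eq 1)
}

# A sensor that is onboarded but stopped (or set to Manual/Disabled) reports nothing.
if ($onboarded -and $sense.Status -eq 'Running') {
    $verdict = 'Sensor onboarded and running'
} else {
    $verdict = 'Sensor not onboarded or not running - no EDR telemetry leaves this host'
}

# Field names below are this example's own, not a Microsoft schema.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    SenseStatus     = $sense.Status      # expect Running
    SenseStartType  = $sense.StartType   # expect Automatic
    OnboardingState = $onboarded
    Verdict         = $verdict
}
```

To sweep a fleet, wrap the script in `Invoke-Command -ComputerName <list>` and filter on the `Verdict` field. Note what this does and does not prove: it shows the endpoint side is configured, not that the host can reach Microsoft's cloud endpoints (network or proxy rules can still silently block telemetry), and it says nothing about whether the E5 or Defender for Endpoint license is actually assigned in the tenant. Both of those are separate checks.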