Expert Comment On New Malware Strain Found In SolarWinds Hack

The significance is there is incredible diversity in tools and tactics the attackers will use to create a beachhead. We believe that organizations, in addition to investigation/remediation activities, need to start operating and planning as if beachheads are inevitable and focus more on detecting and preventing the attacker activities after the beachhead has been established. It's way too easy for attackers to harvest credentials, move laterally, and escalate privileges once they're inside. Developing, and investing in, an Active Defense strategy to preemptively clean up credential and pathway information, reduces the attack surface and forces detections by transforming endpoints into a network of deceptions, necessary to create an environment that is hostile to attacker activities once they've established a beachhead.  

So we are now getting into the semantics of minutia of how different malware worked so they can be named and detected with a signature. This is all great after the fact once we already know the attack occurred, but it did not help when it mattered most.

While the malware strains might slightly vary, and I’m sure more will be exposed, the fact is the behaviours related to the malware has been consistent – network reconnaissance for user accounts and passwords (primarily AD) followed by lateral movement to targeted systems with privilege escalation.

Attackers can modify code and find different ways to execute the attack lifecycle, but no matter what they do the behaviours stay the same and are surprisingly consistent. During an attack, it does not matter who is responsible or how they are executing commands. It only matters that it is happening right now and what they are doing so that the organisation can mitigate it. This is where behaviours are strong with no prior knowledge of malware.