SolarWinds Breached To Infect Multiple US Companies/Gov Networks – Expert Comment

News is breaking that bad actors allegedly operating on behalf of a foreign government have breached SolarWinds and deployed a malware-infected update for its Orion software to infect the networks of multiple US companies and government agencies, according to FireEye.

SolarWinds states that 33,000 companies use its Orion product, and it estimates that 18,000 of them were directly impacted by the malicious update.

2 Expert Comments
Niloy Mukherjee, Co-founder and Chief Architect
InfoSec Expert
December 16, 2020 11:34 am

With more details emerging regarding the cyberattacks targeting SolarWinds, many are wondering why these activities remained undetected for so long. Today’s attacks that target data and applications do not consist of a single isolated technique taking place on a user endpoint or a single network event. Instead, they can be visualized as a ‘causal’ kill chain made up of multiple suspicious techniques interleaved with dormant benign behaviors, exhibited over multiple hosts spanning the entire infrastructure, often with varying degrees of time gap between the malicious techniques executed. Some campaigns can be over in minutes. Others, like the SolarWinds campaign, can be slow and stealthy, taking place over several months. When seen in isolation, each technique or action is not compelling enough to take action on, but the accumulation of techniques over the lifecycle is what makes the overall progression malicious.

While both infrastructures and attack patterns have evolved over the last few years, security solutions in the detection and response space have remained isolated and point-focused. Endpoint-based security solutions provide isolated results on user endpoints/hosts, while network-based security solutions report isolated suspicious network results. Such isolated results either get lost in the noise of signals generated in an infrastructure of scale, or require human effort for top-down investigation. What is absent is a security fabric that would 1) automatically sequence causal chains of events in activity progressions as they navigate, and 2) rank those chains based on the degree of suspiciousness accumulated. Such a fabric would autonomously surface threat progressions from a plethora of benign signals, similar to the ones reported, and allow the SOC to intercept them at a stage before damages such as data capture and exfiltration.

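The comment above argues that individually weak signals become compelling once they are sequenced into a causal chain and scored cumulatively. The following is an added illustration, not code from the comment or from any vendor product: it assumes each sensor event carries a suspicion weight and an optional `cause` link (the event it is causally downstream of, as a sensor might derive from process lineage or connection context), groups constructed events into chains by following those links to a root, and ranks the chains by accumulated score.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ALERT_THRESHOLD = 5.0  # no single constructed event reaches this; an accumulated chain can

@dataclass
class Event:
    eid: str
    ts: int                      # hours since first observation (constructed clock)
    host: str
    technique: str
    score: float                 # suspicion weight assigned by the reporting sensor
    cause: Optional[str] = None  # eid of the event that causally led here (assumed field)

# Constructed sample telemetry: one slow, cross-host progression plus isolated noise.
EVENTS = [
    Event("e1", 0,   "build-01", "unsigned_dll_load",  1.5),
    Event("e2", 48,  "build-01", "periodic_dns_query", 1.0, cause="e1"),
    Event("e3", 300, "build-01", "remote_logon_out",   1.5, cause="e2"),
    Event("e4", 300, "fs-02",    "remote_logon_in",    0.5, cause="e3"),
    Event("e5", 410, "fs-02",    "archive_staging",    2.0, cause="e4"),
    Event("n1", 10,  "ws-17",    "periodic_dns_query", 1.0),  # same technique, no lineage
    Event("n2", 220, "ws-42",    "unsigned_dll_load",  1.5),  # same technique, no lineage
]

def build_chains(events):
    """Group events by the root of their causal lineage, each chain ordered by time."""
    by_id = {e.eid: e for e in events}
    def root_of(e):
        seen = set()
        while e.cause in by_id and e.eid not in seen:  # bounded walk tolerates malformed cycles
            seen.add(e.eid)
            e = by_id[e.cause]
        return e.eid
    chains = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):  # stable sort keeps e3 before e4 at equal ts
        chains[root_of(e)].append(e)
    return chains

def rank_chains(events):
    """Score each chain by its accumulated suspicion and rank the highest first."""
    ranked = []
    for rid, evs in build_chains(events).items():
        ranked.append({"root": rid, "score": sum(e.score for e in evs),
                       "hosts": sorted({e.host for e in evs}),
                       "span_hours": evs[-1].ts - evs[0].ts,
                       "steps": [e.technique for e in evs]})
    return sorted(ranked, key=lambda c: c["score"], reverse=True)
```

Calling `rank_chains(EVENTS)` places the build-01/fs-02 progression first at 6.5, above the threshold, while every individual event and both noise chains stay below it.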
David Brilliant, Security Engineer
InfoSec Expert
December 16, 2020 7:39 pm

The fallout of this supply chain attack will not be known for months. It is impossible to determine at this time the true extent of the attack. Given that it is suspected that the attacker is a nation-state actor, government agencies were likely the true target of the attack. Had FireEye not been able to detect this vulnerability and breach, nobody would know that an attack had occurred or was occurring.

Customers of this technology should assume that they are breached, and begin activating their incident response plans. In tandem with incident response, customers must begin to threat hunt on their network to look for any signs of persistence. Given that FireEye released countermeasures, they should be immediately put into place on all networks where the SolarWinds product could have touched.

Information Security Buzz