The SolarWinds supply chain compromise: We focused on customers first, and this is what we have learned so far

BY eSentire Threat Response Unit (TRU)

December 28, 2020

Even in a year as eventful as 2020, the SolarWinds supply chain breach is making headlines around the world, both because of the organizations that were compromised and because of the number of organizations put at risk as customers of SolarWinds using its popular Orion® IT monitoring and management software. The incident was discovered and revealed by the cybersecurity firm FireEye while it was investigating how its own Red Team tools had been stolen. This saga continues to unfold as additional information comes to light. But even as the story evolved and other companies rushed to comment, eSentire quietly went about what we always do: ensuring that our customers are prepared and protected.

In fact, within just a few hours of FireEye’s initial announcement on December 8th, we had already rolled out new esNETWORK detection rules and we were running esENDPOINT and esLOG queries against the CVEs targeted by FireEye’s stolen Red Team tools.

In this post we want to quickly run through:

Operationalizing threat intelligence is an everyday reality

Safeguarding our customers means keeping up with an endless stream of threat intelligence and turning that information into tangible assets and meaningful actions.

Sometimes that intel comes from threat feeds, sometimes it comes from advisories and often, it is gathered and processed automatically by our sensors and observed directly by one of our security analysts…you get the idea.

All day, every day, cybersecurity providers must grapple with new attack tools, new proof-of-concept (POC) exploits, new indicators of compromise (IOCs), and so on, and only a tiny fraction of these ever make the news.

Keeping up with this stream of information is a challenge (in fact, it is one of the biggest challenges all organizations and security service providers face), and doing so requires a synthesis of people and technology within a framework of operationalized processes. We have been doing Managed Detection and Response (MDR) for 20 years, and in that time, we have invested heavily in creating the necessary platform.

We were able to take such quick action because responding to events like this is what we do, all day, every day. Our Atlas Extended Detection and Response (XDR) Cloud platform, working in concert with security experts in our 24x7 Security Operations Centers (SOC) and with members of our elite Threat Response Unit (TRU) security research team, detects and responds to everything from the most mundane threat to the most lethal. And we have two decades of muscle memory upon which to draw.

Detecting and containing threats requires keeping up with an endless stream of operational threat intelligence and turning it into meaningful action: in this case, FireEye’s initial announcement was reflected in esNETWORK, esENDPOINT, esLOG, and eSentire’s Managed Vulnerability Service (MVS) within only a few hours.

A quick recap: how we responded to the FireEye and SolarWinds news

By this point, responding quickly and effectively to an event like the FireEye breach or the SolarWinds Orion Trojan is reflexive.

And unfortunately, it is also all-too-common: for instance, it was only a few months ago that the Zerologon vulnerability took center stage. Notably, the behavioral detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools; this is a subtle-but-important difference that speaks to our ability to consume information, augment it with our own research and leverage our understanding to make a real difference in the security posture of our customers.

esNETWORK detection launched within four hours of FireEye breach notification

Why operationalize threat intelligence? Within four hours of FireEye revealing on December 8th that their Red Team tools had been stolen, eSentire’s customers were running new detection rules in esNETWORK.

In parallel:

We also scheduled a webinar for December 17th (which is available on-demand) in which we reviewed the situation with customers and allowed them to pose questions to several of our cybersecurity experts, including members of our elite Threat Response Unit (TRU) team. All this information was communicated in a Threat Intelligence Advisory on December 9th, along with recommended actions and links to additional information.

Behind the scenes, we were coordinating with our own partners, including CrowdStrike, Microsoft, Sumo Logic, Tenable, and VMware Carbon Black.

Keeping customers informed

On December 11th, we issued a second Threat Intelligence Advisory as we continued to monitor the situation. By this point, we had observed numerous routine penetration testing instances using FireEye’s Red Team tools (all of which alerted appropriately), but no malicious activity was detected, and MVS covered all 16 of the FireEye CVEs.

The story evolves into a supply chain attack

On December 13th, FireEye disclosed a widespread global intrusion campaign that exploited vulnerabilities within the SolarWinds® Orion® Platform. Essentially, the threat actors created a Trojan that masqueraded as an Orion software update and took advanced measures to evade detection.

We added new detection and protection content for this specific threat based on information and countermeasures disclosed by SolarWinds, the Cybersecurity & Infrastructure Security Agency (CISA) and FireEye, and we updated our customers in a third Threat Intelligence Advisory which also included a new list of actions pertaining to managing the SolarWinds risk.

Information sharing and live Q&A with customers

Threat intelligence is also about keeping customers informed. On December 17th, we hosted our webinar, which of course was now about both the FireEye breach and the SolarWinds exploitation. More than 200 customer attendees tuned in to hear a presentation by five of our threat intelligence security experts and ask important questions.

What we have observed so far

To this point, based both on active scans and retroactive examination of IOCs dating back many months (FireEye suggested that the attack might have begun as early as Spring 2020):

Looking ahead: the broader risk

The SolarWinds breach is significant and deserves the attention it has received. Part of the reason it has received so much attention is the nature and identity of the organizations that were compromised, including government agencies and cybersecurity companies.

However, it must be duly noted that:

And herein lies the broader risk of not operationalizing threat intelligence: now that the main damage has been done (i.e., surreptitious access to sensitive information for many months) and the cat is out of the bag (i.e., the exploits and IOCs are known), there is a very real chance that access to many of those 18,000+ organizations—perhaps hundreds or even thousands—will be listed and sold on the dark markets that serve as the hub of the cybercrime economy.

As we explored in our recent Threat Intelligence Spotlight, Defending Against Modern Ransomware: Lessons from the SunWalker Incident, a well-structured and highly specialized cybercrime ecosystem has emerged in which Initial Access Brokers sell computer access to organizations.

In doing so, they have lowered the barrier to entry for others in the value chain, as no exploitation skills are required to gain access even to high-value targets (just think of the organizations named so far in the SolarWinds revelations). The average price to purchase such access runs between $1,000 and $10,000 USD, but access to high-value organizations can sell for upwards of $500,000. The buyer, often a ransomware gang, is then free to do whatever they want, unless and until they are detected.

The importance of multi-signal detection

Faced with such threats, multi-signal detection is an absolute requirement for threat intelligence. Just to drive home this point, here are a few other facts from the FireEye situation:

And, as noted earlier, the specifics of these incidents are unique, but the general nature is familiar. Many security professionals will recall the Citrix Netscaler vulnerability from December 2019, which also required network-based signals for detection.

Detecting the FireEye IOCs and performing retroactive analysis employs signals across endpoints, logs, and network traffic.

In summary: protect what you can, detect what you cannot protect

eSentire is the leader in Managed Detection and Response (MDR). In fact, this type of incident is why we invented MDR.

We have been here before, and that’s part of what you get when you become an eSentire customer: a security partner who responds quickly and effectively and communicates often.

We see an evolving story like the FireEye and SolarWinds saga as a powerful validation of MDR.

But in a way, we also see it as a bit of a distraction. This is one of those 1 in 10,000 events that really makes everyone sit up and take notice, but it is important not to overlook the 9,999 that are quietly out there—that is the reality we deal with on behalf of our customers.

We know from experience that there is a good chance that access to compromised networks will turn up for sale in cybercrime markets; we know from experience that adversaries continually tweak their tools, techniques and procedures (TTPs).

That is why we never let down our guard and why we continually, 24x7, operationalize threat intelligence and put it into action.

That is also why it is so important that organizations protect what they can, but some things cannot be sufficiently protected (whether because of zero-day attacks, resource limitations or simply the practical trade-off of security versus convenience). That is where detection and rapid time to containment become so critical, and where eSentire’s TRU team shines.

If you are not an eSentire customer, then we invite you to read about the SunWalker incident and ask yourself how you would have detected and responded to that attack—it is a worthwhile exercise that may prevent future disaster.

We encourage everyone to take this developing story as a reminder about:
