On December 13, 2020, IT infrastructure management provider SolarWinds issued a Security Advisory regarding their SolarWinds Orion Platform after experiencing a “highly sophisticated” supply chain attack. According to researchers from security firm FireEye, the activity began as early as Spring 2020.
The Cybereason Defense Platform provides multi-layered protection and is designed to block advanced threats like the SolarWinds Supply Chain attack at multiple points during the attack sequence. The following blog explains how our platform will block the attack based on the Indicators of Compromise (IOCs), but more importantly how it can also block the attack based on the more subtle Indicators of Behavior (IOBs).
These attacks represent a new challenge for defenders. We have entered an era of continuous incident response where we cannot rely on prevention alone, especially when confronted with advanced attacks designed to bypass those defense approaches. It is no longer enough to block individual aspects of an attack and assume the entire attack has been disrupted. Today’s Malops (malicious operations) are multi-stage and often employ evasion and persistence capabilities at one or more of those stages.
Blocking a known threat is the very least one should expect from their endpoint protection solution. The trick with these more advanced attacks is to be able to detect and block an unknown threat, particularly one that the system recognizes as a legitimate software update.
So, when no IOCs are available to leverage in detecting and blocking a novel threat, as is the case with the SolarWinds campaign, traditional antivirus will fail to spot the threat. This is where signature-based protections alone fail to protect targeted systems, and why the next layer of protection offered by the Cybereason Defense Platform is superior Machine Learning (ML) for detecting unknown threats that traditional signature-based tools miss.
When the malware attempts to execute in memory, Cybereason recognizes the malicious properties of the code and quarantines the malware before it can cause any harm. This is an extra layer of necessary protection, but this is as far as most nextgen antivirus tools go in blocking advanced threats.
The Cybereason Defense Platform is purpose-built to detect and prevent the most advanced attack techniques, such as those leveraged in these recent attacks. When the malware attempts to initiate the Domain Generation Algorithm (DGA) stage to establish communications with the C2 servers, Cybereason recognizes this behavior as malicious and immediately blocks the threat.
Despite the fact that the malicious code appears to be part of a legitimate software update signed by a valid digital certificate, Cybereason recognizes the less obvious behaviors the code attempts to engage in and blocks it based on a deeper understanding of how Malops actually work, even if the threat is advanced enough to circumvent traditional signature AV and nextgen ML-based detections.
This capability is what makes the Cybereason Defense Platform truly future-ready: when attackers develop new techniques that evade other security solutions, Cybereason’s operation-centric approach and unparalleled visibility into complex Malops allow our solution to block threats at multiple stages of the attack and provide the most comprehensive endpoint prevention, detection and response on the market.
Furthermore, the Cybereason Defense Platform does not stop at just detecting and blocking known and unknown threats; every Malop the platform analyzes adds deeper context and new correlations that inform one or more of the detection layers to improve efficacy against new and complex attack techniques.
As with the SolarWinds Supply Chain Attacks, the threat actors can evolve their approach to ensure they evade other security vendors’ defenses, but they cannot mask the malevolent nature of their Malop, which is quickly recognized by the Cybereason Defense Platform and neutralized with automated or one-click remediation options.
Cybereason is the champion for today's cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry's top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop. Learn more about how to protect your organization against these attacks here.
About the Author
Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.