Nearly One-Third of Attack Targets Weren’t Running SolarWinds

Approximately one-third of organizations affected by the SolarWinds supply chain attacks weren’t actually running the IT management company’s affected software.

Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), said in an interview that 30% of victims weren’t running SolarWinds’ Orion platform but suffered a compromise anyway.

Those responsible for the attack “gained access to their targets in a variety of ways,” Wales said, as quoted by the Wall Street Journal. “This adversary has been creative. It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”

Investigators familiar with the matter said that the attackers resorted to exploiting vulnerabilities in other software and guessing online passwords to gain access to some of their victims’ systems. 

In a statement posted online, Malwarebytes confirmed that it too had fallen victim to the SolarWinds attack despite not using the company’s software. Its researchers confirmed “the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”

Malwarebytes was one of seven confirmed security firms that had suffered an intrusion by the SolarWinds attackers at the time of writing this article. 

Vasu Jakkal, Microsoft's corporate vice president of security, compliance and identity, reflected on this revelation and subsequently told ZDNet that the SolarWinds attack “is not an outlier” and that it “is going to be the norm.” 

What Does This All Mean Going Forward?

To find out, I sat down with Lior Div, CEO and co-founder of Cybereason. Here’s what he said:

David Bisson: Gartner forecasted that worldwide spending on information security would grow to reach $123.8 billion by the end of 2020. Do you feel that spending should have prevented what happened with SolarWinds?

Lior Div: If anything, the massive security spend proves two things: first, that it is extremely difficult to prevent data and information breaches; second, it proves that just throwing more money at stopping breaches isn’t working for most companies and that security teams are chasing threats down a never-ending rabbit hole of despair. This is so massive a problem that it should have every C-Suite and Corporate Board across the globe on high alert. 

DB: Let’s dig into something you just said, the part about “chasing threats down a never-ending rabbit hole of despair.” Are you saying something about the way in which adversaries themselves like the SolarWinds attackers are changing?

LD: The adversary has a huge advantage over defenders. Nation-states such as Russia, China, Iran and North Korea employ some of the most skilled individuals in the malicious operations trade. On top of that, there are thousands of other profitable cybercrime groups in all corners of the world. 

DB: Okay, but where does the “never-ending rabbit hole of despair” come in?

LD: Today, traditional security products being used by security analysts are hopelessly alert-centric and generate volumes upon volumes of information that appear seemingly unconnected, lack context and take too much time to investigate to understand how they are related—even when they are part of the same attack. From a defender’s point of view, we can never win our daily battles by spending our time chasing uncorrelated alerts. To truly stay effective, we must quickly identify and respond to malicious operations with surgical precision, finding a path forward by future-proofing tomorrow’s enterprise. We need to detect earlier and remediate faster; to think, adapt and act more swiftly than attackers can adjust their tactics; and to have the confidence as defenders that we can always identify, intercept and eliminate emerging threats in a matter of minutes rather than days or weeks. 

DB: I understand. So, what does that look like in practice?

LD: The SolarWinds supply chain attacks highlight the need to shift away from the old alert-centric paradigm of looking for noisy attacks based on threat intelligence and other Indicators of Compromise (IOCs) alone. This is made clear by the fact that thousands of organizations missed the attacks for several months or longer. Detecting and swiftly ending these highly crafted, low-and-slow malicious operations requires real-time analysis of the more subtle Indicators of Behavior (IOBs). These behaviors on their own may include normal processes and activity we’d expect to see on a network, but in combination, they produce circumstances that give the attacker an advantage. Correlating these chains of behavior will reveal even the stealthiest of malicious activity by an adversary on the network, allowing defenders to detect an attack at the earliest stages, long before it escalates to a serious breach event.
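To make the IOC-versus-IOB distinction concrete, here is an added illustration (not Cybereason's code or the original article's) of the correlation idea Div describes: a handful of endpoint events that each score below an alerting threshold on their own, and a correlator that links them along process lineage on one host within a time window so the chain surfaces as a single operation. All event data, behavior labels, scores, the `ATTACK_CHAIN` pattern and the 600-second window are constructed for the example; they are not SolarWinds indicators.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    ts: int        # seconds (constructed clock)
    host: str
    pid: int
    ppid: int
    behavior: str  # a coarse Indicator of Behavior label assigned by sensor logic (constructed)
    detail: str

# Per-behavior risk scores (constructed). None reaches ALERT_THRESHOLD alone,
# which is exactly why an alert-centric view stays silent on this data.
BEHAVIOR_SCORE = {
    "office_app_spawns_shell": 40,
    "outbound_to_uncategorized_domain": 20,
    "scheduled_task_created": 15,
    "browser_outbound": 5,
    "admin_tool_task": 10,
}
ALERT_THRESHOLD = 70

# The operation we want to surface: a shell spawned from an office app, then a
# descendant of that shell talks to an uncategorized domain, then it persists.
ATTACK_CHAIN = ["office_app_spawns_shell",
                "outbound_to_uncategorized_domain",
                "scheduled_task_created"]

# Constructed sample telemetry: one real chain on ws-17 plus unrelated noise.
SAMPLE_EVENTS = [
    Event(1000, "ws-17", 400, 300, "office_app_spawns_shell", "winword -> cmd"),
    Event(1010, "ws-17", 250, 1, "browser_outbound", "browser -> cdn.example"),
    Event(1045, "ws-17", 410, 400, "outbound_to_uncategorized_domain", "powershell -> new-domain.example"),
    Event(1050, "ws-02", 900, 1, "admin_tool_task", "deploy tool creates task"),
    Event(1100, "ws-17", 410, 400, "scheduled_task_created", "schtasks /create ..."),
    Event(1120, "ws-02", 905, 1, "scheduled_task_created", "unrelated task on other host"),
]

def per_event_alerts(events: List[Event]) -> List[Event]:
    """Alert-centric view: only events whose own score crosses the threshold."""
    return [e for e in events if BEHAVIOR_SCORE.get(e.behavior, 0) >= ALERT_THRESHOLD]

def build_parent_map(events: List[Event]) -> Dict[Tuple[str, int], int]:
    """(host, pid) -> ppid, learned from whatever telemetry we have seen."""
    return {(e.host, e.pid): e.ppid for e in events}

def lineage(parents: Dict[Tuple[str, int], int], host: str, pid: int) -> set:
    """The process itself plus every ancestor we know about (cycle-safe)."""
    seen = set()
    while pid not in seen and (host, pid) in parents:
        seen.add(pid)
        pid = parents[(host, pid)]
    seen.add(pid)
    return seen

def find_operations(events: List[Event], pattern: List[str], window: int) -> List[List[Event]]:
    """Operation-centric view: ordered behavior chains on one host, each step
    executed by the previous step's process or one of its descendants, all
    inside `window` seconds of the first step."""
    events = sorted(events, key=lambda e: e.ts)
    parents = build_parent_map(events)
    operations = []
    for i, first in enumerate(events):
        if first.behavior != pattern[0]:
            continue
        chain = [first]
        for ev in events[i + 1:]:
            if ev.ts - first.ts > window:
                break
            if ev.host != first.host or ev.behavior != pattern[len(chain)]:
                continue
            # lineage check: the new step must run in the prior step's process tree
            if chain[-1].pid not in lineage(parents, ev.host, ev.pid):
                continue
            chain.append(ev)
            if len(chain) == len(pattern):
                operations.append(chain)
                break
    return operations

def operation_score(chain: List[Event]) -> int:
    """Score of the correlated chain; the sum crosses the bar the parts did not."""
    return sum(BEHAVIOR_SCORE.get(e.behavior, 0) for e in chain)

if __name__ == "__main__":
    print("per-event alerts:", per_event_alerts(SAMPLE_EVENTS))
    for op in find_operations(SAMPLE_EVENTS, ATTACK_CHAIN, window=600):
        print(f"operation on {op[0].host} score={operation_score(op)}")
        for e in op:
            print(f"  t={e.ts} pid={e.pid} ppid={e.ppid} {e.behavior}: {e.detail}")
```

Run as-is, the alert-centric pass returns nothing, while the correlator returns one operation on ws-17 whose combined score (75) exceeds the threshold; the lone scheduled task on ws-02 is never linked because it shares neither host nor lineage with a preceding chain step.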

Embracing an Operation-Centric Approach

Cybereason helps organizations to move beyond alerting and to leverage an operation-centric approach and focus on detecting the earliest signs of the initial attack sequence itself. It does so by providing customers with context-rich and correlated visualizations into chains of behaviors that would reveal a SolarWinds-style attack. To learn more about how Cybereason can help your organization bolster its security defenses and make the shift from detecting IOCs to analyzing IOBs, click here.

About the Author

David Bisson

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.
