SolarWinds Attacks Highlight Advantage of Indicators of Behavior for Early Detection

I’ve talked about the SolarWinds supply chain attacks more than anyone would care to hear over the past month or so (just ask anyone who knows me), and key points from a few of those discussions have made their way into the public sphere here and here.

Each week has brought new insights into what happened. Most of those updates have confirmed what we already knew: whoever perpetrated these attacks was intent on not being detected. The most recent update on the attacks was no exception.

The Many Faces of the SolarWinds Attackers’ Evasion Efforts

On January 20, 2021, Microsoft released its latest analysis of the campaign. The purpose of this investigation was to find the missing link between SUNBURST, the backdoor that the attackers delivered to victim networks inside trojanized SolarWinds software updates, and one of several custom Cobalt Strike loaders, including TEARDROP and Raindrop.

This effort found that those responsible for the SolarWinds attack had tried to keep SUNBURST separate from the Cobalt Strike loaders as much as possible. According to Microsoft, the attackers wanted to make sure the compromised SolarWinds binary and the supply chain attack itself remained undetected even if security researchers managed to detect the Cobalt Strike implant.

Over the course of their investigation, Microsoft found that the malicious actors had used the SolarWinds process to create an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe. Windows starts whatever program an IFEO Debugger value names in place of the target program, so this gave the attackers both persistence and a trigger: the next time dllhost.exe was due to launch, wscript.exe ran instead.

That wscript.exe process ran a VBScript file, which in turn launched rundll32.exe, and rundll32.exe invoked the Cobalt Strike DLL. The resulting parent/child process tree was entirely separate from the SolarWinds process. But that’s not all the Redmond-based company found in its analysis. Microsoft also took a look at the attackers’ operational security (OpSec) and found that they had used various tactics, techniques and procedures (TTPs) to evade detection.
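The chain just described (an IFEO Debugger value planted for dllhost.exe, wscript.exe firing in its place, rundll32.exe spawned underneath) is something endpoint telemetry can reconstruct even when every file name is unique. The following is an added example, not code from the original post or from Microsoft’s analysis: it runs over constructed records whose fields loosely follow Sysmon’s registry-set and process-create events. Host names, PIDs, the .vbs and .dll names and the SUSPICIOUS_DEBUGGERS list are assumptions made for illustration.

```python
# Added example, not code from the original post or from Microsoft's analysis.
# It reconstructs the IFEO "Debugger" execution chain described above from
# constructed endpoint telemetry whose fields loosely follow Sysmon's
# registry-set (Event ID 13) and process-create (Event ID 1) records.
# Host names, PIDs, paths, the .vbs and the .dll names are all made up.
import ntpath
import re

IFEO_DEBUGGER = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.IGNORECASE
)

# Script hosts and LOLBins that have no business being an IFEO debugger.
# A real debugger (windbg.exe, cdb.exe, ...) is the expected value there.
SUSPICIOUS_DEBUGGERS = {
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "powershell.exe", "cmd.exe",
}


def argv0(command_line):
    """First token of a Windows command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command_line)
    return (m.group(1) or m.group(2)) if m else ""


def base(path):
    """Lower-case file name of a Windows path or command-line token."""
    return ntpath.basename(path.strip('"')).lower()


def find_ifeo_chains(events):
    """Return one chain per (host, hijacked exe) where a suspicious IFEO
    debugger was planted and later fired, plus whatever the debugger spawned."""
    chains = {}
    for ev in events:
        if ev["type"] != "registry_set":
            continue
        m = IFEO_DEBUGGER.search(ev["target"])
        if not m:
            continue
        debugger = base(argv0(ev["details"]))
        if debugger not in SUSPICIOUS_DEBUGGERS:
            continue
        hijacked = m.group("exe").lower()
        chains[(ev["host"], hijacked)] = {
            "host": ev["host"], "hijacked": hijacked, "debugger": debugger,
            "planted_by": base(ev["image"]), "fired_pid": None,
            "stages": [("ifeo_debugger_set", ev["details"])],
        }
    for ev in events:
        if ev["type"] != "process_create":
            continue
        image = base(ev["image"])
        for (host, hijacked), chain in chains.items():
            if host != ev["host"]:
                continue
            # When the entry fires, Windows starts the debugger and appends the
            # original command line, so the hijacked exe's name shows up as a
            # trailing argument of the debugger process.
            if image == chain["debugger"] and hijacked in ev["command_line"].lower():
                chain["fired_pid"] = ev["pid"]
                chain["stages"].append(("ifeo_debugger_fired", ev["command_line"]))
            # Whatever the debugger process spawns is the next link in the chain.
            elif chain["fired_pid"] is not None and ev["ppid"] == chain["fired_pid"]:
                chain["stages"].append(("child_of_debugger", ev["command_line"]))
    return [c for c in chains.values() if len(c["stages"]) >= 2]


SAMPLE_EVENTS = [  # constructed; this is not real SolarWinds telemetry
    {"type": "registry_set", "host": "WS-101", "pid": 4120,
     "image": r"C:\Program Files\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger",
     "details": r"wscript.exe C:\Windows\Temp\example.vbs"},
    # A developer's legitimate IFEO entry pointing at a real debugger: not flagged.
    {"type": "registry_set", "host": "DEV-7", "pid": 900,
     "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger",
     "details": r"C:\Debuggers\windbg.exe"},
    # The hijack fires: svchost meant to start dllhost.exe, wscript.exe ran instead.
    {"type": "process_create", "host": "WS-101", "pid": 5008, "ppid": 812,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"wscript.exe C:\Windows\Temp\example.vbs C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"type": "process_create", "host": "WS-101", "pid": 5020, "ppid": 5008,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"rundll32.exe C:\Windows\Temp\example_loader.dll,Start"},
    # Benign wscript use: a logon script under explorer, no hijacked exe appended.
    {"type": "process_create", "host": "WS-101", "pid": 5100, "ppid": 3001,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs"},
]

if __name__ == "__main__":
    for chain in find_ifeo_chains(SAMPLE_EVENTS):
        print(f"{chain['host']}: {chain['hijacked']} hijacked by {chain['debugger']}"
              f" (planted by {chain['planted_by']})")
        for stage, detail in chain["stages"]:
            print(f"  {stage:22} {detail}")
```

Nothing in this logic depends on a hash or a file name: the signal is that a script host was registered as a "debugger", that it started with another program’s command line appended, and that a child process followed. Renaming the .vbs or recompiling the DLL changes none of that.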

These methods included the following behaviors:

The attack campaign prepared a unique Cobalt Strike DLL implant for each machine and avoided reusing folder names, file names and export function names, as well as other components such as command and control (C2) domains and timestamps.

Malicious actors renamed their tools and binaries and placed them in folders that impersonated legitimate native programs and files already present on the compromised machine.

Prior to engaging in extensive hands-on-keyboard activity, the threat actors used AUDITPOL to disable event logging. They used the same tool to re-enable it once they were done.

The attackers similarly prepared special firewall rules to limit outgoing packets for certain protocols while they carried out their espionage on a targeted network. They removed those firewall rules once they had concluded the reconnaissance stage of their operation.

The malicious actors carefully planned for each instance of lateral movement by first enumerating remote processes and services that were running on the targeted host. They then moved laterally only after they had disabled some security services.

Finally, the attackers used timestomping techniques to change the timestamps of artifacts, along with sophisticated wiping procedures, to make it more difficult for security researchers to find and recover their DLL implants.
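Each behavior in the list above is, on its own, something an administrator might legitimately do; the tell is the ordered sequence: disable auditing, open a firewall hole, enumerate a remote host, stop a service there, execute remotely, then put the firewall and auditing back. The following is an added example, not code from the original post and not any vendor’s detection logic: it classifies constructed process-creation records into stages and only reports a host when the distinct stages add up to a chain. Host names, rule and service names, timestamps and the stage weights are all assumptions for illustration; timestomping is not covered because it does not show up in command lines and needs a file-metadata source.

```python
# Added example, not code from the original post: correlating the individually
# low-signal OpSec steps listed above into one time-ordered chain per host.
# Events are constructed; host names, rule names, service names and timestamps
# are made up, and the stage weights are illustrative.
import re
from collections import defaultdict

# (stage, weight, regex over the command line). Order matters: the first match
# wins, so the more specific remote-execution rules come before plain
# enumeration. Read-only use of the same tools (auditpol /get, netsh ... show,
# a local tasklist) deliberately matches nothing.
STAGE_RULES = [
    ("audit_logging_disabled", 3, re.compile(r"\bauditpol(?:\.exe)?\b.*/set\b.*disable", re.I)),
    ("audit_logging_restored", 1, re.compile(r"\bauditpol(?:\.exe)?\b.*/set\b.*enable", re.I)),
    ("firewall_rule_added",    2, re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd rule\b", re.I)),
    ("firewall_rule_removed",  2, re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bdelete rule\b", re.I)),
    ("lateral_movement",       4, re.compile(r"\bwmic\b.*/node:\S+.*\bprocess\s+call\s+create\b|\bpsexec\b|\bwinrs\b.*-r:", re.I)),
    ("remote_service_stopped", 3, re.compile(r"\bsc(?:\.exe)?\s+\\\\\S+\s+(?:stop|config)\b", re.I)),
    ("remote_enumeration",     1, re.compile(r"\b(?:sc|tasklist|wmic)(?:\.exe)?\b.*(?:\\\\\S+|/s[: ]|/node:)", re.I)),
]


def classify(command_line):
    """Map one command line to (stage, weight), or None if it is unremarkable."""
    for stage, weight, rx in STAGE_RULES:
        if rx.search(command_line):
            return stage, weight
    return None


def build_chains(events, min_score=8):
    """Group stage hits per host in time order and report hosts whose distinct
    stages add up to min_score and either include lateral movement or show the
    disable-then-restore bracket around the rest of the activity."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev["command_line"])
        if hit:
            per_host[ev["host"]].append((ev["ts"], hit[0], hit[1], ev["command_line"]))
    chains = []
    for host, hits in per_host.items():
        stages = [stage for _, stage, _, _ in hits]
        # Score distinct stages, so repeating one step does not inflate a host.
        score = sum({stage: w for _, stage, w, _ in hits}.values())
        bracketed = (stages[0] == "audit_logging_disabled"
                     and stages[-1] == "audit_logging_restored")
        if score >= min_score and ("lateral_movement" in stages or bracketed):
            chains.append({"host": host, "score": score, "bracketed": bracketed,
                           "stages": stages, "timeline": hits})
    return chains


SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    # WS-101: the whole sequence, in the order the Microsoft write-up describes.
    {"host": "WS-101", "ts": "2021-01-05T02:10:00Z", "command_line": 'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"host": "WS-101", "ts": "2021-01-05T02:11:00Z", "command_line": 'netsh advfirewall firewall add rule name="CoreNet-Tmp" dir=out action=block protocol=UDP remoteport=137'},
    {"host": "WS-101", "ts": "2021-01-05T02:15:00Z", "command_line": r"sc.exe \\FILESRV-2 query"},
    {"host": "WS-101", "ts": "2021-01-05T02:16:00Z", "command_line": "tasklist /S FILESRV-2"},
    {"host": "WS-101", "ts": "2021-01-05T02:20:00Z", "command_line": r"sc.exe \\FILESRV-2 stop ExampleEndpointSvc"},
    {"host": "WS-101", "ts": "2021-01-05T02:22:00Z", "command_line": r'wmic /node:FILESRV-2 process call create "cmd.exe /c C:\Windows\Temp\example.bat"'},
    {"host": "WS-101", "ts": "2021-01-05T02:40:00Z", "command_line": 'netsh advfirewall firewall delete rule name="CoreNet-Tmp"'},
    {"host": "WS-101", "ts": "2021-01-05T02:41:00Z", "command_line": 'auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable'},
    # ADMIN-3: an administrator looking, not changing. None of these match a rule.
    {"host": "ADMIN-3", "ts": "2021-01-05T09:00:00Z", "command_line": "auditpol /get /category:*"},
    {"host": "ADMIN-3", "ts": "2021-01-05T09:01:00Z", "command_line": "netsh advfirewall firewall show rule name=all"},
    {"host": "ADMIN-3", "ts": "2021-01-05T09:02:00Z", "command_line": "tasklist /v"},
    # FILESRV-2: one firewall change on its own is a stage, but not a chain.
    {"host": "FILESRV-2", "ts": "2021-01-05T11:00:00Z", "command_line": 'netsh advfirewall firewall add rule name="Web" dir=in action=allow protocol=TCP localport=443'},
]

if __name__ == "__main__":
    for chain in build_chains(SAMPLE_EVENTS):
        print(f"{chain['host']}: score {chain['score']}, bracketed={chain['bracketed']}")
        for ts, stage, _, cmd in chain["timeline"]:
            print(f"  {ts} {stage:24} {cmd}")
```

The point of the scoring is that FILESRV-2’s single firewall change and ADMIN-3’s read-only commands never surface, while WS-101 surfaces because of the order and combination of steps, not because any one command line matched a known-bad string.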

The tech giant noted that it was working with MITRE, a US not-for-profit organization, to ensure that any new techniques observed in this campaign could be added to a future version of the ATT&CK framework.

A Call for Analyzing IOBs, Not IOCs

Taken together, the techniques discussed above show why security teams can’t rely solely upon Indicators of Compromise (IOCs) to detect sophisticated attackers. As I explained on Forbes, malicious actors who know what they’re doing compile their code uniquely so that it matches no known file hash or malware signature, which renders IOCs ineffective for detection and makes it impossible for signature-based anti-malware solutions to provide sufficient protection across multiple organizations using the same indicators.

Not only that, but advanced attackers also commonly inject false artifacts into IOC databases to ratchet up the noise and thereby complicate organizations’ response efforts. They do this while using Living off the Land (LotL) techniques and fileless malware in an attempt to leave as few traces of malicious activity behind as possible.

The security community is not bound to protecting organizations using IOCs alone, however. They can turn to what’s known as Indicators of Behavior (IOBs). I noted elsewhere on this blog how IOBs describe the approach that malicious actors take over the course of an attack. They are subtle chains of malicious behavior that can reveal an attack at its earliest stages, which is why they are so powerful in detecting campaigns such as the SolarWinds attacks. 

Eventually, attackers do malicious things; their paths diverge from other paths. IOBs are not about anomalies or a single indicator of malice at a moment in time, although that is part of it. They are about highlighting the paths and chains of behaviors that stand out from the background of other behaviors in an organization.

Rather than focusing on the individual episodes of the journey, IOBs cut across them. Behavioral analysis has a chance of spotting a process that is behaving differently, sure, but behavior becomes clearly and demonstrably bad over multiple stages, such as those observed in the SolarWinds campaign.

Most systems are collectors of security and related telemetry, with the occasional behavior thrown in, but more behavioral instrumentation and analysis is needed if we expect to detect advanced attacks like the SolarWinds campaign. This operation-centric approach to detecting and remediating attacks early, by leveraging key indicators that other solutions miss, was central to our development of the Cybereason Defense Platform.

By looking at IOBs, it’s possible to not only gain full visibility of an attack chain that’s already happened, but to also use that same progression of threat behaviors to protect organizations against similar attacks in the future. All it takes is the right solution to show you how. 

Leveraging IOBs for an Operation-Centric Approach

So let’s look at the role IOBs would play, given that there were no IOCs available for detecting and blocking a novel threat like the one described in Microsoft’s analysis of the SolarWinds campaign, where traditional approaches obviously failed to detect the threat.

Regardless of the fact that the malicious code appeared to be part of a legitimate software update signed by a valid digital certificate, Cybereason recognizes the seemingly innocuous chains of behaviors and detects and blocks them based on a deeper understanding of how malicious operations (Malops) actually work:

Malicious actors renamed their tools and binaries to obfuscate them: detection by the Cybereason Defense Platform does not depend upon trusting what the system identifies as “legitimate” files or processes; if the behavior of those files or processes is statistically rare (or inherently bad, as in the case of using a DGA), especially when associated with other activity of potentially high value to an attacker, a Malop™ is triggered and the behaviors are correlated across all devices and users to reveal the full sequence of the attack.

Use of AUDITPOL to disable event logging: this tool is used to configure and manage audit policy settings and requires elevated privileges; the Cybereason Defense Platform recognizes that this behavior is potentially of great value to an attacker and would trigger a Malop to expose the connection between that activity and other rare chains of behavior that together produce favorable outcomes for an attacker.

Addition and removal of firewall rules: similarly, the manipulation of firewall rules on targeted machines stands out as an aberration when seen alongside other rarely observed activity that, taken together, serves an attacker’s goals, revealing these key stages in the attack sequence.

Lateral movement on the network after other seemingly benign behavior: aside from the fact that the attackers exited upon encountering Cybereason’s NGAV - as was the case with several other products that have ML-based prevention technology covering identity, systems and files - the sequence of events up to this point colors the whole behavioral chain because of the lateral movement. The behavioral chain itself is the Malop; the unit of escalation and interaction is the chain, not merely a moment on it.

Timestomping artifacts: the Cybereason Defense Platform does not rely solely on forensic evidence gathered after an attack has occurred, so altering timestamps does not hide the activity. For example, when the attackers attempted to initiate the Domain Generation Algorithm (DGA) stage to establish command and control (C2), Cybereason recognizes this behavior as malicious and presents the activity within the context of the other indicators of behavior in the Malop, revealing the full narrative of the attack sequence at the earliest stages, before the attack escalates to the level of a breach.
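The DGA stage mentioned above is a good illustration of a behavior that is “inherently bad” in shape rather than in name: the subdomains are freshly generated, so no domain list will ever contain them, but a host resolving a stream of distinct, long, high-entropy labels under one parent domain is rare on its own. The following is an added example, not code from the original post and not Cybereason’s method: a small heuristic over constructed DNS query records. The host names and domains are made up (.test is a reserved TLD), the registered-domain split assumes the last two labels, and the length, entropy and distinct-label thresholds are illustrative.

```python
# Added example, not code from the original post and not Cybereason's method:
# a simple heuristic for the DGA-style C2 stage mentioned above, run over
# constructed DNS query records. Hosts and domain names are made up (.test is
# a reserved TLD) and the thresholds are illustrative.
import math
from collections import Counter, defaultdict


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(label, min_len=12, min_entropy=3.5):
    """Long and high-entropy: the shape of an algorithmically generated label."""
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def parent_domain(fqdn):
    """Assumption: the registered domain is the last two labels. Production
    code should consult the Public Suffix List (co.uk, com.au, ...)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def find_dga_beacons(dns_events, min_distinct=5):
    """Flag (host, parent domain) pairs that resolved many *distinct*
    generated-looking subdomains. One odd label (a CDN cache name, a
    cloud-generated hostname) is common; a stream of fresh ones is not."""
    seen = defaultdict(set)
    for ev in dns_events:
        query = ev["query"].lower().rstrip(".")
        leftmost = query.split(".")[0]
        if looks_generated(leftmost):
            seen[(ev["host"], parent_domain(query))].add(leftmost)
    return [
        {"host": host, "parent_domain": parent, "distinct_labels": len(labels)}
        for (host, parent), labels in seen.items()
        if len(labels) >= min_distinct
    ]


SAMPLE_DNS = [  # constructed DNS query log, not real SolarWinds traffic
    # WS-101: six different generated labels under one parent domain.
    {"host": "WS-101", "query": "k7r2p9m4x1z6q3.example-cloud.test"},
    {"host": "WS-101", "query": "h3v8c5n0t2w6j9y.example-cloud.test"},
    {"host": "WS-101", "query": "b4f7l1s8d3g6u0.example-cloud.test"},
    {"host": "WS-101", "query": "e9a2o5i8r1t4y7.example-cloud.test"},
    {"host": "WS-101", "query": "m6p3q8z1x4c7v0.example-cloud.test"},
    {"host": "WS-101", "query": "n5w2j7k0l3h8g1.example-cloud.test"},
    # WS-202: ordinary traffic, including one hashed CDN label seen repeatedly.
    {"host": "WS-202", "query": "www.example.test"},
    {"host": "WS-202", "query": "d1a2b3c4d5e6f7.cdn-example.test"},
    {"host": "WS-202", "query": "d1a2b3c4d5e6f7.cdn-example.test"},
    {"host": "WS-202", "query": "d1a2b3c4d5e6f7.cdn-example.test"},
    {"host": "WS-202", "query": "mail.example.test"},
]

if __name__ == "__main__":
    for hit in find_dga_beacons(SAMPLE_DNS):
        print(f"{hit['host']}: {hit['distinct_labels']} generated-looking "
              f"subdomains under {hit['parent_domain']}")
```

The CDN label on WS-202 scores as “generated” in isolation, which is exactly why this signal should not stand alone: it is the count of distinct labels from one host, combined with the other stages of the chain, that turns a curiosity into an indicator of behavior.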

While this is all great news for Cybereason Defense Platform users, the larger takeaway is that the key to early detection of advanced operations like the SolarWinds attacks lies in leveraging IOBs. Likewise, the way to assume a future-proof security posture against SolarWinds-style attacks is to move to behaviors - and that means all behaviors, good and bad - and to make that the toolkit for detection and defense.

This is critical for defending against attackers who develop new techniques that evade IOC-based defenses. It means having a language in place to understand TTPs as a subset of all user, machine and object code behavior. This operation-centric approach, with visibility into complex Malops, allows defenders to detect and block threats at multiple stages early in the attack, and provides the most comprehensive endpoint prevention, detection and response approach on the market.

As with the SolarWinds supply chain attacks, future threat actors will evolve their approach to ensure they evade security vendors’ defenses and blend in, but they will not be able to mask the malevolent nature of the behaviors that form the foundation of the entire Malop. This is key to detecting and remediating faster, before an attack escalates to a compromise. Learn how Cybereason can help provide that level of protection.

About the Author

Sam Curry

Sam Curry is CSO at Cybereason and a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and CSO and SVP R&D at MicroStrategy, in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC, as Chief Technologist and SVP of Product. Sam also holds over 20 security patents from his time as a security architect, has been a leader in two successful startups, and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.
