Even in a year as eventful as 2020, the SolarWinds supply chain breach is making headlines around the world due to the organizations that were compromised and the number of organizations put at risk as a result of being customers of SolarWinds and using their popular Orion® IT monitoring and management software. This incident was discovered and revealed by the cybersecurity firm FireEye while investigating how their own Red Team tools had been stolen. This saga continues to unfold as additional information comes to light. But even as the story evolved and other companies rushed to comment, eSentire quietly went about what we always do: ensuring that our customers are prepared and protected.
In fact, within just a few hours of FireEye’s initial announcement on December 8th, we had already rolled out new esNETWORK detection rules and we were running esENDPOINT and esLOG queries against the CVEs targeted by FireEye’s stolen Red Team tools.
In this post we want to quickly run through:
- The importance of operationalizing threat intelligence
- How we responded to the FireEye and SolarWinds announcements
- What we have observed so far
- The broader threat that seems to be taking a backseat to the headline news
Operationalizing threat intelligence is an everyday reality
Safeguarding our customers means keeping up with an endless stream of threat intelligence and turning that information into tangible assets and meaningful actions.
Sometimes that intel comes from threat feeds, sometimes it comes from advisories, and often it is gathered and processed automatically by our sensors and observed directly by one of our security analysts. You get the idea.
All day, every day, cybersecurity providers must grapple with new attack tools, new proof-of-concept (POC) exploits, new indicators of compromise (IOCs), and so on, and only a tiny fraction of these ever make the news.
Keeping up with this stream of information is a challenge—in fact, it is one of the biggest challenges all organizations and security service providers face—and doing so requires a synthesis of people and technology within a framework of operationalized processes. We have been doing Managed Detection and Response (MDR) for 20 years, and in that time we have invested heavily in creating the necessary platform.
We were able to take such quick action because responding to events like this is what we do, all day, every day. Our Atlas Extended Detection and Response (XDR) Cloud platform, working in concert with security experts in our 24x7 Security Operations Centers (SOC) and with members of our elite Threat Response Unit (TRU) security research team, detects and responds to threats ranging from the most mundane to the most lethal. And we have two decades of muscle memory upon which to draw.
Detecting and containing threats requires keeping up with an endless stream of operational threat intelligence and turning it into meaningful action: in this case, FireEye’s initial announcement was reflected in esNETWORK, esENDPOINT, esLOG, and eSentire’s Managed Vulnerability Service (MVS) within only a few hours.
A quick recap: how we responded to the FireEye and SolarWinds news
By this point, responding quickly and effectively to an event like the FireEye breach or the SolarWinds Orion Trojan is reflexive.
And unfortunately, it is also all-too-common: for instance, it was only a few months ago that the Zerologon vulnerability took center stage. Notably, the behavioral detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools; this is a subtle-but-important difference that speaks to our ability to consume information, augment it with our own research and leverage our understanding to make a real difference in the security posture of our customers.
esNETWORK detection launched within four hours of FireEye breach notification
Why operationalize threat intelligence? Within four hours of FireEye revealing on December 8th that their Red Team tools had been stolen, eSentire’s customers were running new detection rules in esNETWORK.
- esENDPOINT hashes were being queried and checked against the IOCs provided by FireEye
- Our security analysts were examining additional esLOG and esENDPOINT rules for new and refined detection opportunities
- eSentire Managed Vulnerability Service (MVS) customers had coverage for 15 of the 16 CVEs provided by FireEye—MVS customers could also review their own scan reports in the eSentire Insight Portal
We also scheduled a webinar for December 17th (which is available on-demand) in which we reviewed the situation with customers and allowed them to pose questions to several of our cybersecurity experts, including members of our elite Threat Response Unit (TRU) team. All this information was communicated in a Threat Intelligence Advisory on December 9th, along with recommended actions and links to additional information.
Behind the scenes, we were coordinating with our own partners, including CrowdStrike, Microsoft, Sumo Logic, Tenable, and VMware Carbon Black.
Keeping customers informed
On December 11th, we issued a second Threat Intelligence Advisory as we continued to monitor the situation. By this point, we had observed numerous routine penetration testing instances using FireEye’s Red Team tools (all of which alerted appropriately), but no malicious activity was detected, and MVS covered all 16 of the FireEye CVEs.
The story evolves into a supply chain attack
On December 13th, FireEye disclosed a widespread global intrusion campaign that exploited vulnerabilities within the SolarWinds® Orion® Platform. Essentially, the threat actors created a Trojan that masqueraded as an Orion software update and took advanced measures to evade detection.
We added new detection and protection content for this specific threat based on information and countermeasures disclosed by SolarWinds, the Cybersecurity & Infrastructure Security Agency (CISA) and FireEye, and we updated our customers in a third Threat Intelligence Advisory which also included a new list of actions pertaining to managing the SolarWinds risk.
Information sharing and live Q&A with customers
Threat intelligence is also about keeping customers informed. On December 17th, we hosted our webinar, which of course was now about both the FireEye breach and the SolarWinds exploitation. More than 200 customer attendees tuned in to hear a presentation by five of our threat intelligence security experts and ask important questions.
What we have observed so far
To this point, based both on active scans and retroactive examination of IOCs dating back many months (FireEye suggested that the attack might have begun as early as Spring 2020):
- We have observed multiple customers who have the Trojanized DLL—note that this does not mean they have been compromised (more on this below)
- We have observed the use of FireEye’s Red Team penetration testing tools
- We have not observed any successful malicious exploitation
- More than 50% of eSentire MVS customers have at least one of the 16 CVEs published by FireEye; in many cases, they have several
Looking ahead: the broader risk
The SolarWinds breach is significant and is deserving of the attention it has received. Part of the reason it has received so much attention is because of the nature and identity of the organizations that were compromised including government agencies and cybersecurity companies.
However, it must be duly noted that:
- These organizations were specifically targeted—as FireEye says, perhaps going back as far as Spring 2020
- Estimates put the total number of organizations that installed the Trojanized DLL at more than 18,000
And herein lies the broader risk of not operationalizing threat intelligence: now that the main damage has been done (i.e., surreptitious access to sensitive information for many months) and the cat is out of the bag (i.e., the exploits and IOCs are known), there is a very real chance that access to many of those 18,000+ organizations—perhaps hundreds or even thousands—will be listed and sold on the dark markets that serve as the hub of the cybercrime economy.
As we explored in our recent Threat Intelligence Spotlight, Defending Against Modern Ransomware: Lessons from the SunWalker Incident, a well-structured and highly specialized cybercrime ecosystem has emerged in which Initial Access Brokers sell computer access to organizations.
In doing so, they have lowered the barrier to entry for others in the value chain, as no exploitation skills are required to gain access even to high-value targets (just think of the organizations named so far in the SolarWinds revelations). The average price to purchase such access runs between $1,000 to $10,000 USD, but access to high-value organizations can sell for upwards of $500,000. The buyer—often a ransomware gang—is then free to do whatever they want, unless and until they are detected.
The importance of multi-signal detection
Faced with such threats, multi-signal detection is an absolute requirement for operationalizing threat intelligence. Just to drive home this point, here are a few other facts from the FireEye situation:
- FireEye’s investigation found that “this threat actor(s) likes to maintain a light malware footprint, preferring to use legitimate credentials and remote access into a victim’s environment”—meaning the opportunities for detection are limited
- FireEye’s investigation also found that “Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access”
- While eSentire introduced new esNETWORK detection rules mere hours after FireEye’s announcement, many endpoint protection providers lagged (not for lack of effort on their part; the nature of the IOCs simply favored network-based detection), and many new Managed Detection and Response (MDR) entrants focus on endpoint at the expense of other signals
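The two FireEye findings quoted above describe a pattern a log-based detector can look for: a remote-access session opened with one set of credentials, followed by internal logons from that same session using different accounts. The following is an added illustration, not eSentire’s esLOG content or FireEye’s own rule; the event format, the four-hour correlation window and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not real customer or FireEye data).
# kind "remote_access": account logged in over VPN from src and was assigned the
# internal client address in dst. kind "logon": account authenticated from the
# internal host src to the internal host dst.
SAMPLE_EVENTS = [
    {"ts": "2020-12-10T01:00:00", "kind": "remote_access", "account": "alice",
     "src": "198.51.100.9", "dst": "10.10.5.21"},
    {"ts": "2020-12-10T01:05:00", "kind": "logon", "account": "alice",
     "src": "10.10.5.21", "dst": "fileserver01"},
    {"ts": "2020-12-10T01:20:00", "kind": "logon", "account": "svc_backup",
     "src": "10.10.5.21", "dst": "dc01"},
    {"ts": "2020-12-10T01:35:00", "kind": "logon", "account": "admin_it",
     "src": "10.10.5.21", "dst": "hr-db01"},
    {"ts": "2020-12-10T02:00:00", "kind": "remote_access", "account": "bob",
     "src": "198.51.100.44", "dst": "10.10.5.30"},
    {"ts": "2020-12-10T02:10:00", "kind": "logon", "account": "bob",
     "src": "10.10.5.30", "dst": "fileserver01"},
    {"ts": "2020-12-10T09:00:00", "kind": "logon", "account": "contractor",
     "src": "10.10.5.21", "dst": "dc01"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_credential_switches(events, window=timedelta(hours=4)):
    """Flag internal logons whose account differs from the account that opened
    the remote-access session on the originating host within `window`."""
    findings = []
    sessions = {}  # most recent remote-access session per assigned address
    for event in sorted(events, key=_ts):
        if event["kind"] == "remote_access":
            sessions[event["dst"]] = event
            continue
        session = sessions.get(event["src"])
        if session is None:
            continue  # host not tied to a remote-access session; out of scope
        if _ts(event) - _ts(session) > window:
            continue  # session too old to correlate under this rule
        if event["account"] != session["account"]:
            findings.append({
                "ts": event["ts"], "remote_account": session["account"],
                "lateral_account": event["account"],
                "src": event["src"], "dst": event["dst"],
            })
    return findings
```

Run on the sample, the rule returns the two logons from alice’s session that used other accounts, while same-account activity and the logon outside the window are left alone; in practice the window and the set of accounts legitimately shared by a host need tuning per environment.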
And, as noted earlier, the specifics of these incidents are unique, but the general nature is familiar. Many security professionals will recall the Citrix Netscaler vulnerability from December 2019, which also required network-based signals for detection.
Detecting the FireEye IOCs and performing retroactive analysis employs signals across endpoints, logs, and network traffic
In summary: protect what you can, detect what you cannot protect
eSentire is the leader in Managed Detection and Response (MDR). In fact, this type of incident is why we invented MDR.
We have been here before—that’s part of what you get when you become an eSentire customer: a security partner who responds quickly, effectively and communicates often.
We see an evolving story like the FireEye and SolarWinds saga as a powerful validation of MDR.
But in a way, we also see it as a bit of a distraction. This is one of those 1 in 10,000 events that really makes everyone sit up and take notice, but it is important not to overlook the 9,999 that are quietly out there—that is the reality we deal with on behalf of our customers.
We know from experience that there is a good chance that access to compromised networks will turn up for sale in cybercrime markets; we know from experience that adversaries continually tweak their tools, techniques and procedures (TTPs).
That is why we never let down our guard and why we continually—24x7—operationalize threat intelligence and put it into action.
That is also why it is so important that organizations protect what they can—but some things cannot be sufficiently protected (whether because of zero-day attacks, resource limitations or simply the practical trade-off of security versus convenience). That is where detection and rapid time to containment becomes so critical, and where eSentire’s TRU team shines.
If you are not an eSentire customer, then we invite you to read about the SunWalker incident and ask yourself how you would have detected and responded to that attack—it is a worthwhile exercise that may prevent future disaster.
We encourage everyone to take this developing story as a reminder about:
- Detection, investigation and response capability across your ecosystem is as important as protection in an incident like this
- Multi-signal coverage is needed to defend against this type of attack. Being able to detect and respond to threats across your network, endpoints and cloud instances is essential when protecting your organization against this type of attack, as well as most advanced attacks
- Beyond signals, monitoring them and having the capability to respond rapidly is key
- The value of IT credentials (they were leveraged extensively and expertly in these successful breaches), and the need to keep your team members up to date about phishing, vishing and other social engineering techniques