Navigate Aftermath of SolarWinds Attack With On-Demand Resources 

The SolarWinds cybersecurity breach, also known as Sunburst, has made global headlines for its duration, impact, and high-profile targets. After going undetected for months, the news in December 2020 of the nation–state attack was the holiday surprise no one wanted. 

CRITICALSTART takes a closer look at the SolarWinds breach through two January information sessions, both available on demand: 

• Threat Briefing: What to Know and Do About the SolarWinds Attack. Travis Farral, Chief Information Security Officer – MDR at CRITICALSTART, walks through details of the attack and provides recommended actions not only for SolarWinds customers, but any organization that wants to detect and prevent such attacks.  

• SON OF A BREACH! Cybersecurity Podcast. Hosted by CRITICALSTART CTO, Randy Watkins, this first episode looks at both the technical aspects of the SolarWinds attack, as well as broader policy implications of these types of nation-state attacks. Adding expert commentary, are guests: Ben Johnson, CTO and co-founder of Obsidian Security, and Quentin Rhoads-Herrera, director of Professional Services and leader of TEAMARES at CRITICALSTART.  

Podcast Guest Ben Johnson: ‘Internet Is a War Zone’ 

In the SON OF A BREACH! podcast, Watkins describes Sunburst, at a high level, as a supply chain attack against SolarWinds to use their software and update mechanism to distribute a backdoor DLL file. 

“The compromised DLL was distributed to about 18,000 SolarWinds customers, of which we have 40 to 50 confirmed post-compromise activity breaches. Of those organizations, a lot of them are government entities, so this definitely points toward nation–state sponsored activity,” Watkins says. 

Calling the attack a “very significant lesson,” guest Ben Johnson goes further, stating, “The internet’s a war zone, and we need to call it that. …We just have to make sure people understand what the risks are, and how to better protect (themselves), whether it’s personal or professional.” 

Johnson says the implications of Sunburst are waking people up to several key questions to ask, including how to monitor, respond, and triage for these types of attacks.  

“It’s creating a recognition around monitoring, change control, the complexity of the environment, and vendor risk,” Johnson says. He urges organizations to take these considerations much more seriously while building out initiatives or adding new vendors. 

Johnson believes we will continue learning about the scope of this type of supply chain attack for the next several months. “We’re going to have to step back and really consider how we segment or compartmentalize risk. ...It’s hard enough to do for a startup or a small company, let alone a massive, complex enterprise. I think we’ll see a bigger consideration around those ideals of segmentation and compartmentalization.” 

He calls for better partnership between the government and the private sector, saying, “Companies need better support in defending their environments, better intelligence, better guidance, maybe some subsidization of fees or tax breaks if they have better cybersecurity. …I think there can be a lot of opportunity here.” 

Rhoads-Herrera: ‘This Was a Slow, Methodical Attack Process’ 

CRITICALSTART’s Rhoads-Herrera calls the SolarWinds attack extremely complex, noting, “This one was a very slow, methodical attack process, which we usually see with nation–state type of attackers.”  

Discussing the techniques, the SolarWinds attackers used, Rhoads-Herrera says, “The type of targets they went after, the skill level that was used, the type of implementations of bypassing certain things, looking for processes running to ensure their malware didn’t get caught – those are all indicative of highly skilled attackers.” 

In the podcast, Watkins also asks him what approaches customers can use in their own environments to help prevent future such attacks from impacting them.  

“One of the most popular controls I’ve seen used by some of our customers…is being able to baseline metrics,” Rhoads-Herrera says. “Understanding what is happening within your infrastructure, what’s going out of your infrastructure, is critical. And you don’t need a new tool to do that.” 

Rhoads-Herrera and TEAMARES are helping customers who want to learn more about the SolarWinds attack or any breach in general. The Blue Team has provided services including threat hunting and compromise assessment to several customers who have the backdoored SolarWinds product.  

“We found most of them have the backdoor DLL, but nothing actually happened post that,” Rhoads-Herrera says. “But we did find…a few of them do have other compromises that have happened in the past and that nobody noticed. We’re offering advice to pretty much anybody who reaches out to ensure they understand the best practices they can follow.” 

Threat Briefing: SolarWinds Attack Likely Holds More Twists and Turns 

CISO-MDR Travis Farral, highlights several aspects of the SolarWinds breach in our January Threat Briefing, noting the attackers went to great lengths to be stealthy. Their techniques included a two-week dormancy period, adopting SolarWinds naming conventions and coding standards to make their added code blend in, and using encoding and other techniques to conceal malicious activities in the code. 

Impacted organizations include FireEye, US Treasury Department, US Commerce Department, Department of Homeland Security, and several other government entities. 

Farral notes most organizations with the SolarWinds Orion backdoor haven’t observed activity using it, but “there are likely twists and turns that remain ahead in this.” He summarizes three services CRITICALSTART offers for customers concerned about the attack: 

• Compromise Assessment Service – Targets specific indicators of compromise to find any evidence of a breach. 
• Incident Response Service – Responds to any signs of malicious activity, whether or not related to Sunburst. 
• Managed Detection and Response – Designed to detect and resolve every alert.  

“We’re there to be those eyes on glass, 24/7,” Farral says. “The attackers may have been very stealthy in the way they got in, but once they get hands on keyboard, they’re going to be doing things internally that are abnormal and aren’t going to look right. … That’s where managed detection and response can help.” 

Want to learn more about the SolarWinds attack or breaches in general?  Contact us today. 

Additional Resources: 

• How To Reverse Engineer the SolarWinds Hack 
• Sunburst: A Week in Review 
• Learn more about CRITICALSTART‘s TEAMARES 
• Dive into Infosec Reborn, a new playbook to understand, adapt, and overcome in the hyper-sophisticated threat environment of today’s world. 
• See how Managed Detection and Response services boost the value of a traditional Security Operations Center. https://www.criticalstart.com/buy-vs-build/