Now is the time for XDR - Extended Detection & Response
On January 26th, during his first conversation with Vladimir Putin since taking office, President Biden raised the topic of the massive SolarWinds cyber-attack, often blamed on Moscow. The intent according to the white house spokeswoman was to make clear that the US will act firmly in defence of national interests in response to malign actions coming from Russia.
Still fresh in our minds is the image of the US Capitol building assaulted by a mob of Trump supporters, who’s intentions, while not entirely clear, were obviously malicious. The fall-out of that incident is far from over, as stronger security measures, more prosecutions, and new legislations will ensue for years yet.
But why should President Biden be more concerned with Cyberattacks and issue a warning to those that support or sponsor attackers? First, we should recognise that cyberattacks are not as impressionable as insurrections; there is no live footage during the breach and no selfies once the offenders are within the premises. Nonetheless, the damages from the SolarWinds cyberattack are potentially far greater than those of the Capitol Hill riot. The backdoor installed by the Sunburst malware during a SolarWinds update has given the hackers months of access to internal email accounts in at least a dozen U.S. federal agencies, including the Treasury, Homeland Security and Commerce departments.
Similar to the Capitol Hill riots, the intentions of the SolarWinds attackers are not entirely clear. They were in a position to launch massive disruptions to public and private sectors, and they can surely still make use of exfiltrated data to the advantage of states of few scruples or for financial gain. Was it only a warning shot, a mere indication of the havoc to come? Or were they in awe of their feat, much like the rioters on Capitol Hill seen gawking at the surroundings while roaming the hallways of power following their breach of the police lines.
At an international level, this incident should be a bolt of lightning, a stimulus to action to adopt a more effective and global strategy to protect against cyberattacks, a collective response that ensures such serious violations incur tangible penalties. The blog of Microsoft’s president Brad Smith puts this need to act most clearly:
Apart from recognizing that such assaults are alarming and advocating for a global response, what can you do concretely to protect your company’s data and systems? Clearly the attack surface is more extensive and more amorphous than we picture. The tools and techniques at the disposal of attackers are more sophisticated than we thought possible. The patience, stealth and determination of the attackers is most disconcerting. The Sunburst backdoor was used very selectively, even though it could be used to download any binary that the hackers wanted.
Our advice is the following: start by accepting that breaches are guaranteed to happen. Your focus should be on detection and response, not in erecting a supposedly unbreachable wall. Traditional security solutions aren’t enough and can, in fact, be manipulated by attackers. We know that Intrusion Detection Systems depends on signatures, which means security analysts must know about and have a signature for the attack in order to see and stop it. Similarly, Endpoint Detection and Response systems works great for endpoints, but only covers that specific vector. Because the SolarWinds breach was a network-based attack, EDR alone could not adequately address that threat.
Detection inside your network is required: this detection can’t be based on signatures, nor can it use off-the-shelf ML techniques. It must include learning behaviour models that understand both hosts and identities, using metadata from the network. The network must include the entire ecosystem of hybrid, on-premise, and cloud connectivity. Second, you should be collecting and analysing more information about the identity base attacks and anomalies related to the use of credentials with a regular baseline.
The Vectra platform collects, detects and prioritizes high-fidelity alerts in real time and responds with automated enforcement or alerts to security personnel. Security teams use this information for threat hunting and retrospective investigations via a subscription service. To build customized security analytics, Vectra enriches and streams the data to SIEMs and data lakes. Although the malware strains will vary, the behaviours related to attacks have been consistent: network reconnaissance for user accounts and passwords, followed by lateral movement to targeted systems with privilege escalation.
Crowdstrike’s EndPoint Protection offering allows customers to view the overall health of an endpoint with a single metric. Administrators easily drill down to view Falcon sensor and OS configuration settings on specific endpoints along with recommendations to improve security posture. Falcon Identify Threat Protection reduces time to detect by viewing live authentication traffic, which expedites finding and resolving incidents. Falcon ITD provides continuous multi-directory visibility into the scope and the impact of access privileges for identities across Microsoft Active Directory (AD) Azure AD, and cloud single sign-on (SSO) solutions.
The offering can be augmented with Falcon OverWatch, an elite team that hunts relentlessly to halt the stealthiest, most sophisticated threats, or a service that includes incident response and forensic analysis services that are designed to help your organization understand whether or not a breach has occurred, and to respond and recover from a breach with speed and precision to remediate the threat. CrowdStrike’s team of experts can work with your security staff to simulate attacks that test your organizational readiness and provides detailed feedback and improvement suggestions to enhance your security posture. CrowdStrike has been supporting SolarWinds in its investigation and root cause analysis of the events that led to the inclusion of unauthorized malicious code into its build cycle.
Together Vectra Cognito and Falcon Insight integrate two authoritative views of a cyberattack – the network and the endpoint. Cognito analyses all network, cloud, and IoT traffic to automatically detect attack behaviours and compromised accounts and prioritizes each one based on the risk they pose. Host identifiers and other host data from Falcon Insight are shown automatically in the Cognito UI to enrich Vectra’s detection information from the network perspective. A single click allows security teams to easily pivot between the Cognito UI and the Falcon Insight UI for the same host or to securely connect directly to the host using the Falcon Insight response capability.
Undeniably the Corona virus will be with us a while, and we must learn to live with it. Similarly, security breaches are inevitable and we must learn to live with this ongoing threat. Forget the notion that we can prevent all intrusions; but instead adopt the attitudes and the tools that will help detect and remediate attacks. WIRD provides next generation XDR solutions from Vectra AI and CrowdStrike that are an important step in that direction.
Latest evidence of the source of the SolarWinds attacks. https://www.wired.com/story/solarwinds-russia-hackers-turla-malware/
Crowdstrike analysis of the SunBurst malware: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
Vectra analysis of the exploit: https://www.vectra.ai/blogpost/solarwinds-what-you-need-to-know-about-it-and-what-you-can-do
US cybersecurity agency response: https://www.politico.com/news/2020/12/14/massively-disruptive-cyber-crisis-engulfs-multiple-agencies-445376