Every enterprise installs/uses software, applications, and agents these days, procured from well-established companies. These agents/apps run in enterprise devices and in the cloud and are implicitly trusted. But sometimes things go wrong – and it’s on the software supply chain side.
The recent Sunburst attack exploited just this premise. Essentially, hackers infected SolarWinds build machines with a trojan embedded in their software, which was then distributed to Solarwinds customers’ networks. You can learn more about this attack via the FireEye blog, but this was the general attack structure:
The signatures and detection mechanisms recommended by FireEye:
- IP Scan history, which shows IPs switching between default (WIN-*) hostnames and victim’s hostnames)
- HX’s LogonTracker module to graph all login activity and analyze systems displaying a one-to-many relationship between source systems and account,
- Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time
Challenges Introduced Due to Third-Party Software
These detection mechanisms, though necessary, are specific to Sunburst – and the Sunburst incident is not original or unique. Similar undetected problems potentially exist both in software products and agents over the last few years.
Every organization should create a program for dealing with software supply chain security, making sure that every app, device, and update has a focus on prevention, detection and fast reaction when a threat is identified. This need is complicated by weak links in defensive strategies or lack of planning, in particular:
- Organizations use many agents/services/devices managed by multiple departments. They need a central mechanism to identify all services/agents and the different devices running them to identify which are affected as the first step of incident response.
- Organizations primarily rely on signature-based detection, which is reactive. To be proactive, organizations should invest in detection focused on grouping devices based on the context to identify anomalies.
- Organizations may not have segmentation in place to quarantine or block devices running services that match the attack/infection. Context-driven policies that automate quarantine, blocking, or restricting access are part of a zero trust architecture.
- Organizations depend on access controls through IAM solutions. Focusing on post authentication behavior with tight context-driven access restrictions can restrict the spread of malware.
Consider the following control points from the earlier diagram.
Wootcloud’s HyperContext®️ with its powerful machine learning algorithms and policy engine can be used to detect and prevent highly evasive malware like the Sunburst and can represent the solution for eliminating weak links inside organizations.
A Single Source of Truth to Monitor Services/Agents
Wootcloud’s HyperContext provides easy-to-configure Mandatory Services Compliance (MSC). This Compliance service provides device discovery and identifies devices which run various services/agents. Wootcloud MSC has a unique device view of these services, and categorizes devices by corporate owned versus unmanaged assets. This lets you quickly identify and isolate devices running compromised services like Orion software, and becomes the central index for emergency response as well as for enforcement of day to day hygiene.
HyperContext for Zero-Day Threat Detection on Group Anomalies
HyperContext provides device fingerprints which include state information from physical, logical, operational, and locational touch points. HyperContext can be used to create custom labels and tags to group devices by functionality or other business use cases, for example grouping all corporate-owned Windows 10 laptops running a specific version of Solarwinds Orion software.
Once the grouping of devices is defined, the Machine Learning algorithm enters a learning phase where it establishes the normal behavior of those devices. For example, all the unique destination IPs originating from a laptop running Orion aggregated in 1 hour intervals. Once the learning is complete, the machine learning will start detecting anomalies. This detection includes generating anomaly scores with respect to the past behaviour of the same device and an anomaly score with respect to the past behaviour of other devices in the same group. Different anomaly events or alerts are generated if the anomaly score is more than a given threshold. WootCloud policy engine acts on these anomaly events to pass alerts and quarante the device using NAC or Firewalls.
Sunburst anomaly detections might be as follows:
- Anomaly detection when the malware attempts to resolve an unknown subdomain.
- Anomaly detection based on the normal time of operation for a group of devices.
- Anomaly detection based on a machine accessing a different machine in another group that it does not normally access, indicating lateral movement.
Policy-Driven Automation to Quarantine Sets of Devices
If Sunburst is detected or informed, the first step of remediation is to quarantine or block vulnerable devices from the rest of the organization. Then, when malware removal is complete, reinstating the former access in an automatic fashion. Continuing the example above, moving all Windows 10 devices that run a specific version of solarwinds into a quarantine VLAN, and back again once scrubbed. Automation is important to avoid the friction that comes with handling devices at a huge scale.
Policy Automation for Access Restrictions and Reinstatement
WootCloud provides a powerful context-driven policy engine that is easy to use, which helps in automation of security measures and remediation at a large scale. The HyperContext® fingerprints each device, then pushes zero trust policy direction to manage those devices to the NAC, firewall, AP, or switches. Automation and Analysis are two of the key pillars of managing a Zero Trust Network and the devices, and WootCloud provides the context and behavioral analysis that static network tools may miss.
Solar Winds estimated that over 18,000 organizations were affected by the Sunburst attack. The challenges of protecting against compromise that starts within your own network were exposed by this exploit are not going away. Many server-side attacks and virtual supply chain compromises have shown all of us that a Zero Trust approach to architecture combined with automated response plans are the right framework to approach security in a cloud-driven world without traditional perimeters.Constant vigilance and maintenance of assets and cyber hygiene is of paramount importance to uphold the pillars of Zero Trust. WootCloud HyperContext® helps organizations get visibility into all devices and services that could be a future vector of attack. With the device fingerprinting and automated containment, grouping and controlled access, organizations can stay current on all device risks and threats, and automate response as part of your recovery plans both during and after incidents.
Arun Kumar Dheena, Director Security and Network Engineering, WootCloud Inc.
Srinivas Akella, Founder, Chief of Products and Technology, WootCloud Inc.