Was SUNBURST really a Zero-day attack?


Most companies affected by the SolarWinds attack learned about it from the Department of Homeland Security. Wouldn’t it have been better for them to have learned from their MSP/MSSP before DHS came calling? With Stellar Cyber, you would have known right away.

The reason this breach was so successful was that the attackers leveraged a trusted source, the software vendor itself, to get their code installed inside the customer's network on the SolarWinds server through a legitimate product update. Structurally this is not that different from phishing or brute-force attacks that compromise trusted servers or users in order to deploy a tool kit. Once the code is running inside the network, the attackers carefully scan for additional devices, then begin to exploit the assets the scan turns up. Their ultimate goal is to find a database containing sensitive data that they can stage for exfiltration.

Taken individually, many of these actions would either
1) not trigger an alert at all, or
2) create multiple unrelated alerts.
What was missing was the correlation of events from many different data sources, to piece them together into a single, complete security event.

Once the SUNBURST attack was made public, Stellar Cyber simulated it in our lab within 12 hours of the announcement. Our Open XDR intelligent SOC platform identified the event immediately, using its native machine-learning detections to correlate the activity and detect this specific threat. It also used the tools already present in the environment to detect the lateral movement and the other significant actions taken by the attacker.

Another issue that made this event even more threatening is that the SolarWinds tool set keeps a complete inventory of every device in the environment together with its patch level. Once the server was compromised through the update, that inventory gave the attackers a roadmap to the other devices, so they knew in advance which exploits would succeed against which targets. It is the same strategy attackers used against other RMM vendors last year.

This use case also illustrates that, when moving your service beyond manual rules-based detection, not all machine learning solutions are created equal. Stellar Cyber does not simply ingest logs and attempt to make sense of them. We carefully extract the security metadata from each original log source, enrich every relevant field of that metadata with multiple sources of threat intelligence, and normalize the result into a single record format before it is analyzed. We then apply supervised, unsupervised, and adaptive ML models to detect deviations from normal and correlate them into actionable security events, enabling you to protect your customers BEFORE they hear from Homeland Security.
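As an added illustration of the correlation gap described earlier (individually uninteresting events from different sources) and of the normalize-then-enrich-then-correlate pipeline described in this section, the Python below parses constructed log lines from three unrelated sources (DNS resolver, firewall, database audit) into one common record format, tags them using a constructed threat-intelligence list, and correlates them by host within a time window. This is example code written for this page, not Stellar Cyber's platform and not any SolarWinds artefact; every IP address, domain, table name, threshold and log format is an assumption made up for the sample, and none of it is a real SUNBURST indicator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat intel: the domain is a placeholder, not a real indicator.
TI_DOMAINS = {"updates.example-c2.invalid": "c2_beacon"}
SENSITIVE_TABLES = {"customers", "payroll"}   # assumption for the sample environment
SCAN_THRESHOLD = 5          # distinct destinations from one source counts as a scan
WINDOW = timedelta(hours=2)  # how far apart chain stages may be and still correlate

# Constructed sample logs. 10.0.5.20 plays the compromised management server.
DNS_LOG = [
    "2020-12-13T02:14:10Z client=10.0.5.20 query=updates.example-c2.invalid type=A",
    "2020-12-13T02:14:11Z client=10.0.5.21 query=www.example.com type=A",
]
FIREWALL_LOG = [  # ts,src,dst,dport,action
    "2020-12-13T02:40:01Z,10.0.5.20,10.0.7.1,445,ALLOW",
    "2020-12-13T02:40:02Z,10.0.5.20,10.0.7.2,445,ALLOW",
    "2020-12-13T02:40:03Z,10.0.5.20,10.0.7.3,445,DENY",
    "2020-12-13T02:40:04Z,10.0.5.20,10.0.7.4,445,ALLOW",
    "2020-12-13T02:40:05Z,10.0.5.20,10.0.7.5,445,DENY",
    "2020-12-13T02:40:06Z,10.0.5.21,10.0.7.1,443,ALLOW",
]
DB_AUDIT_LOG = [
    '2020-12-13T03:05:30Z user=svc_monitor src=10.0.5.20 stmt="SELECT * FROM customers"',
    '2020-12-13T03:06:00Z user=app src=10.0.5.30 stmt="SELECT id FROM orders WHERE id=7"',
]

KILL_CHAIN = ["c2_beacon", "internal_scan", "sensitive_db_read"]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(dns, fw, db):
    """Parse each source into one common record: ts, source, host, stage, detail.

    'stage' is the enrichment result: a threat-intel hit, a scan-volume
    threshold, or a sensitive-table read. Most records stay unstaged (noise).
    """
    records = []
    for line in dns:
        ts, host, domain = re.match(r"(\S+) client=(\S+) query=(\S+)", line).groups()
        records.append({"ts": _ts(ts), "source": "dns", "host": host,
                        "stage": TI_DOMAINS.get(domain), "detail": domain})
    per_src = defaultdict(set)
    for line in fw:
        ts, src, dst, dport, action = line.split(",")
        per_src[src].add(dst)
        records.append({"ts": _ts(ts), "source": "firewall", "host": src,
                        "stage": None, "detail": f"{dst}:{dport} {action}"})
    # One denied SMB connection is noise; many distinct destinations is a scan.
    for r in records:
        if r["source"] == "firewall" and len(per_src[r["host"]]) >= SCAN_THRESHOLD:
            r["stage"] = "internal_scan"
    for line in db:
        ts, user, src, stmt = re.match(
            r'(\S+) user=(\S+) src=(\S+) stmt="([^"]+)"', line).groups()
        tables = set(re.findall(r"FROM\s+(\w+)", stmt, re.I))
        records.append({"ts": _ts(ts), "source": "db", "host": src,
                        "stage": "sensitive_db_read" if tables & SENSITIVE_TABLES else None,
                        "detail": f"{user}: {stmt}"})
    return sorted(records, key=lambda r: r["ts"])


def correlate(records):
    """Group staged records by host; two or more chain stages inside WINDOW form an incident."""
    by_host = defaultdict(list)
    for r in records:
        if r["stage"]:
            by_host[r["host"]].append(r)
    incidents = []
    for host, rs in by_host.items():
        first = rs[0]["ts"]
        inwin = [r for r in rs if r["ts"] - first <= WINDOW]
        stages = [s for s in KILL_CHAIN if any(r["stage"] == s for r in inwin)]
        if len(stages) >= 2:
            incidents.append({"host": host, "stages": stages,
                              "sources": sorted({r["source"] for r in inwin}),
                              "severity": "high" if len(stages) == len(KILL_CHAIN) else "medium"})
    return incidents


def incidents_from_sample():
    return correlate(normalize(DNS_LOG, FIREWALL_LOG, DB_AUDIT_LOG))


if __name__ == "__main__":
    for inc in incidents_from_sample():
        print(inc)
```

Run on its own, each source produces at most one low-interest observation: a single DNS lookup, a handful of SMB connections, a service account reading a table. None of those would page anyone, and a per-source rule would raise three unrelated alerts at best. Only after the three formats are flattened into one record shape and grouped by host does the sequence c2_beacon, internal_scan, sensitive_db_read appear on 10.0.5.20 as one high-severity incident; the two other hosts in the sample never cross the threshold.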