The SolarWinds Orion SUNBURST attack has been in the news for weeks. We're starting to get good detail on the actual attack, especially since FireEye released the initial set of indicators of compromise. But the question I want answered is why nobody discovered this attack before the breach was disclosed. What defenses are we missing to detect the next SUNBURST-style attack?
First, let's start with the fact that this attack was very sophisticated. The intruders were extremely stealthy and took a lot of countermeasures to cover their tracks, most notably evading the more traditional methods of security monitoring and detection, such as endpoint detection and response (EDR) and antivirus.
Organizations monitoring for signs of an initial compromise would have had no luck detecting SUNBURST because, well... from the victim's point of view there was no initial compromise. The intruders came in through a signed, trusted source that already ran with elevated privileges: the SolarWinds Orion platform itself. Malicious code that arrives as a legitimately signed vendor update makes traditional signature-based detection extremely difficult, if not impossible, because there is no known-bad signature to match and the code passes every trust check. Even some of the most advanced endpoint security solutions didn't detect the attack until after the indicators of compromise were released. So how could anyone have detected it?
We recently interviewed Matt Cauthorn, VP of Sales Engineering at ExtraHop, on Business Security Weekly to discuss why SUNBURST was so challenging to detect, and to share some insights derived from network data that shed light on what the attackers were doing post-compromise. The net result is that ExtraHop did see a 150% rise in suspicious behavioral detections during the attack. While the SUNBURST operators took care to evade other tooling, they had no way of knowing that a network detection and response (NDR) solution was watching, which left their post-compromise movement exposed and gave defenders something to act on.