
How Behavioral Detections Actually Discovered the SolarWinds Orion SUNBURST Attack

Matt Alderman February 8, 2021

The SolarWinds Orion SUNBURST attack has been in the news for weeks. We’re starting to get good detail on the actual attack, especially since FireEye released the initial set of indicators of compromise. But the question I want answered is why no one discovered this attack before the breach was disclosed. What defenses are we missing to detect the next SUNBURST-style attack?

First, let’s start with the fact that this attack was very sophisticated. The attackers were extremely stealthy and used a lot of countermeasures to hide their tracks, most notably evading more traditional methods of security monitoring and detection, such as endpoint detection and response (EDR) and antivirus.

Organizations monitoring for signs of initial compromise would have had no luck detecting SUNBURST because, well… there was no initial compromise of the victim network in the traditional sense. The intruders arrived via a signed and verified source that already ran with elevated privileges: the SolarWinds Orion platform. Because the malicious code came in as a legitimate, trusted update, traditional signature-based detection is extremely difficult, if not impossible. Even some of the most advanced endpoint security solutions didn’t detect the attack until after the indicators of compromise were released. How would anyone have detected this attack?

We recently interviewed Matt Cauthorn, VP of Sales Engineering at ExtraHop, on Business Security Weekly to discuss why SUNBURST was so challenging to detect and to share some insights derived from network data that shed light on what the attackers were doing post-compromise. The bottom line: ExtraHop did see a 150% rise in suspicious behavioral detections during the attack. While the SUNBURST attackers took care to evade other tooling, they had no way of knowing that a network detection and response (NDR) solution was watching, which left their movement exposed and possible to defend against.
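To make the contrast between the two preceding paragraphs concrete, here is an added Python example written for this article; it is not code from ExtraHop, from SolarWinds, or from the podcast. It implements the simplest form of behavioral network detection: learn, per source host, which (protocol, destination, port) combinations it normally uses, then flag any combination that host has never used before. No hash, domain or IP indicator is consulted, which is why it still fires when a trusted, signed component starts acting out of character. The host names, the asset inventory, the domains and the three weeks of flow records are all constructed, and the sample is deliberately built so that the week-over-week rise in detections lands on the same 150% figure the article quotes.

```python
"""Behavioral (indicator-free) network detection over constructed flow records.

Added illustration for this article; not ExtraHop or SolarWinds code.
All hosts, domains, and traffic below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400  # seconds; timestamps are whole days for readability


@dataclass(frozen=True)
class Flow:
    """One connection or DNS query. For proto == 'dns', dst is the queried
    name; otherwise it is the peer host or IP (hypothetical record format)."""
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


# Hypothetical asset inventory; anything not listed is treated as external.
ASSETS = {
    "orion01": "server", "dc01": "server", "fileserver": "server",
    "switch-core": "device", "switch-edge": "device", "printer": "device",
    "ws-alice": "workstation", "ws-bob": "workstation",
}


def learn_baseline(history):
    """Per-source set of (proto, dst, dport) tuples seen in earlier traffic."""
    baseline = defaultdict(set)
    for f in history:
        baseline[f.src].add((f.proto, f.dst, f.dport))
    return baseline


def classify(flow):
    """Cheap triage label based only on asset roles and the service touched."""
    src_role = ASSETS.get(flow.src, "external")
    dst_role = ASSETS.get(flow.dst, "external")
    if flow.proto == "dns" and dst_role == "external":
        return "new_external_domain"
    if src_role == "server" and flow.dport in (445, 135, 3389, 5985):
        return "lateral_movement"  # a server reaching admin services is rare
    if dst_role == "external":
        return "new_external_peer"
    return "new_internal_peer"


def detect(flows, window_start, window_end):
    """Flag each (src, proto, dst, dport) used inside the window that the
    source never used before window_start. One alert per new combination."""
    baseline = learn_baseline(f for f in flows if f.ts < window_start)
    seen, alerts = set(), []
    for f in sorted(flows, key=lambda f: f.ts):
        if not window_start <= f.ts < window_end:
            continue
        key = (f.src, f.proto, f.dst, f.dport)
        if key[1:] in baseline[f.src] or key in seen:
            continue
        seen.add(key)
        alerts.append((f.ts // DAY, f.src, classify(f), f.dst, f.dport))
    return alerts


def rise_percent(before, after):
    """Week-over-week change in alert volume, as a percentage."""
    return (len(after) - len(before)) / len(before) * 100 if before else float("inf")


def build_sample():
    """Constructed three-week log: routine polling, two benign changes in
    week 2, and week 3 traffic where the monitoring server turns intruder."""
    flows = []
    for day in range(1, 22):
        t = day * DAY
        flows += [
            Flow(t, "orion01", "switch-core", 161, "snmp"),
            Flow(t, "orion01", "dc01", 389, "ldap"),
            Flow(t, "orion01", "updates.example.net", 53, "dns"),
            Flow(t, "ws-alice", "fileserver", 445, "smb"),
            Flow(t, "ws-alice", "mail.example.net", 53, "dns"),
        ]
        if day >= 9:   # benign change: a new switch is onboarded
            flows.append(Flow(t, "orion01", "switch-edge", 161, "snmp"))
        if day >= 12:  # benign change: a printer is deployed
            flows.append(Flow(t, "ws-alice", "printer", 9100, "raw"))
    # Week 3: post-compromise behavior from the trusted server (constructed)
    flows += [
        Flow(16 * DAY + 60, "orion01", "cdn-sync.example.org", 53, "dns"),
        Flow(16 * DAY + 120, "orion01", "203.0.113.10", 443, "https"),
        Flow(17 * DAY, "orion01", "dc01", 445, "smb"),
        Flow(17 * DAY + 30, "orion01", "fileserver", 445, "smb"),
        Flow(18 * DAY, "orion01", "ws-bob", 445, "smb"),
    ]
    return flows


def run():
    """Compare week 2 (benign drift) with week 3 (post-compromise)."""
    flows = build_sample()
    week2 = detect(flows, 8 * DAY, 15 * DAY)
    week3 = detect(flows, 15 * DAY, 22 * DAY)
    return week2, week3, rise_percent(week2, week3)


if __name__ == "__main__":
    w2, w3, rise = run()
    for alert in w3:
        print(alert)
    print(f"week2={len(w2)} week3={len(w3)} rise={rise:.0f}%")
```

Two things worth noticing when you run it. First, week 2 is not silent: the new switch and the new printer each produce one alert, so behavioral detection trades signature precision for coverage, and asset context (the `classify` step) is what keeps the queue workable. Second, the baseline is only as clean as the period it was learned from; if the learning window already contains the intruder's beacons and SMB sessions, they become "normal" and stop alerting, so retroactively checking when a server first contacted a destination matters as much as alerting on the day it happens.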

To see how ExtraHop and NDR can detect the next advanced attack, watch the interview on Business Security Weekly or visit securityweekly.com/extrahop for more information.

