Secureworks Offers and the SolarWinds Supply Chain Attack
Intersecting Cybersecurity Software Solutions, Services and Threat Intelligence
By: Kyle Falkenhagen
Current Status of SolarWinds Research
The SolarWinds supply chain compromise was just one component of a sophisticated cyber espionage campaign that was active during mid-2020. The intent and narrow focus of the threat actor meant that, while thousands of organizations were impacted through the download of the trojanized SolarWinds code, only a very small number were ultimately targeted. However, new threat actors may use some of these tactics and techniques in the future, and as revelations around this campaign continue to emerge, we want our customers to be assured that our cloud-native security platform and services have their back.
What We Observed Across Our Customer Base
Since mid-December, we have described the actions we were taking and the key issues that stand out from what we have learned, and provided opportunities for customers to ask questions directly of our Secureworks Counter Threat Unit™ (CTU) and Chief Information Security Officer. This level of response is in our DNA: proactive Incident Response, ongoing context through CTU threat intelligence reporting, rapid updates of new indicators and countermeasures to our platform(s), and data analysis across multiple sources: endpoint, cloud, and network.
We continue to add coverage in the following areas of research, noting observations from our Incident Response and SOC teams’ investigations across both current and historical customer data. Our observations are consistent with industry comments on the narrow focus of the attack.
- FireEye tools – we deployed countermeasures but have seen no evidence of these tools being used against our customers.
- SolarWinds supply chain attack – many of our customers downloaded the trojanized SolarWinds code containing the SUNBURST backdoor, but we have seen no evidence of this access being leveraged by the threat actor to conduct further exploitation activity or deploy the Raindrop or TEARDROP malware.
- Other activity from the same actor – the supply chain compromise was just one (albeit very noisy) part of a broader campaign. We did identify evidence of credential abuse in cloud environments that likely leveraged on-premises intrusions where SolarWinds was not the route in.
- SUPERNOVA web shell activity – we have seen very limited evidence of targeting across our customer base, which we have assessed to be the work of a different threat actor leveraging vulnerable internet-facing SolarWinds servers rather than a supply chain attack.
Secureworks’ deep understanding of threat actor behavior and intent allowed us to leverage the data retained by the platform to help customers quickly assess any potential impact. Experts on our teams took what we were learning about the threat actor’s behaviors and conducted proactive threat hunts to look for these new behaviors across all Taegis™ XDR customers. For our ManagedXDR customers, those threat hunting playbooks are now baked into our standard service offering, and new detectors will be automated in the platform. And through timely access to applicable research and open Q&A, all customers were able to calibrate their own responses to this highly public news event. Secureworks CISO Ken Deitz also contributed to best-practice discussions on managing least privilege and managing supplier responses to security events.
The importance of the management of identity and cross-domain trust is further underscored in our recent CTU TIPS (Feb 2, 2021), which references an interview with Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), in which he states that approximately 30 percent of the victims linked to the SolarWinds supply chain compromise did not run the SolarWinds Orion software. Organizations should now add hardening Azure and other cloud implementations to their list of fundamental good security practices.
How Our Cloud-Native Platform Protects Customers
- Secureworks Taegis™ ingests and retains telemetry for one year, applying indicators of compromise and countermeasures out of the box and updated periodically throughout each day. Specifically:
  - Data from Microsoft 365, and Azure Active Directory in particular, was at the center of our investigations. The platform already ingests events from Azure AD, the Office Management API, and the Graph Security API.
  - Endpoint, network, and other cloud data sources enabled a broader view.
  - The ability to look back across the raw event and alert data for the last 365 days enabled our teams to review our customers’ data during the period of the attack.
  - SOC users can disable a user in Azure AD directly from our platform in response to an alert.
- Threat Advisories are included to provide context on threat actor intent and behavior, and are linked directly from alerts that have applicable indicators of compromise.
Activity related to this attack abused legitimate tools and escalated the privileges of illegitimate accounts rather than exploiting specific CVEs. VDR's risk-based prioritization helps customers stay focused and on track, responding first to the vulnerabilities that create the highest risk in their environment. The heightened public interest in these vulnerabilities is automatically factored into prioritization, but the risk is always subject to each organization's internal context, from which VDR continuously learns.
How Incident Response Protects Customers
- As with the SolarWinds disclosures, Secureworks Incident Response assists customers in understanding their risk, answering executive queries, and pragmatically resuming normal business operations.
- Secureworks quickly adapted IR toolsets to include learnings about SolarWinds-related tradecraft.
- Lessons learned from SolarWinds have been applied to proactive Incident Response capabilities, such as learning how identity management impacts resilience, and testing with an Active Directory Security Assessment to help customers validate that their identity management practices are secure.
Secureworks Has Your Back
As retrospective analysis emerges across the industry, rest assured that Secureworks will continue to put its unique combination of security expertise at your fingertips via our cloud-native security platform, Consulting Services, and Threat Intelligence. Keeping you ahead of the threat is what we do best, and SolarWinds is just one more example.
Additional resources on this topic:
- View the on-demand webcast, in which our Director of IR and CTU experts discuss insights and key takeaways from the SolarWinds incident.
- Secureworks’ Response to Recent Nation-State Cyberattacks
- Update on SolarWinds Threat: Identity is the New Perimeter