The SolarWinds supply chain attack that came to light towards the end of 2020 was a serious breach that gave attackers unauthorized access to IT systems worldwide. Most people reading this blog will be aware of the SolarWinds attack and how it has shaped security and security thinking in 2021. For anyone who is not, this Microsoft microsite has linked overviews, as does this page on the SolarWinds site.
The SolarWinds supply chain attack gave attackers admin access to SolarWinds customers' systems. Many of those customers were Managed Service Providers (MSPs), which in turn held admin access to IT systems in thousands of downstream organizations.
The SolarWinds attack was used as an entry point to deploy malware on many network systems. Attackers used the breach to install malware variants such as Sunburst and Teardrop. Investigations are ongoing, and other malware variants may have been deployed on some systems through this supply chain attack.
How can organizations defend against this and other supply chain attacks where third-party suppliers can access your systems for legitimate reasons? Removing access is probably a step too far as the disruption to business processes will increase costs and reduce productivity. It’s probably best to assume that cybercriminals will breach defenses at some point and then plan for how to detect them. Using anomaly detection tools such as Flowmon Anomaly Detection System (ADS) is a great way to detect suspicious behavior on your network, whether due to cybercriminal activities or simply due to configuration mistakes or other infrastructure problems.
The Kemp Flowmon Anomaly Detection System is a machine learning-based solution that monitors networks in real time to detect the anomalous network activity that unauthorized users generate. It uses over 40 detectors for various attack activities and methods, combined with over 200 algorithms that use heuristics, machine learning, and other techniques to analyze the data the detectors collect. See here for more details about how ADS works.
Kemp ADS includes the known indicators of compromise (IoC) that a Sunburst infection on the network generates. If a supply chain attack, or another entry method, has allowed cybercriminals to deploy Sunburst undetected, ADS will detect its activity and alert systems administrators. The same is true for many other known malware variants.
But what about unknown and new malware and other attack types? Can ADS help detect and mitigate those? Yes, it can.
As outlined on the ADS page, the solution uses machine learning, baseline heuristics, and more to learn what normal network patterns look like. When cybercriminals deploy and activate malicious software, ADS spots the resulting changes in network activity and raises an alert. A summary of what ADS can detect once cybercriminals have gained access to a network is listed below.
Discovery activity – attackers use network discovery via Port Scanning, ARP Scanning, or Vertical TCP SYN scans to find other systems when they gain a foothold on a network. ADS detects this activity quickly when it starts.
Lateral movement – attackers often use Remote Desktop Protocol (RDP) to jump to other systems on a network. They often use large password lists to try to guess logons for other systems. ADS includes tools to detect the failed login attempts this process generates.
Data collection – when systems are compromised, attackers often install key loggers and other silent data collection tools to capture all the input to systems. They often hide this data in regular network traffic packets when sending it out to their collection servers on the Internet. ADS detects this anomalous data transfer in packets that don’t usually carry data payloads.
Command & Control detection – most ransomware attacks, and malware more generally, communicate with command & control servers that belong to the attackers. ADS uses industry-wide reputation lists for servers on the Internet to monitor the destination address of all outgoing traffic and stops any traffic to destinations that are not on the allowed list.
Data exfiltration – in addition to the detection of hidden data in unusual network packet types as outlined above, ADS can also detect outflows of other data that are unusual. For example, large data transfers that are often a prelude to ransomware encryption.
Ransomware encryption in progress detection – ADS can also detect suspicious Samba protocol activity on the network. Elevated Samba traffic is an indicator that ransomware encryption is in progress.
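As an added illustration (not Flowmon's own code or detection logic), here is a toy flow-based detector for two of the behaviours listed above, vertical TCP SYN scans and RDP logon bursts, run over constructed NetFlow-style records; the record layout and thresholds are assumptions.

```python
"""Toy flow-based detectors for two behaviours described above:
a vertical TCP SYN scan (one source probing many ports on one host)
and a burst of short RDP flows (the footprint of repeated failed logons).
Sample flows are constructed; thresholds are hypothetical."""
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dst_port, tcp_flags, packets, bytes)
SAMPLE_FLOWS = (
    [("10.0.0.5", "10.0.0.20", p, "S", 1, 60) for p in range(1, 41)]   # SYN-only probes to 40 ports
    + [("10.0.0.7", "10.0.0.20", 443, "SA", 120, 98000)]                # normal HTTPS session
    + [("10.0.0.5", "10.0.0.30", 3389, "SA", 8, 1600) for _ in range(25)]  # 25 short RDP flows
    + [("10.0.0.9", "10.0.0.30", 3389, "SA", 900, 4_000_000)]            # one long legitimate RDP session
)


def detect_vertical_syn_scan(flows, min_ports=20):
    """Flag (src, dst) pairs that sent SYN-only, near-empty flows to many distinct ports."""
    ports = defaultdict(set)
    for src, dst, dport, flags, packets, _ in flows:
        if flags == "S" and packets <= 2:          # no handshake completed, one or two packets
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_rdp_login_burst(flows, min_attempts=10, max_packets=20):
    """Flag (src, dst) pairs with many short-lived RDP flows; a real session is long-lived."""
    attempts = defaultdict(int)
    for src, dst, dport, _, packets, _ in flows:
        if dport == 3389 and packets <= max_packets:
            attempts[(src, dst)] += 1
    return {pair: n for pair, n in attempts.items() if n >= min_attempts}


if __name__ == "__main__":
    print("SYN scans:", detect_vertical_syn_scan(SAMPLE_FLOWS))
    print("RDP logon bursts:", detect_rdp_login_burst(SAMPLE_FLOWS))
```

In a real deployment the thresholds would come from a learned baseline per host rather than fixed constants, which is the part the page attributes to ADS's machine learning.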
These are only a subset of what ADS can do. Still, these activities and others outlined on the ADS page will detect anomalous activity on the network and allow investigation and elimination of any cybercriminal activity.
Supply chain attacks like the SolarWinds one will continue to happen. Giving third parties access for system administration and line-of-business integration is simply too convenient to give up. There are mitigating steps that organizations can take to reduce the risks associated with this access. However, it's best to assume that an attacker will find a way to use that access to breach security at some point. Deploy Flowmon Anomaly Detection System, and you will quickly detect any breaches and can eliminate them before they do damage.