ExtraHop reveals methods used by attackers in SUNBURST breach
In the wake of the discovery of the SolarWinds SUNBURST breach, ExtraHop has released a report detailing the specific methods used by cyber-criminals involved in the incident to evade detection.
The network detection and response company says between late March and early October 2020, detections of probable malicious activity increased by approximately 150%, including detections of lateral movement, privilege escalation and command and control beaconing.
The use of these tactics meant more traditional detection methods, like endpoint detection and response (EDR) and antivirus, were not as effective. Attackers evaded these tactics either by disabling them or by redirecting their approach before they could be detected, according to ExtraHop.
“Unfortunately, what we found when investigating SUNBURST is that the activity was actually detected on the network,” says ExtraHop deputy CISO Jeff Costlow.
“But because other detection methods weren’t alerting on the activity, it largely went ignored. In this case, the attack was strategically designed to evade those detections, and we can expect more similar attacks to follow. It’s an important reminder that the network doesn’t lie.”
In its report, ExtraHop also revealed that significant increases in ‘suspicious’ network activity went largely unnoticed due to SolarWinds’ privileged and trusted status within the IT environment.
The report also found that many ExtraHop customers investigated and remediated the exploit within their own environments. The case studies include details on how customers were able to use historical metrics to determine the duration of the compromise, as well as which systems and data may have been impacted.
As part of the report, ExtraHop also released an expanded list of over 1,700 SUNBURST indicators of compromise (IOCs) as observed across affected environments protected by Reveal(x), critical information that can help organisations determine if and to what extent they’ve been compromised.
The report follows a significant announcement from ExtraHop: the opening of the company’s newest data centre facilities in Sydney, a move the company says was motivated by its desire to host its security offering locally.
“Organisations around the world are rethinking their approach to security as advanced threats like APTs and software supply chain attacks take a financial and reputational toll,” says ExtraHop Asia Pacific and Japan vice president David Sajoto.
He says the company provides machine learning-backed detection and response capabilities. These are delivered through ExtraHop Reveal(x) 360.
“[Our] commitment includes investing in the markets we serve to ensure that our customers have access to high-availability, low-latency security capabilities that meet local standards for data sovereignty and protection. This investment affirms our commitment to the region and our customers.”