
ExtraHop reveals methods used by attackers in SUNBURST breach

15 Feb 2021

In the wake of the discovery of the SolarWinds SUNBURST breach, ExtraHop has released a report detailing the specific methods the attackers behind the incident used to evade detection.

The network detection and response company says between late March and early October 2020, detections of probable malicious activity increased by approximately 150%, including detections of lateral movement, privilege escalation and command and control beaconing.

The use of these tactics meant more traditional detection methods, like endpoint detection and response (EDR) and antivirus, were less effective. According to ExtraHop, attackers evaded these controls either by disabling them or by changing their approach before they could be detected.
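The page does not describe how the network-side detections it credits (lateral movement, privilege escalation, command-and-control beaconing) actually work. The following is an added example, not ExtraHop's code and not a SUNBURST artefact: a simple periodicity check over per-host connection records that flags timer-driven traffic while leaving bursty, human-like browsing alone. The IP addresses, hostnames, thresholds and scoring are assumptions, and the connection log is constructed.

```python
"""
Periodicity check for command-and-control beaconing over connection records.
Added illustration only: thresholds and scoring are assumptions, not
ExtraHop's detection logic, and the sample log below is constructed.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample log: (unix_timestamp, src_ip, dst_host). Not real traffic.
SAMPLE_CONNECTIONS: List[Tuple[int, str, str]] = (
    # host 10.0.0.5: roughly every 300 s, with jitter, to a single destination
    [(t, "10.0.0.5", "update.example.invalid")
     for t in (0, 300, 590, 902, 1207, 1502, 1820, 2108, 2409, 2718, 3012, 3318)]
    # host 10.0.0.9: bursty, human-like browsing to a single destination
    + [(t, "10.0.0.9", "news.example.invalid")
       for t in (5, 40, 41, 200, 950, 951, 952, 1300, 2100, 2105, 3000)]
    # host 10.0.0.12: too few connections to judge either way
    + [(t, "10.0.0.12", "cdn.example.invalid") for t in (100, 400, 700)]
)


def interval_stats(timestamps: List[int]) -> Tuple[float, float]:
    """Return (median inter-arrival time, dispersion) for a list of timestamps.

    Dispersion is the median absolute deviation of the inter-arrival intervals
    divided by their median: close to 0 for a timer with modest jitter, close
    to 1 for irregular human traffic. Robust statistics are used so that a few
    missed or retried beacons do not mask the underlying period.
    """
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    med = median(intervals)
    if med <= 0:
        return 0.0, float("inf")
    mad = median(abs(i - med) for i in intervals)
    return med, mad / med


def find_beacons(connections: List[Tuple[int, str, str]],
                 min_events: int = 8,
                 max_dispersion: float = 0.15) -> List[Dict]:
    """Flag (src, dst) pairs whose connection timing looks like a beacon timer.

    min_events and max_dispersion are assumed tuning values; real deployments
    would baseline them per environment.
    """
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)

    flagged: List[Dict] = []
    for (src, dst), ts in sorted(by_pair.items()):
        if len(ts) < min_events:
            continue  # not enough samples to call periodicity
        med, dispersion = interval_stats(ts)
        if dispersion <= max_dispersion:
            flagged.append({
                "src": src,
                "dst": dst,
                "events": len(ts),
                "median_interval_s": med,
                "dispersion": round(dispersion, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections, "
              f"~{hit['median_interval_s']:.0f}s period, dispersion {hit['dispersion']}")
```

Run stand-alone, the script reports only the 10.0.0.5 pair. The point the example makes is the one the article attributes to ExtraHop: a beacon that an endpoint agent never sees, or that has disabled the agent, still leaves a timing signature in connection metadata, and that signature can be recovered from historical records after the fact.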

“Unfortunately, what we found when investigating SUNBURST is that the activity was actually detected on the network,” says ExtraHop deputy CISO Jeff Costlow.

“But because other detection methods weren’t alerting on the activity, it largely went ignored. In this case, the attack was strategically designed to evade those detections, and we can expect more similar attacks to follow. It’s an important reminder that the network doesn’t lie.”

In its report, ExtraHop also revealed that significant increases in ‘suspicious’ network activity went largely unnoticed due to SolarWinds’ privileged and trusted status within the IT environment. 

The report also found that many ExtraHop customers investigated and remediated the compromise within their own environments. Its case studies describe how customers used historical network metrics to determine how long the compromise had lasted, and which systems and data may have been affected.

As part of the report, ExtraHop also released an expanded list of over 1,700 SUNBURST indicators of compromise (IOCs) as observed across affected environments protected by Reveal(x), critical information that can help organisations determine if and to what extent they’ve been compromised.

The report follows a significant announcement from ExtraHop: the opening of the company’s newest data centre facilities in Sydney, a move the company says was motivated by its desire to host its security offering locally.

“Organisations around the world are rethinking their approach to security as advanced threats like APTs and software supply chain attacks take a financial and reputational toll,” says ExtraHop Asia Pacific and Japan vice president David Sajoto.

He says the company provides machine learning-backed detection and response capabilities. These are delivered through ExtraHop Reveal(x) 360.

“[Our] commitment includes investing in the markets we serve to ensure that our customers have access to high-availability, low-latency security capabilities that meet local standards for data sovereignty and protection. This investment affirms our commitment to the region and our customers.”
