What the Coronavirus Can Teach Us about SUNBURST


Posted on by Matt Radolec

Think back to January 2020. As COVID-19 cases ticked upward, the world watched and waited. Few predicted that as the months passed, we would be looking at millions of cases, countries on lockdown and supply shortages as businesses adjusted distribution models. Similarly, with SUNBURST, we’re at the beginning of what will be a very long road.

As we prepare for what lies ahead, it might be helpful to compare the attack to something we are all familiar with by now—the coronavirus pandemic.

First, it’s important to understand that every case is different. In a strange twist, the coronavirus wreaks havoc on many victims’ immune systems while leaving others asymptomatic. Similarly, with the SolarWinds SUNBURST attack, the attackers got in and established a foothold the same way, through a backdoor. But what they did (or didn’t do) afterward—from lateral movement, privilege escalation, stealing data and establishing further persistence—is different for every victim. Government agencies discovered they had been actively victimized for months, while others uncovered no evidence of further exploitation.

COVID-19 has been tricky, avoiding detection for several days after exposure to the virus. Like COVID-19, people must watch for unusual symptoms. With SUNBURST, affected organizations did not know if they’d been hit for months. Even if there’s no outward sign of attack, security pros must watch for subtle signs—unusual connections, domain changes or file system activity by SolarWinds service accounts. All should be investigated, especially anything related to sensitive data or systems.

Early missteps in COVID-19 mitigation included a lack of reliable and accurate testing—and as we now know, testing is critical. Just like testing reveals if they’re infected, they must examine their network’s health to determine which devices may have been compromised and how they may be at risk. Risk assessments provide a snapshot of current risk and can be a valuable tool to prioritize critical security issues and track progress. Follow-up risk assessments can help ensure people stay on track with their security milestones while making it easy to report progress to the management team. 

Throughout the COVID-19 crisis, lockdowns weren’t popular—but lockdowns work. When people quarantine in their homes and limit unnecessary trips and social activities, infections drop. Likewise, organizations may be quarantining their SolarWinds accounts and services—which is a good idea, but there may be nodes that are asymptomatic. They must also quarantine their most vulnerable—and sensitive—data. When organizations lock down their data to least privilege, damage is also limited because there’s less information for attackers to grab and steal.

Public health workers help track the spread of the virus by mapping anyone who has been in close quarters with an infected person. Contact tracing is a valuable tool to fight a pandemic. When it comes to cybersecurity, organizations can map and track user activity to understand which users may have been compromised by watching for suspicious activity, like an HR rep who starts logging in from a new IP address in the middle of the night when they typically stick to a nine-to-five schedule.

The coronavirus infects victims who typically go on to exhibit at least some of the signs from a long, but known, list of symptoms. Public health officials have told us to watch for known indicators. Similarly, attackers—who are almost always after data—will typically trigger a variety of alarms throughout the cyber-kill chain. No matter what techniques attackers use to gain access to an environment, establish persistence and perform reconnaissance and beyond, watching for suspicious end-user activity will tip the attacker’s cards in the security team’s favor.

Amid a crisis, it typically makes sense to leverage and build on existing resources and infrastructure. In the wake of SUNBURST, there has been speculation about whether organizations should burn down their networks and rebuild from scratch. But just as we wouldn’t burn down a hospital (after relocating all the patients, of course), and build it back brick by brick, destroying IT networks and systems isn’t practical. Backdoors can remain on files and folders in the network for months or years, like a ticking time bomb waiting to detonate and destroy anew.

In 2020, we were hit by two very different but devasting attacks—one in the physical world and one in the cyber realm. With SUNBURST, organizations will be unraveling the threads and uncovering details on victims, methods and motivations throughout 2021 and beyond. For security and IT pros, this will be a long road ahead. Old assumptions will be thrown out. Let’s travel with our eyes open.


Contributors
Matt Radolec

Vice President, Incident Response and Cloud Operations, Varonis

Hackers & Threats

hackers & threats application security endpoint security supply chain

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs