computers displaying code

What Did the SolarWinds’ Hack Reveal About EDR Solutions?

Spoiler Alert: They ALL FAILED to do what they CLAIM they can do — detect and respond to any attack!

By TJ Tajalli, CEO, OnSystem Logic LLC

What Just Happened? On Dec. 13, 2020

SolarWinds acknowledged that hackers had inserted malware into a service that provided software updates (“patches”) for its Orion platform, a suite of products broadly used across the U.S. federal government and Fortune 500 firms to monitor the health of their IT networks. The hacking operation began at least as early as March when SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have.

We learned early on from SolarWinds that 18,000 organizations had downloaded the updates, exposing them to the malicious code. We have since learned through an unpdate from Microsoft President Brad Smith that a tiny sliver—possibly as small as 0.2 percent—of those organizations received a follow-on hack that used the backdoor to install a second-stage payload. The largest populations receiving stage two were, in order, tech companies, government agencies, and think tanks/NGOs. The vast majority—80 percent—of these 40 chosen ones were located in the US.

From others, we have learned about the work Microsoft has since done to stop further attacks and damage from this specific hack. We learned that Microsoft removed the digital certificates that the Trojaned files used to get into SolarWinds and, in so doing, literally overnight told all Windows systems to stop trusting those compromised files. As well, Microsoft updated Defender, the anti-malware capability built into Windows, to detect and alert if it found the Trojaned file on any system. They also sinkholed the domains that the malware uses for command and control (C2), thus cutting off communications to the command center, rendering the malware useless. Finally, they changed Defender’s default action for Solorigate from “Alert” to “Quarantine”, which may cause complete systems failure but will kill the malware in the process. We are led to believe that Microsoft, in the words of Steve King, “supplied the kill switch and took control over the malware’s infrastructure from the attackers.” A good thing, for now.

What Went Wrong and What Must We Learn from It?

While it’s true that there is much more to learn about both the hack itself and the impact of it on systems far and wide, and also true that we should be careful about diagnosing the problems and prescribing the fixes, it is certainly true that every Endpoint Detection and Response (EDR) solution deployed by each and every organization impacted FAILED TO DETECT AND RESPOND TO THE ATTACK!

Before focusing below on the why and how of this EDR failure, I want to note that none of the endpoint protection solutions deployed by the hacked organizations did what they claim they can do. They claim they can detect and respond to ANY type of attack via use of their extensive previous knowledge of attacks and their use of AI and other behavioral tools. Well, they ALL FAILED! None of them detected the attack, and none of them responded to it. That’s the news we must focus on to learn to do better.

Why did every EDR solution fail to detect and respond to the attack? And why isn’t this a big part of the news story?

Well, unsurprisingly, the first response to how to prevent this kind of hack from happening again is to argue to “do more of the same.” It’s what we do. We double down. In the cybersecurity world we respond to being compromised, to failing, by pointing out that we need to do more blocking and tackling. We need to do more user education and more monitoring, deploy more resources to fight back, etc. But these responses are not the full answer. And they do not address the catastrophic failure of EDR solutions to protect our applications and systems from the kinds of “obfuscated code” we saw here. It’s this failure to detect and respond to this type of attack that must be addressed asap.

Why do I believe the above? Well, I used to be responsible for the most widely used endpoint security software in the world, at the largest security company in the world. In my opinion, Microsoft Defender is arguably the best AV/EDR (Anti-virus/Endpoint Detection and Response) software on the market today. But, if Microsoft’s AV/EDR capabilities could and would STOP an attacker from exploiting their application software in the way we saw this week, they wouldn’t need to deploy a “Death Star” worth of weapons, as Steve King put it, to fight back. They would have simply said “yes, we see it, but we rendered it benign.” Turns out, they can’t say that, and in fact none of the market leaders in the AV/EDR space can say that. They all suffer from the glaring hole of being blind to what is happening INSIDE OF APPLICATIONS, which is where the majority of today’s successful security attacks are occurring and thriving, and exactly how this hack was deployed. As a customer of AV/EDR vendors, you are running multiple antivirus or EDR products on your organization’s endpoints but they ALL have this glaring hole. What you’re using today, regardless of the vendor you’ve chosen, while absolutely necessary, is unfortunately also absolutely insufficient, tragically insufficient, as we can now all see for ourselves.

Why haven’t the AV/EDR vendors been successful in closing this most important protection hole in their products? Because the technology required to stop these attacks is very complex and has not been a top priority for many of them. In addition, these antivirus companies derive much of their revenue by performing cleanup for their clients, after clients have suffered a cybersecurity event. They have simply lacked the incentive to solve the problem, but we’ve solved it! And now I need to tell you about it. And now, maybe, you are ready to listen.

Hello SolarWinds!

None of the endpoint security products you are familiar with or using today provides adequate protection against well-known or benign-looking applications doing operations they should never be doing.

Regardless of the AV/EDR claims, they DO NOT protect against:

  • Software security flaws that are only visible from INSIDE of affected software.
  • Hidden backdoors in good software.
  • Hidden malicious code inside benign-looking software.
  • Hidden malicious code inside trusted but compromised software.
  • Hidden malicious code inside of trusted software that resides in open source or other code used by that software.
  • General supply chain issues resulting from hidden malicious code inside of trusted software.

NOTE: THE MECHANISM THROUGH WHICH THE ABOVE MALICIOUS SOFTWARE WILL GET ON A SYSTEM IS NOT OF IMPORTANCE TO THIS DISCUSSION. Bad/misbehaving software could have gotten on the endpoint because of Phishing attacks, credential stealing, pictures, links, or other data files containing its bad payload, malicious Microsoft Office macros, or any other method. What is important, is to make sure that bad/misbehaving software CANNOT execute its damaging instructions no matter how hard it tries. This is the problem we have solved.

The concepts of self-defending software and contained applications must be applied, now.

Windows Endpoints (workstations, servers, physical, virtual, containerized or not) are the number one path through which sophisticated security products are fooled and bypassed today. The goal of any security system should be to STOP an attack at the earliest point instead of trying to, potentially, detect it and deal with it at some future time AFTER the damage has been done. So, given that ALL Windows endpoints run one or more next-gen antivirus and/or Endpoint Detection and Response products, why are successful attacks on the rise? Why aren’t your vendors successfully defending your endpoints? The answer is found here: ALL current next/current-gen AV/EDR products have an Achilles heel.

The defenses of ALL current next/current-gen AV/EDR products are built based on:

  • AI,
  • Signatures
  • Behavioral data of previously seen attacks

If they have not seen a particular attack mechanism or variation of it, they cannot contain a good application (e.g. white-listed, from reputable sources, etc.) if it has been compromised, or if it’s a bad one that may look benign but has bad intentions not visible outside of the application.

Does the above happen? YES.

Everyday. And we are all left asking, again, “given that ALL Windows endpoints run one or more next-gen antivirus and/or Endpoint Detection and Response products, why are successful attacks on the rise?” And remember, you don’t hear about most successful attacks. Many of them are simply not publicized. But now, SolarWinds has us all listening!

Which applications are we talking about? ALL of them.

EVERY good application on your system needs to self-defend and EVERY benign-looking application needs to be contained. A system that doesn’t do that will continue to suffer from this Achilles heel.

Most importantly any technology/product that claims to provide application self-defense and containment must have the highest level of self-protection, otherwise, the protection it provides to applications can and will be defeated by attackers.

Is there such a product on the market? Only one: OnSystem Defender. OnSystem Defender does not duplicate the functionality of your current AV/EDR system. It simply removes the Achilles heel of ANY AV/EDR system that you may be running. It solves the problem! OnSystem Defender allows each good application to learn its own most important valid behaviors — behaviors attackers will try to misuse. OnSystem Defender contains each benign-looking application so that it cannot perform dangerous operations from inside of the application in ways not visible to your AV/EDR systems. It does this without any previous knowledge of the application, changes to the application, user-visible behavior, performance impact, or additional administrator workload. In short, it is totally transparent and frictionless.

OnSystem Defender does not care how an attacker does its initial compromise of a system. The attack could have been initiated from:

  • Phishing email
  • Social media
  • Credential stealing
  • Flaw inside of a good/known application
  • Installation of a benign-looking application
  • Hidden backdoors inside of an application
  • Supply chain issue in the application code or one of its open source libraries
  • Any other mechanism

If the attack code cannot run, it cannot do damage. If it can run, it has the ability to:

  • Steal your data (e.g. ransomware)
  • Change your data
  • Move laterally to other systems and infect them
  • Hide in your system for months/years
  • Do an infinite number of other damaging actions

Can we prove OnSystem Defender works?

Yes, we can! OnSystem Defender has been successfully protecting early adopters for over 2 years. It is trivial to deploy and manage. It can run in detection or prevention mode with its complete self-protection always at work.

Frightened by what the SolarWinds hack has revealed? You should be.

The equivalent will happen again and again until you address it. This is why we started down a path to solve for just this weakness and now we want to help. See for yourself what difference REAL endpoint PREVENTION can make in today’s WFH environments and the peace of mind that you can enjoy by deploying the most capable endpoint security enhancement product on the market today. Instead of adding more analysts to handle the load created by an endless number of events created by your current AV/EDR product, add a product that will make your systems an order of magnitude more secure and eliminate the false positives, or after the fact issues, that your current AV/EDR products have or cause for you.