{"id":242453,"date":"2020-12-30T09:00:35","date_gmt":"2020-12-30T09:00:35","guid":{"rendered":"https:\/\/onsystemlogic.com\/?p=242453"},"modified":"2023-10-28T16:20:21","modified_gmt":"2023-10-28T16:20:21","slug":"what-did-the-solarwinds-hack-reveal-about-edr-solutions","status":"publish","type":"post","link":"https:\/\/onsystemlogic.com\/blog\/what-did-the-solarwinds-hack-reveal-about-edr-solutions\/","title":{"rendered":"What Did the SolarWinds\u2019 Hack Reveal About EDR Solutions?"},"content":{"rendered":"
SolarWinds acknowledged that hackers had inserted malware into a service that provided software updates (\u201cpatches\u201d) for its Orion platform, a suite of products broadly used across the U.S. federal government and Fortune 500 firms to monitor the health of their IT networks. The hacking operation began at least as early as March when SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have.<\/p>\n
We learned early on from SolarWinds that 18,000 organizations had downloaded the updates, exposing them to the malicious code. We have since learned through an update from Microsoft President Brad Smith that a tiny sliver\u2014possibly as small as 0.2 percent\u2014of those organizations received a follow-on hack that used the backdoor to install a second-stage payload. The largest populations receiving stage two were, in order, tech companies, government agencies, and think tanks\/NGOs. The vast majority\u201480 percent\u2014of these 40 chosen ones were located in the US.<\/p>\n
From others, we have learned about the work Microsoft has since done to stop further attacks and damage from this specific hack. We learned that Microsoft removed the digital certificates that the Trojaned files used to get into SolarWinds and, in so doing, literally overnight told all Windows systems to stop trusting those compromised files. As well, Microsoft updated Defender, the anti-malware capability built into Windows, to detect and alert if it found the Trojaned file on any system. They also sinkholed the domains that the malware uses for command and control (C2), thus cutting off communications to the command center, rendering the malware useless. Finally, they changed Defender\u2019s default action for Solorigate from \u201cAlert\u201d to \u201cQuarantine\u201d, which may cause complete systems failure but will kill the malware in the process. We are led to believe that Microsoft, in the words of Steve King, \u201csupplied the kill switch and took control over the malware\u2019s infrastructure from the attackers.\u201d A good thing, for now.<\/p>\n
While it\u2019s true that there is much more to learn about both the hack itself and the impact of it on systems far and wide, and also true that we should be careful about diagnosing the problems and prescribing the fixes, it is certainly true that every Endpoint Detection and Response (EDR) solution deployed by each and every organization impacted FAILED TO DETECT AND RESPOND TO THE ATTACK!<\/p>\n
Before focusing below on the why and how of this EDR failure, I want to note that none of the endpoint protection solutions deployed by the hacked organizations did what they claim they can do. They claim they can detect and respond to ANY type of attack via use of their extensive previous knowledge of attacks and their use of AI and other behavioral tools. Well, they ALL FAILED! None of them detected the attack, and none of them responded to it. That\u2019s the news we must focus on to learn to do better.<\/p>\n
Well, unsurprisingly, the first response to how to prevent this kind of hack from happening again is to argue to \u201cdo more of the same.\u201d It\u2019s what we do. We double down. In the cybersecurity world we respond to being compromised, to failing, by pointing out that we need to do more blocking and tackling. We need to do more user education and more monitoring, deploy more resources to fight back, etc. But these responses are not the full answer. And they do not address the catastrophic failure of EDR solutions to protect our applications and systems from the kinds of \u201cobfuscated code\u201d we saw here. It\u2019s this failure to detect and respond to this type of attack that must be addressed ASAP.<\/p>\n
Why do I believe the above? Well, I used to be responsible for the most widely used endpoint security software in the world, at the largest security company in the world. In my opinion, Microsoft Defender is arguably the best AV\/EDR (Anti-virus\/Endpoint Detection and Response) software on the market today. But, if Microsoft\u2019s AV\/EDR capabilities could and would STOP an attacker from exploiting their application software in the way we saw this week, they wouldn\u2019t need to deploy a \u201cDeath Star\u201d worth of weapons, as Steve King put it, to fight back. They would have simply said \u201cyes, we see it, but we rendered it benign.\u201d Turns out, they can\u2019t say that, and in fact none of the market leaders in the AV\/EDR space can say that. They all suffer from the glaring hole of being blind to what is happening INSIDE OF APPLICATIONS, which is where the majority of today\u2019s successful security attacks are occurring and thriving, and exactly how this hack was deployed. As a customer of AV\/EDR vendors, you are running multiple antivirus or EDR products on your organization\u2019s endpoints, but they ALL have this glaring hole. What you\u2019re using today, regardless of the vendor you\u2019ve chosen, while absolutely necessary, is unfortunately also absolutely insufficient, tragically insufficient, as we can now all see for ourselves.<\/p>\n
Why haven\u2019t the AV\/EDR vendors been successful in closing this most important protection hole in their products? Because the technology required to stop these attacks is very complex and has not been a top priority for many of them. In addition, these antivirus companies derive much of their revenue by performing cleanup for their clients, after clients have suffered a cybersecurity event. They have simply lacked the incentive to solve the problem, but we\u2019ve solved it! And now I need to tell you about it. And now, maybe, you are ready to listen.<\/p>\n
None of the endpoint security products you are familiar with or using today provides adequate protection against well-known or benign-looking applications doing operations they should never be doing.<\/p>\n
NOTE: THE MECHANISM THROUGH WHICH THE ABOVE MALICIOUS SOFTWARE WILL GET ON A SYSTEM IS NOT OF IMPORTANCE TO THIS DISCUSSION. Bad\/misbehaving software could have gotten on the endpoint because of phishing attacks, credential stealing, pictures, links, or other data files containing its bad payload, malicious Microsoft Office macros, or any other method. What is important is to make sure that bad\/misbehaving software CANNOT execute its damaging instructions no matter how hard it tries. This is the problem we have solved.<\/p>\n
Windows endpoints (workstations, servers, physical, virtual, containerized or not) are the number one path through which sophisticated security products are fooled and bypassed today. The goal of any security system should be to STOP an attack at the earliest point instead of trying to, potentially, detect it and deal with it at some future time AFTER the damage has been done. So, given that ALL Windows endpoints run one or more next-gen antivirus and\/or Endpoint Detection and Response products, why are successful attacks on the rise? Why aren\u2019t your vendors successfully defending your endpoints? The answer is found here: ALL current next\/current-gen AV\/EDR products have an Achilles heel.<\/p>\n
If they have not seen a particular attack mechanism or a variation of it, they cannot contain a good application (e.g. white-listed, from reputable sources, etc.) if it has been compromised, or if it\u2019s a bad one that may look benign but has bad intentions not visible outside of the application.<\/p>\n
Every day. And we are all left asking, again, \u201cgiven that ALL Windows endpoints run one or more next-gen antivirus and\/or Endpoint Detection and Response products, why are successful attacks on the rise?\u201d And remember, you don\u2019t hear about most successful attacks. Many of them are simply not publicized. But now, SolarWinds has us all listening!<\/p>\n
EVERY good application on your system needs to self-defend and EVERY benign-looking application needs to be contained. A system that doesn\u2019t do that will continue to suffer from this Achilles heel.<\/p>\n
Most importantly, any technology\/product that claims to provide application self-defense and containment must have the highest level of self-protection; otherwise, the protection it provides to applications can and will be defeated by attackers.<\/p>\n
What Went Wrong and What Must We Learn from It?<\/h3>\n
Why did every EDR solution fail to detect and respond to the attack? And why isn\u2019t this a big part of the news story?<\/h3>\n
Hello SolarWinds!<\/h3>\n
Regardless of the AV\/EDR claims, they DO NOT protect against:<\/h3>\n
The concepts of self-defending software and contained applications must be applied, now.<\/h3>\n
The defenses of ALL current next\/current-gen AV\/EDR products are built based on:<\/h3>\n
Does the above happen? YES.<\/h3>\n
Which applications are we talking about? ALL of them.<\/h3>\n