SUNBURST, Supply Chain Attacks and How to Detect Them

February 26, 2021

• The stealth and sophistication of the recent SolarWinds Orion SUNBURST supply chain attack was alarming, in no uncertain terms, but supply chain attacks in general are as well-known as they are formidable.
• This guest post from Sri Sundaralingam of ExtraHop identifies some common supply chain hack elements and explains how to discover and stop them in the early stages.

What is a supply chain attack?

A supply chain attack is a particular type of hack that seeks to gain access to protected information or damage an organization by targeting less secure elements in the supply chain, such as third-party vendors or software.

Supply chain attacks have been used against organizations and government entities for many years. From the high-profile 2010 Stuxnet attack on Iranian nuclear centrifuge control systems to the 2020 SolarWinds SUNBURST backdoor Trojan attack, these highly sophisticated hacks have caused substantial losses and/or setbacks for the victims, as well as significant reputational damage.

Successful, highly damaging supply chain attacks often have many of the following elements in common:

What makes us vulnerable?

Over the past 10 years, much has changed across the IT landscape, yet many basic security challenges stubbornly remain. Cloud adoption has outpaced even some optimistic predictions as organizations choose to outsource their data centers to improve focus on core business initiatives. As opportunities for businesses to innovate in the cloud continue to unfold, they create an equally large number of new targets for attackers to pursue.

As cloud adoption has increased, DevOps has also found ways to accelerate the deployment and development of cloud workloads. In the process, they may neglect security and expose potential attacker footholds.

Finally, widespread use of open source software has ushered in a new era of ease and cost reduction in cloud application development while also increasing the risk of vulnerabilities (unintentional or otherwise) in cloud workloads. Wisely, cloud providers have chosen to “share” responsibility for security in the cloud with their customers.

The SolarWinds SUNBURST exploit

We don't yet fully know the origin and number of attackers involved in the SolarWinds SUNBURST exploit. But we do know their techniques were highly sophisticated, involved a number of steps, used both customized software and tools existing in the environment and resulted in data exfiltration and other damage. More troubling is the nine months or more of dwell time the attackers enjoyed. However, there’s a silver lining. Each step in a multistep supply chain attack offers an opportunity to discover and stop intruders.

Tools that can't be detected

What defenders need is a sophisticated and stealthy security toolset that can adapt and keep pace with the latest attack techniques. Fortunately for them, those solutions are within reach.

For example, network detection and response (NDR) tools tap into the network to mirror packets that can give defenders a covert vantage point and unassailable data source.

Dissecting packets to extract metrics reveals a wealth of useful information, including all connected devices and device types within a data center or cloud environment, attacker lateral movements, new connections, abnormal user behavior, data breach attempts and ransomware.

Look to network data

We know that the SUNBURST attack had both an extensive scope and long dwell time, which increased the potential for damage exponentially. Because of this, organizations are relearning just how important it is to have months of logs and network activity readily available so they can determine how and when they were hacked.

We don’t know what the next big supply chain attack will be or when it will take place, but with heightened awareness and tools that offer network visibility and historical data, organizations have a fighting chance against advanced threats.