Responding to the SolarWinds Compromise with Nuix Adaptive Security
In this post I’ll describe how a security team could use Nuix Adaptive Security to detect, respond to, and recover from a situation like the SolarWinds compromise. The attack on SolarWinds’ code and the information published about it mean security teams face a series of questions, including:
- Do I have any of the affected SolarWinds software in my enterprise?
- Are all affected systems either disconnected or successfully upgraded?
- Is there any communication between my network and the known attacker infrastructure?
- If another attack with the same characteristics occurs, will I detect it?
- Did unauthorized actors gain access to my network through this attack? If so, what data did they access, and how do I get rid of them?
Working through all this efficiently requires comprehensive visibility and flexible detection on endpoints.
How Does Nuix Adaptive Security Work?
Nuix Adaptive Security relies on an agent installed on enterprise endpoints. Once the agent is in place, search capabilities and real-time visibility are available to the security team. The agent logs activities on endpoints; passes the log events through onboard processing to decide whether to alert, block, quarantine, or take other actions; and sends the log events back to a central server. About a dozen categories of endpoint activities are logged, including file, process, registry, DLL, session, and media events, as well as a range of insider threat-related behaviors. If a security operator finds a threat, Nuix Adaptive Security gives him or her a set of immediate response tools such as killing processes, deleting files, quarantining the host, and initiating a forensic investigation.
In the SolarWinds scenario, this combination of historical event data, real-time detection, and response tools gives security teams the ability to respond quickly and efficiently by determining which systems may be affected by the initial compromise, enhancing detections with newly discovered IOCs, and initiating a comprehensive threat hunt.
Assuming No Endpoint Agent Is in Place at the Time of Initial Compromise
A team responding to SolarWinds with Nuix Adaptive Security post-event could take the following steps after deploying the agent.
Search for the presence of the compromised update package and DLLs on disk
Threat intelligence provides the names and MD5 hashes of these files, so the first step is simply to identify any extant instance of them. If desired, any discovered files can be deleted from the target system by the operator. Affected systems could also be quarantined from the rest of the network or from the internet.
Set up alerts for future arrival or execution of the compromised files
Since the delivery and persistence mechanisms for the compromised applications are likely still only partially understood, alerts should be put in place to detect any instance where the compromised DLL is called, or the update package is detected on disk.
Set up detection for future known command and control
Any future attempt to connect to the domains and IP addresses specified in threat intelligence will be immediately reported to the security team. A Nuix Adaptive Security alert on any query to a domain on a list looks like this:
We've now put in place new detections for the IOCs known to be related to this threat. And we have a framework in place to update detections as new IOCs come out. This is valuable due diligence to protect against similar future threats. But we still must deal with the possibility that attackers have already compromised the network.
Begin a threat hunt for active attackers
Even if the compromised DLL was not discovered, it is possible there are or were compromises in other updates or through other vectors. The security team therefore needs to begin examining systems across the network for evidence of attempts to move laterally, establish persistence, discover information, stage it, and so forth.
Nuix Adaptive Security gives operators baseline detections for these activities based on the MITRE ATT&CK framework. From that starting point they can customize and build detections based on their unique environment. The existing threat intelligence suggests several things to look for, including known IOCs, behavior of the malware such as changes to specified registry keys, and behaviors of the attacker such as suspicious use of RDP.
One initial step would be to examine the user session events recorded by Nuix Adaptive Security for unusual RDP sessions, such as those originating from the SolarWinds boxes. Suspicious use of administrative tools such as PowerShell should also be examined.
Assuming Endpoint Agent Is in Place at the Time of Initial Compromise
Now let’s look at how our team would respond with Nuix Adaptive Security in place when the compromise occurred.
Detect the initial compromise or subsequent tactics employed by the attacker
Nuix Adaptive Security contains customizable rules to detect malicious code and attacker TTPs. These give network defenders a powerful tool to detect indicators on the host that would otherwise be missed.
Identify current and historical instances of the compromised software
Nuix Adaptive Security logs all file writes, process starts, and DLL loads. A search of file events using the known file names and MD5 hashes would quickly reveal whether the update package or DLLs had been written to disk. A search of process and DLL activity would reveal whether compromised binaries ever executed.
Identify current and historical instances of communication with the known C2
The endpoint agent logs all DNS queries and network connections. A search of the historical events would reveal systems that had made contact with the attacker’s infrastructure. Alerts could be set up on any future communication.
Begin a threat hunt for active attackers
From here, you’d begin the threat hunt as described above.
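As an added illustration of the searches and alerts described in both scenarios above (matching file writes, DLL loads and DNS queries against threat-intelligence indicators, and flagging RDP sessions that originate from the SolarWinds hosts), here is example detection logic in Python. It is not Nuix code: the JSON event schema, the host names and every indicator value are constructed placeholders, not real SolarWinds IOCs.

```python
import hashlib
import json

# Constructed indicator set: placeholders standing in for the file names, MD5
# hashes and C2 domains that threat intelligence would supply.
IOCS = {
    "file_names": {"example-hotfix.msp", "example.core.businesslayer.dll"},
    "md5": {hashlib.md5(b"constructed sample payload").hexdigest()},
    "domains": {"c2.example-ioc.invalid"},
}
SOLARWINDS_HOSTS = {"orion-srv01"}  # constructed names of hosts running the software

def in_domain_list(query):
    """Match the exact listed C2 domain or any subdomain of it."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOCS["domains"])

def alert_reasons(event):
    """Return the reasons one endpoint event should alert (empty list if none)."""
    reasons, kind = [], event["type"]
    if kind in ("file_write", "process_start", "dll_load"):
        name = event["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in IOCS["file_names"]:
            reasons.append(f"{kind}: known file name {name}")
        if event.get("md5", "").lower() in IOCS["md5"]:
            reasons.append(f"{kind}: known MD5 {event['md5']}")
    elif kind == "dns_query" and in_domain_list(event["query"]):
        reasons.append(f"dns_query: known C2 domain {event['query']}")
    elif (kind == "session" and event.get("protocol") == "RDP"
          and event.get("src_host", "").lower() in SOLARWINDS_HOSTS):
        reasons.append(f"session: RDP from SolarWinds host {event['src_host']}")
    return reasons

def hunt(log_lines):
    """Run each JSON event line through the detections; return (host, reason) hits."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        hits.extend((event["host"], r) for r in alert_reasons(event))
    return hits

# Constructed sample events in an assumed JSON-lines schema (not Nuix's format).
SAMPLE_LOG = [
    '{"host":"orion-srv01","type":"file_write","path":"C:\\\\Temp\\\\example-hotfix.msp","md5":"00000000000000000000000000000000"}',
    '{"host":"orion-srv01","type":"dll_load","path":"C:\\\\Orion\\\\clean.dll","md5":"%s"}' % next(iter(IOCS["md5"])),
    '{"host":"ws-042","type":"dns_query","query":"abc123.c2.example-ioc.invalid"}',
    '{"host":"ws-042","type":"dns_query","query":"updates.example-vendor.invalid"}',
    '{"host":"dc01","type":"session","protocol":"RDP","src_host":"orion-srv01","user":"svc_orion"}',
]
```

Calling `hunt(SAMPLE_LOG)` returns four hits: the file name match, the MD5 match on a differently named DLL, the subdomain of the listed C2 domain, and the RDP session from the SolarWinds host; the benign DNS query produces nothing.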