
ExtraHop reveals methods used by attackers in SUNBURST breach

15 Feb 2021

In the wake of the discovery of the SolarWinds SUNBURST breach, ExtraHop has released a report detailing the specific methods the attackers behind the incident used to evade detection.

The network detection and response company says between late March and early October 2020, detections of probable malicious activity increased by approximately 150%, including detections of lateral movement, privilege escalation and command and control beaconing.

The use of these tactics meant more traditional detection methods, such as endpoint detection and response (EDR) and antivirus, were less effective. According to ExtraHop, the attackers evaded these tools either by disabling them or by changing their approach before they could be detected.
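The detection categories named above, command and control beaconing in particular, are visible on the network even when endpoint tooling has been disabled, because the implant still has to call home on some schedule. The script below is an added illustration of one way such beaconing is detected from connection records; it is not ExtraHop's code, not the Reveal(x) detection logic, and not taken from the report. The connection records, IP addresses, host names and timestamps are all constructed for the example. It groups connections by source and destination, measures the gaps between successive connections, and flags pairs whose gaps are unusually regular (low coefficient of variation), which is the signature of a sleep-and-callback loop.

```python
"""Toy C2 beaconing detector over connection records (added example, not ExtraHop's code).

A beaconing implant connects to its controller at a roughly fixed interval, so the
inter-arrival gaps for that (source, destination) pair have a low coefficient of
variation (standard deviation / mean). Human-driven or bursty traffic does not.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (timestamp in seconds, source IP, destination host).
# None of these hosts or addresses are real indicators of compromise.
SAMPLE_CONNECTIONS = [
    # A beacon: roughly every 600 s with a few seconds of jitter.
    (0, "10.0.0.5", "api-cdn.example.invalid"),
    (602, "10.0.0.5", "api-cdn.example.invalid"),
    (1198, "10.0.0.5", "api-cdn.example.invalid"),
    (1805, "10.0.0.5", "api-cdn.example.invalid"),
    (2399, "10.0.0.5", "api-cdn.example.invalid"),
    (3001, "10.0.0.5", "api-cdn.example.invalid"),
    (3596, "10.0.0.5", "api-cdn.example.invalid"),
    (4203, "10.0.0.5", "api-cdn.example.invalid"),
    # Bursty, human-driven browsing to an intranet host: irregular gaps.
    (0, "10.0.0.7", "intranet.example.invalid"),
    (40, "10.0.0.7", "intranet.example.invalid"),
    (900, "10.0.0.7", "intranet.example.invalid"),
    (950, "10.0.0.7", "intranet.example.invalid"),
    (1000, "10.0.0.7", "intranet.example.invalid"),
    (3000, "10.0.0.7", "intranet.example.invalid"),
    (3100, "10.0.0.7", "intranet.example.invalid"),
    # Regular but too few observations to call: skipped at the default threshold.
    (0, "10.0.0.9", "updates.example.invalid"),
    (600, "10.0.0.9", "updates.example.invalid"),
    (1200, "10.0.0.9", "updates.example.invalid"),
]


def connection_intervals(records):
    """Group records by (src, dst) and return the sorted inter-arrival gaps per pair."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    intervals = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        intervals[pair] = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
    return intervals


def find_beacons(records, min_connections=6, max_cv=0.2):
    """Return pairs whose connection timing is regular enough to look like a beacon.

    min_connections: ignore pairs seen fewer times than this (too little evidence).
    max_cv: flag only when stdev(gaps) / mean(gaps) is at or below this value;
            an implant that randomises its sleep widely pushes this ratio up,
            so the threshold is a tuning knob, not a verdict.
    """
    hits = []
    for (src, dst), gaps in connection_intervals(records).items():
        if len(gaps) + 1 < min_connections:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second: not a periodic pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(gaps) + 1,
                "period_s": round(avg, 1),
                "jitter_cv": round(cv, 3),
            })
    # Most regular first.
    return sorted(hits, key=lambda h: h["jitter_cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"period ~{hit['period_s']} s, jitter cv {hit['jitter_cv']}")
```

On the constructed data only the 10.0.0.5 pair is reported (period about 600 s, coefficient of variation under 0.01); the intranet browsing has a ratio well above 1 and the three-connection pair is skipped until `min_connections` is lowered. Legitimate software beacons too (update checks, telemetry, NTP), so in practice a hit like this is a triage lead to be checked against destination reputation and an IOC list, not a finding on its own.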

“Unfortunately, what we found when investigating SUNBURST is that the activity was actually detected on the network,” says ExtraHop deputy CISO Jeff Costlow.

“But because other detection methods weren’t alerting on the activity, it largely went ignored. In this case, the attack was strategically designed to evade those detections, and we can expect more similar attacks to follow. It’s an important reminder that the network doesn’t lie.”

In its report, ExtraHop also revealed that significant increases in 'suspicious' network activity went largely unnoticed because the SolarWinds software held a privileged and trusted position within the IT environment.

The report also found that many ExtraHop customers investigated and remediated the compromise within their own environments. The case studies include details on how customers were able to use historical metrics to determine the duration of the compromise, as well as which systems and data may have been impacted.

As part of the report, ExtraHop also released an expanded list of over 1,700 SUNBURST indicators of compromise (IOCs) as observed across affected environments protected by Reveal(x), critical information that can help organisations determine if and to what extent they’ve been compromised.

The report follows a significant announcement from ExtraHop: the opening of the company’s newest data centre facilities in Sydney, a move the company says was motivated by its desire to host its security offering locally.

“Organisations around the world are rethinking their approach to security as advanced threats like APTs and software supply chain attacks take a financial and reputational toll,” says ExtraHop Asia Pacific and Japan vice president David Sajoto.

He says the company's machine learning-backed detection and response capabilities are delivered through ExtraHop Reveal(x) 360.

“[Our] commitment includes investing in the markets we serve to ensure that our customers have access to high-availability, low-latency security capabilities that meet local standards for data sovereignty and protection. This investment affirms our commitment to the region and our customers.”
