Organizations use thousands of third-party applications on a daily basis. As a reverse engineer, vetting all of these applications by hand before deployment is impossible. Given the frequency of attacks, the SolarWinds supply-chain attack does not surprise me; after all, a co-worker and I at RSA discovered the Kingslayer supply-chain attack targeting the EvLog3 service in 2016.
Exploit & Attack
In the case of SolarWinds, the compromised DLL imported by the service created a backdoor. The backdoor itself is unremarkable: a service executable with a DLL that allows covert, bi-directional communication over known protocols and hands control to the actor with system-level privileges. Pretty standard stuff. From there, any actor's next CoA (Course of Action) is also fairly predictable: recon the local machine and escalate privileges, combined with lateral movement and execution. This usually includes dropping tools, or in this case temporarily replacing built-in tools, and some cleanup. The problem is, and has been, trust. We have been here before; this is and has been the world we live in, but we are now forced to acknowledge it more. It has always been the case that behavior reveals intent, whether it comes from a trusted service or from something recently compiled, untrusted and downloaded from the Internet.
Automate the hunt process
Enterprises are collecting and storing an increasing amount of data generated by endpoints and applications in an effort to extract a stronger signal from the noise. Traditional analytical methods are still seeking a singular, atomic detection capability that delivers a boolean result. Instead, we should be using our resources to increase situational awareness and leverage the relationships already present in existing data to intelligently follow interesting tracks throughout the network. By using automated systems that follow these tracks at machine speed, describing them in the vernacular of the MITRE ATT&CK matrix, and grouping them into storylines or narratives that analysts universally understand, the time to detect and recognize a threat can be greatly reduced.
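The following Python script is an added example, not code from the original post or from any product it mentions. It illustrates both the attack pattern described above (a trusted service process that starts doing recon, running obfuscated scripts and cleaning up) and the hunt approach in this section: start from a process tree already present in endpoint telemetry, follow the parent/child relationships at machine speed, label each step with an ATT&CK technique ID, and emit a storyline an analyst can read. The events, hosts, PIDs, image paths and the regex heuristics are constructed for the example; only the technique IDs are real ATT&CK identifiers.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (one process-creation event per row).
# Hosts, PIDs, images and command lines are invented for this example; the
# list is assumed to be in the order the events arrived.
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 4,   "image": r"C:\Program Files\Vendor\svc.exe", "cmd": "svc.exe"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"host": "ws01", "pid": 201, "ppid": 100, "image": r"C:\Windows\System32\net.exe", "cmd": 'net group "domain admins" /domain'},
    {"host": "ws01", "pid": 202, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell -enc AAAA"},
    {"host": "ws01", "pid": 203, "ppid": 202, "image": r"C:\Windows\System32\cmd.exe", "cmd": r"cmd.exe /c del C:\Windows\Temp\stage.tmp"},
    {"host": "ws01", "pid": 300, "ppid": 50,  "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "ws01", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Behaviour -> ATT&CK label. The technique IDs are real ATT&CK identifiers;
# the regexes are this example's own, deliberately loose, heuristics.
RULES = [
    ("T1033",     "System Owner/User Discovery",                   re.compile(r"\bwhoami\b", re.I)),
    ("T1069.002", "Permission Groups Discovery: Domain Groups",    re.compile(r"\bnet\s+group\b.*/domain", re.I)),
    ("T1059.001", "Command and Scripting Interpreter: PowerShell", re.compile(r"powershell", re.I)),
    ("T1027",     "Obfuscated Files or Information",               re.compile(r"\s-(enc|encodedcommand)\b", re.I)),
    ("T1070.004", "Indicator Removal: File Deletion",              re.compile(r"\b(del|erase)\b", re.I)),
]


def label(event):
    """Return every (technique_id, name) whose heuristic matches the command line."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(event["cmd"])]


def children_index(events):
    """Map (host, parent pid) -> child events: the relationship already in the data."""
    idx = defaultdict(list)
    for e in events:
        idx[(e["host"], e["ppid"])].append(e)
    return idx


def storyline(events, host, root_pid):
    """Walk the process tree under (host, root_pid) depth-first and collect every
    labelled behaviour in arrival order, so the result reads as a narrative."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    idx = children_index(events)
    steps, stack = [], [by_pid[(host, root_pid)]]
    while stack:
        e = stack.pop()
        for tid, name in label(e):
            steps.append({"pid": e["pid"], "technique": tid, "name": name, "cmd": e["cmd"]})
        stack.extend(reversed(idx[(host, e["pid"])]))  # keep children in recorded order
    return steps


def suspicious_roots(events, min_steps=2):
    """Seed the hunt: every process whose parent was not recorded is a tree root;
    report the roots whose subtree yields at least min_steps labelled behaviours.
    A single match is noise; a chain of them is a track worth following."""
    seen = {(e["host"], e["pid"]) for e in events}
    roots = [e for e in events if (e["host"], e["ppid"]) not in seen]
    return [(r["host"], r["pid"]) for r in roots
            if len(storyline(events, r["host"], r["pid"])) >= min_steps]


def narrative(steps):
    """Render a storyline in the form an analyst would read it."""
    return "\n".join(
        f"pid {s['pid']:>5}  {s['technique']:<9}  {s['name']}  <- {s['cmd']}" for s in steps
    )


if __name__ == "__main__":
    for host, pid in suspicious_roots(EVENTS):
        print(f"storyline rooted at {host} pid {pid}:")
        print(narrative(storyline(EVENTS, host, pid)))
```

Run as a script, it reports one storyline, rooted at the vendor service (pid 100), with discovery, PowerShell execution, obfuscation and file deletion labelled in the order they happened; the explorer.exe tree produces nothing and is never shown. The signatures are intentionally crude and would need tuning against real baselines; the point of the example is the traversal of relationships that already exist in the telemetry and the ATT&CK-labelled narrative it yields, not the individual regexes.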