Kognos for MSSPs reduces MTTD/MTTR metrics to mere minutes. Learn More.

Case study - SolarWinds

The SolarWinds Supply-Chain Attack

Erik Heuser, Chief Security Research Officer

3rd Party Applications

Organizations use thousands of 3rd party applications on a daily basis. As a reverse engineer, vetting all of these applications by hand pre-deployment is impossible. With the frequency of attacks, the SolarWinds supply-chain attack doesn't surprise me, after all, myself and a co-worker at RSA discovered the Kingslayer supply-chain attack targeting the EvLog3 service in 2016. 

Exploit & Attack

In case of the compromised SolarWinds DLL imported by the service was creating a backdoor. The backdoor used itself is unremarkable. A service executable with a DLL that allows covert, bi-directional communication over known protocols and hands control to the actor with system level privileges. Pretty standard stuff. From there, any actor's next CoA (Course of Action) is also fairly predictable. Recon the local machine and escalate privileges in combination with lateral movement and execution. This usually includes dropping tools, or in this case, temporarily replacing built-in tools, and some cleanup. The problem is, and has been, trust. We have been here before and this is and has been the world we live in, but we're now forced to acknowledge it more. It has always been the case that behavior belies intent, whether it is a trusted service or something recently compiled, untrusted and downloaded from the Internet.  

Automate the hunt process

Enterprises are collecting and storing an increasing amount of data generated by endpoints and applications in an effort to extract a stronger signal from the noise. Traditional analytical methods are still seeking a singular, atomic detection capability that delivers a boolean result. Instead, we should be using our resources to increase situational awareness and leverage the relationships already found in existing data to intelligently follow interesting tracks throughout the network. By using automated systems that can follow these tracks at machine speeds, describing it using the vernacular of the Mitre ATT&CK matrix and grouped into storylines/narratives that are universally understood by analysts, detection and recognition speed of a threat can be greatly reduced.



Oxygen Icon Box

2064 Walsh Ave, STE C1
Santa Clara, 
California - 95050

Oxygen Icon Box


Copyright © 2021 Kognos, Inc. All Rights Reserved.
envelopemap-markercross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram