10 Things We Learned About the Solarwinds Breach (FireEye)

Ten things we learned or were reminded of with the Solarwinds breach:

1. Without searchable logs, or with no logs at all, “you were screwed”: it was impossible to investigate historically.

2. Cloud SOC platforms made it nearly impossible to look back further than 30–90 days to find the breach, a huge dilemma for the hosting providers. This incident happened March – August (some now say October of 2019), which makes sense.

3. Without multiple layers of security backed by long-term storage, these attacks would have gone unnoticed or been impossible to recall and reconstruct; as it was, something like 99% went unnoticed.

4. Solutions that cannot show raw hex make it really hard to see certificate infections.

5. Updates don’t always make you less vulnerable

6. The whole industry, and our customers in this industry, have problems implementing and managing controls and the checks and balances behind them. (Think of an airplane here: someone is always double- and triple-checking because lives are on the line. Why is this not the case in cyber?)

7. Supply chain risk is not going away

8. Using technology, or only partially implementing it, can be a huge risk: understand what you are putting in your environment.

9. Beacons can tell the story; don’t leave a beacon uncovered.

10. Malware and forms of it CAN LIVE ANYWHERE!

Solarwinds Breach Information

Cyber security firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements.

Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. This is even evident in the naming convention used in the coverage designated by FireEye.

The use of Cobalt Strike beacons is popular among red teams and adversaries. In 2020, Cisco Talos released a research paper detailing the large amount of coverage for the Cobalt Strike framework. We have concluded the coverage is still applicable and can reliably detect FireEye red team beacons and other activity.
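Lesson 9 above ("beacons can tell the story") and the beacon coverage mentioned here both come down to the same defensive check: a compromised host calling home on a timer leaves a regular rhythm in proxy or firewall logs, which is only visible if those logs are retained (lessons 1–3). The following is an added example, not code from the original post, FireEye or Talos; it parses constructed proxy log lines in an assumed "<ISO timestamp> <src> <dst>" format and flags source/destination pairs whose connection intervals are too regular to be human browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): "<ISO timestamp> <src> <dst>".
# 10.0.0.5 calls cdn-update.example roughly every 60 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """
2020-06-01T10:00:00 10.0.0.5 cdn-update.example
2020-06-01T10:01:02 10.0.0.5 cdn-update.example
2020-06-01T10:02:00 10.0.0.5 cdn-update.example
2020-06-01T10:03:03 10.0.0.5 cdn-update.example
2020-06-01T10:04:00 10.0.0.5 cdn-update.example
2020-06-01T10:05:01 10.0.0.5 cdn-update.example
2020-06-01T10:06:00 10.0.0.5 cdn-update.example
2020-06-01T10:07:01 10.0.0.5 cdn-update.example
2020-06-01T10:00:00 10.0.0.9 news.example
2020-06-01T10:00:05 10.0.0.9 news.example
2020-06-01T10:05:00 10.0.0.9 news.example
2020-06-01T10:05:10 10.0.0.9 news.example
2020-06-01T10:15:00 10.0.0.9 news.example
2020-06-01T10:15:05 10.0.0.9 news.example
2020-06-01T10:25:00 10.0.0.9 news.example
2020-06-01T10:40:00 10.0.0.9 news.example
2020-06-01T10:30:00 10.0.0.5 login.example
2020-06-01T10:31:00 10.0.0.5 login.example
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(events, min_count=6, max_jitter=0.2):
    """Flag pairs with enough connections whose inter-arrival times are nearly constant.
    jitter = stddev(gaps) / mean(gaps); low values mean timer-driven traffic."""
    findings = []
    for (src, dst), times in events.items():
        if len(times) < min_count:  # too few samples to judge periodicity
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "period_s": round(avg, 1), "jitter": round(jitter, 3)})
    return findings

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Real beacons can be configured with deliberate jitter, so in practice the threshold and minimum count are tuned per environment and the output is a lead for an analyst, not a verdict.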