Perspective and FAQ About the SolarWinds Orion Hack Discovered in December 2020

The Importance of Network Visibility and Observability to Defend Against Cyberattacks

Our focus at cPacket Networks is to “eliminate blind spots” because they are a huge exposure and risk that will be discovered and exploited by cyber criminals. Blind spot exploitation is at the heart of a recently discovered national cyber-catastrophe that resulted in breaches to U.S. government agencies, major U.S. technology and accounting companies, and numerous other organizations.

Continuously reliable delivery of data (aka “Security Delivery”) that enables observation and inspection of every network data packet is an absolute fundamental necessity for a strong cybersecurity posture. This is made possible by cybersecurity solutions such as Network Detection and Response (NDR), Security Information and Event Management (SIEM), and Intrusion Prevention Systems (IPS).

As the diagram below shows, each link in the NDR ecosystem is dependent on the preceding link. As the saying goes, “a chain is only as strong as its weakest link” and the first link in the chain is the foundation – network data visibility and the observability it provides to security tools, analysts, and forensic records.

SUNBURST Malware Infects SolarWinds Orion Software

One Hack, Many Infections

The attack initially targeted the updating mechanism a trusted industry-leading network management software – Orion from SolarWinds. The company claims that Orion is used by as many as 300,000 organizations around the world. The entire matter would have been averted if this initial attack was detected.

The attack was perpetrated by an organized nation-state by exploiting an opportunity to use Remote Code Execution to trojanize Orion by planting the SUNBURST malware into the software’s updating mechanism. This multi-stage “supply chain attack” was meticulously orchestrated to become the vehicle for distributing the SUNBURST malware to infect many organizations.

After infecting a host system, the SUNBURSE malware uses a “low and slow: strategy, staying dormant for up to several weeks to make it difficult to be correlated with invalid traffic. It also uses many additional methods to cloak its activity, covertly blend into the environment, and appear as legitimate SolarWinds activity to avoid suspicion and evade detection, and ultimately exfiltrate data.

FireEye Detected the Attack

Cybersecurity provider FireEye first detected the attack by monitoring secondary registrations of their two-factor authentication and reporting suspicious behavior. The attack is believed to have begun in October 2019 – more than 1 year prior to its discovery (as reported by Kevin Mandia, CEO of FireEye).

The orchestration of the attack was complex, meticulously planned, and well-executed. In their findings, FireEye believes the infection began when trojanized updates to SolarWind’s Orion software were planted by highly skilled criminals who prioritized stealth, patiently conducted reconnaissance, and consistently covered their tracks.

Corelight Describes the Malware’s Evasion Tactics

Security analysts at Corelight, a provider of cybersecurity solutions, analyzed the attack and pointed out that the malware created and used an encrypted connection on port 443 of an HTTP proxy server to conceal its illegitimate activity.

The analysts pieced together the attacker’s methods using 5-tuple information (typically available in flow data) to observe connections across ports and protocols. This analysis reinforces the value of combining lossless visibility and observability of real-time and historical network packet and flow data.

This attack reinforces cyber criminals’ efforts to probe for and exploit weaknesses such as when visibility is compromised during periods of high network traffic. Low and slow attacks that unfold over long periods of time are designed to evade detection by appearing as non-threatening legitimate traffic. Detecting attacks of this type and preventing the consequences requires continuous, reliable, and unbiased comprehensive visibility to observe all traffic and behaviors at all times. This is why a monitoring fabric that drops packets when heavily loaded is an exploitable risk. This is also why cPacket Networks’ appliances have been carefully designed to never drop data packets when used for their specified maximum data rates, including and especially when under heavy loads.

Affected Organizations

SolarWinds publicly stated that malicious code could have unknowingly been pushed to nearly 18,000 of its customers that include 425 firms on the Fortune 500, the top 10 U.S. telecommunications companies, and many U.S. Government agencies including the Office of the President of the United States, the Pentagon and all branches of the U.S. Military, the State Department, NASA, NOAA, the National Security Agency (NSA), the Department of Justice, and the Postal Service. The costs and other consequences have not yet been estimated.

Consistently Reliable Network Data is Paramount

Cyber threats, attacks, malware, and malicious activity hidden by encryption or obfuscated by other methods must be detected to be prevented. Without exception, all traffic, in all environments, must be available to cybersecurity tools for inspection, detection, and prevention! This is why organizations trust cPacket Networks’ monitoring fabric to acquire, deliver, and store every network data packet, so that the necessary data always gets to the security solutions and analysts.

Wrap Up

cPacket Networks clearly understands that cyber criminals are organized and well-funded, including operating as covert nation-state entities. They are intelligent, clever, able to weaponize advanced technology, and execute sophisticated and covert methods of attacking IT infrastructures. They use encryption to hide malware in payloads in hopes that it bypasses cybersecurity defenses by exploiting blind spots in all IT environments that inhibit cybersecurity tools’ ability to do the job. Nevertheless, such covert actions do leave detectable footprints in network packet and flow data.

cPacket advises using risk analysis and reduction best practices, along with the following interrelated requirements, to ensure a strong cybersecurity posture. The recommendations apply to physical and virtualized IT infrastructures in on-premises, private cloud, public cloud, and hybrid environments.

  • Availability, visibility, and observability of all traffic into, out of, and throughout the network
  • Detection of malicious and suspicious activity within all network traffic that seamlessly spans all environments, especially multi-cloud and hybrid environments
  • An immutable historical record of activity that is timestamped and tagged for efficient forensic analysis of all activity leading up to, during, and following an event
  • Timely and appropriate manual and automated responses

FAQ – cPacket Networks and the SolarWinds Orion Attack

Q:  Should we consider using cPacket Networks solutions with our cybersecurity solutions?

A: Yes. Our monitoring fabric can access every network data packet that you tap into at strategic points in your network. Each packet is inspected, processed (e.g., to remove duplicates), and routed according to configurable policies to the endpoints you choose such as security monitors, analyzers, etc. No packet is ever dropped by our monitoring fabric so there are no blind spots to be exploited. cPacket Networks’ monitoring fabric is the best choice for security delivery to drive a strong cybersecurity posture; it is the strongest first link in the cybersecurity ecosystem chain!

Q: Could solutions from cPacket Networks alone have prevented this cyber attack?

A: No. Our solutions provide the foundational first links in the chain, which are availability, visibility, and observability of all network traffic to cybersecurity tools. Our solutions also facilitate efficient forensic analysis. This is why leading cybersecurity solution vendors have partnered with and recommend cPacket Networks as the security delivery component of the overall security solution. Our cybersecurity solution partners include: A10 Networks, Cisco, Corelight, Fortinet, Humio, Palo Alto Networks, and Vectra.

Q: How can cPacket Networks assist with the forensic analysis of a cyber attack?

A: There are multiple ways:

  • Packet and flow data is enriched with accurate timestamps and tagged with event information and persistently stored using cStor® appliances and similar capabilities within the cCloud Suite to facilitate efficient forensic analysis
  • The cClear® analytics engine and similar capabilities within the cCloud Suite can be used to surface insights to understand attack vectors and methods

Q: Are visibility and observability really necessary in public cloud environments? Aren’t public cloud Infrastructure as a Service (IaaS) solutions inherently secure?

A: Visibility and observability solutions from third parties such as cPacket Networks are necessary. Public cloud IaaS providers offer some perimeter security, especially for flood-type denial of service attacks and recognizable intrusions. However, securing data and workloads within Virtual Private Cloud (VPC) environments is shared between the IaaS provider and your organization. Each cloud IaaS provider offers varying levels of access to network traffic, but none offer it from all of the strategic points needed to fully cover blind spots and detect stealthy malicious activity. The cloud IaaS providers also do not offer the ability to easily and cost-effectively replicate and route traffic to multiple security tools that are needed to thoroughly assure effective detection, response, and prevention. Augmenting, extending, and filling IaaS visibility and observability gaps to maximize the effectiveness of cybersecurity defenses is the value provided by the cCloud Suite.

Q: In addition to security delivery for NDR, what other cybersecurity benefits does cPacket Networks offer?

A: The cPacket Networks product portfolio provides:

  • Real-time network packet data
  • Real-time network flow data
  • Reliable storage of captured packet and flow data that is timestamped and event-tagged for efficient forensic analysis to uncover IoCs, hunt for threats, identify attackers, assess consequences (e.g., what has been compromised/exfiltrated) by querying and analyzing data from before, during, and after a cybersecurity event.

Q: Was cPacket Networks infected, compromised, or otherwise affected by this cyber attack?

A: No. cPacket Networks does not use Orion from SolarWinds.

Q: Can we get infected or compromised using cPacket Networks monitoring appliances?

A: No. Our physical appliances operate in a separate independent plane, a monitoring plane, that is isolated from the core network’s data plane as well as the control plane.

Q: Where can I learn more details about this attack?

A: FireEye posted details in a Threat Research note dated December 13, 2020. Corelight posted a blog describing analysis of the malware’s actions.

About the Author

Ron Stein
Director of Product Marketing