CyberWire Daily - SolarWinds, SUNBURST, and supply chain security. [CyberWire-X]

Episode Date: March 14, 2021

The SolarWinds Orion SUNBURST exploit forced organizations to determine whether and to what extent they’d been compromised. It’s not enough to eject the intruders and their malware from the networks. Affected organizations also need to know what systems and data had been breached, and for how long. The adversary behind SUNBURST is advanced, quietly breaching the perimeter and moving freely to access, steal, or destroy business-critical data, and to disrupt operations. Joining us to share their expertise on the subject are Ryan Olson of Palo Alto Networks' Unit 42, Bill Yurek of Inspired Hacking Solutions, and we close out the show with Matt Cauthorn, from our sponsor ExtraHop, who joins CyberWire-X to discuss the challenges of detecting such advanced threats, and to share insights from behavioral analysis on what the new breed of threat actor is doing inside our networks.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to CyberWireX, a series of specials where we highlight important security topics affecting organizations around the world. I'm Dave Bittner. Today's episode is titled SolarWinds Sunburst and Supply Chain Security. The SolarWinds Orion sunburst exploit forced organizations to determine whether and to what extent they'd been compromised. It's not enough to eject the intruders and their malware from the networks. Affected organizations also need to know what systems and data had been breached, and for how long.
Starting point is 00:00:54 The adversary behind Sunburst is advanced, quietly breaching the perimeter and moving freely to access, steal, or destroy business-critical data, and to disrupt operations. We begin the show with my conversation with Ryan Olson, Vice President of Threat Intelligence of Palo Alto's Unit 42. Later in the show, we're joined by Bill Yurek, President and Founder of Inspired Hacking Solutions. And we'll conclude our discussion with our show sponsor, ExtraHop's Matt Cauthorn, to discuss the challenges of detecting these advanced threats and to share insights from behavioral analysis on what the new breed of threat actor is doing inside our networks. A program note, each CyberWire X special features two segments. In the first part of the show, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view.
Starting point is 00:01:50 And speaking of sponsors, here's a word from our sponsor, ExtraHop. And now a word from our sponsor, ExtraHop, stopping advanced threats with network detection and response. Stopping advanced threats requires knowing exactly what you're up against. With 90 days look back, ExtraHop RevealX is the only solution that shows you not just where the intruders are going within your network, but where they've been. ExtraHop RevealX provides complete visibility across cloud, data center, and IoT, even when traffic is encrypted. Powered by cloud-based AI,
Starting point is 00:02:33 RevealX finds threats in real time, while powerful investigation and forensics capabilities allow you to respond 84% faster. See how it works in the full production demo, free online at extrahop.com slash cyber. That's extrahop.com slash cyber. Ryan Olson leads the Palo Alto Networks' Global Threat Intelligence Team, known as Unit 42.
Starting point is 00:03:04 His responsibilities include identification and tracking of threats around the world and across all major industries. Initially for us, this started on December 8th when FireEye came out and said that their Red Team tools, the tools used by their Red Team to attack their customers, to test their defenses, had been stolen. And at the time, they didn't say much about how the tools had been stolen, just that they had and they were releasing signatures so that security vendors like us and other defenders could go and make sure that we could detect those tools and protect against them. And it wasn't until five days later, on December 13th, that they revealed how they were compromised, that it was through SolarWinds, that SolarWinds software itself had been compromised. That had enabled the attackers to have an initial foothold inside the FireEye network and then to eventually steal these tools.
Starting point is 00:03:58 And it was really that Sunday night when all of us realized, oh, this is a big deal. And SolarWinds at the time, it wasn't extremely broadly known outside the security or the technical community. It's a network. Orion is a network monitoring solution. The scale of how many customers they have, when we started digging into 30-something thousand customers, they said 18,000 or so used Orion and had active licenses at that time. That's massive because it's not 18,000 laptops. It's not 18,000 individual people's computers. This was 18,000 network monitoring servers that are placed at the core of the
Starting point is 00:04:39 network so that they have access to databases and systems and routers and networking equipment so that they can monitor and manage them. And at that point, that was when we all started going, this is going to be a big deal. And everyone is going to spend the next few months trying to understand, have they been impacted? And if they have, what was the extent of the impact? You know, when we talk about defense in depth, and I think a lot of folks have an aspect of their defensive measures that include behavioral things. They're looking for unusual activity within their network. I mean, was this able to go undetected to even those sorts of things? Well, it certainly could evade a lot of tools, but in our case, Palo Alto Networks
Starting point is 00:05:27 was a SolarWinds Orion customer. And we actually had a security incident at the beginning of October where our Cortex XDR, our endpoint agent, which does behavioral monitoring, detected the attempted execution of Cobalt Strike on that system and prevented it. It stopped execution from running
Starting point is 00:05:44 on our SolarWinds Orion server. So that behavioral monitoring prevented that attack from having a further impact for us. At the time, we didn't connect that to a SolarWinds Orion supply chain compromise because we didn't have that data. We knew that our SolarWinds server had Cobalt Strike running or attempted to run on it. We had blocked it at that time. We investigated how did Cobalt Strike get on the system, but Cobalt Strike is used really, really broadly. Like we've got 25,000 samples of Cobalt Strike used from, you know, actors from the very top to the very bottom, red teamers and everything else. So we weren't able to determine at that time that there'd been the supply chain compromise. We investigated it because we thought it was significant and serious,
Starting point is 00:06:24 but it was only an attack on us at that point from an unknown actor that we had blocked. And you could stop this. You certainly could. We couldn't stop Sunburst from being downloaded. That was downloaded legitimately from SolarWinds. But when they went to take additional action, that's when our behavior monitoring solution said, hey, this is out of the ordinary. It looks like Cobalt Strike. Let's stop it and alert the SOC so that they can go and perform their investigation. So, FireEye released their blog saying that on the 13th, you know, they detected this was coming from a SolarWinds Orion supply chain compromise. That's when we connected the dots on those things and said, oh, that attack that we saw at the beginning of October was probably through the
Starting point is 00:07:03 same channel. We then confirmed that Sunburst had been installed on our Orion server that we shut down at that time and was able to say this was the same attack that we had blocked. We just didn't experience impact from it. So there wasn't an additional investigation that went to the point of, hey, let's go and really figure out whether or not Sunburst, where it came from. We just know that it got on the system through SolarWinds somehow.
Starting point is 00:07:30 And was that kind of an aha moment that rippled through the industry as people took a look at their logs, took a look at things, like exactly what happened to you all? You had an incident, but you went through its normal range of checks, and perhaps you thought that was that. Yeah, I think everybody, in the wake of the sort of disclosure that SolarWinds themselves have been compromised and the software had been modified, everyone had to go through a couple of processes. One was determine whether or not they have SolarWinds Orion in their network. That's not something everyone could quickly determine. I mean, generally, we've had lots of conversations
Starting point is 00:08:04 about software inventory, people knowing if they have a huge network with thousands of devices, what piece of software is running on every single one of them. Not everybody can go and do that quickly. And so that was the first step. Do you have Orion running or not? Second was, do you have a version of Orion that was running that got the sunburst update? Because you might have had an old unlicensed version, a version that wasn't getting automatic updates. In some cases, people found that they were safe simply because they were running Orion, but they weren't getting automatic updates, which is problematic for other reasons. And then beyond that, so once you discover you had sunburst on your system, now you've
Starting point is 00:08:40 got a compromise in the network at a certain date, probably months ago, and what you're trying to determine is, did they take any action with that? Because that was the big chasm that existed in Sunburst intrusions. Approximately 18,000 organizations probably got that update. They downloaded the DLL at that point. The DLL makes some DNS requests basically to tell the attacker, hey, I've compromised this network. And it encodes the name of the Active Directory domain that the system is part of into a DNS request basically to check in and say, hey, this network is compromised. The attacker then has options. They can say, ignore that, don't give them any additional commands, or I've selected them for additional
Starting point is 00:09:21 intrusion. And at that point, they were telling it, go and download Cobalt Strike and execute that. And it was a bespoke version of Cobalt Strike for each individual intrusion. They all had their own unique command and control domain and server. And they got to choose. Let's go for these government agencies. Let's go for FireEye. Let's go for Palo Alto Networks. All these organizations were then chosen to be targeted later on.
Starting point is 00:09:45 But that's a pretty small number. It's not 18,000. I think it's probably somewhere around 100. At least that's what I've seen from the U.S. government around what they think organizations who saw that further impact was. But that opens a big door. You know, if you're in that 18,000, discovering whether or not you were part of that select few who was further targeted was not straightforward. Yeah, I mean, that brings up the question of how do you suppose this changes things going forward? I mean, does it? Is this a deflection point where people are going to have to recalibrate some of the ways that they approach their security? So I expect it will cause people to shift a little bit,
Starting point is 00:10:27 but it shouldn't necessarily. So this is not the first software supply chain attack. There've been quite a few of them in the past. Some of them really impactful, NotPetya in particular in 2017, where you saw a Ukrainian software company compromised malware deployed through their update channel the same way with SolarWinds and then a worm that was built into that, which shut down networks all over Europe and caused a huge amount of damage. That should have been a big wake-up call for people to say, oh, software supply chain security is important. I think there's different directions that deflection, as you described it, could go. People could say, let's focus entirely on trying
Starting point is 00:11:05 to make sure our vendors are doing things right and they are securing their software properly, which I think would be, it's certainly a useful thing to do, but it only solves one little component of the overall threat landscape. Whereas the alternative is, let's make sure that we're building networks and monitoring our endpoints in a way that would help us detect this and ideally prevent it the next time it happens, because it will happen again. If someone had deployed a zero trust architecture where that SolarWinds Orion server can only talk to the systems it absolutely has to, it would have been able to talk to the update server, Gautasun Burst Trojan, but it wouldn't have been able to go and download Cobalt Strike. It would have been blocked at that point. Same with an endpoint behavior monitoring solution. If you were using something that could automatically detect when the system deviates from its normal pattern and stop it from doing that, or at least alert your SOC so that they can respond, you'd also be in a secure environment. And those things
Starting point is 00:12:04 aren't about software supply chain. They're about all security. They would stop an insider threat the same way. They would stop a security incident that came in through another type of exploit. Those are just sort of good practices, which are now accessible. They're not necessarily easy to deploy. Getting perfect zero trust is not simple for a network to have. But moving in that
Starting point is 00:12:26 direction helps solve all of these challenges rather than just software supply chain, which is important. But if we over-rotate and focus on it too much here in 2021, and we ignore the fact that organizations are going to get hit with ransomware and business email compromise every single day, we may end up sort of losing the forest for the trees. Bill Yurek is a certified cybercrime investigator, cyber attorney, and critical infrastructure protection specialist, and is owner and president of Inspired Hacking Solutions, a cybersecurity consulting company. His experience spans over 35 years, including time as a federal agent, federal prosecutor, and congressional investigator. You know, it's one of those things, I think, I don't think I'm alone in this. A lot of people said, well, you know, I'm not surprised it happened because it was inevitable.
Starting point is 00:13:26 But really, for me, what I guess is sort of a mixed silver lining slash painful lesson learned was, you know, the idea that even those companies, those entities that are in the security business, that do this for a living, that are established, can in fact be compromised. There's no such thing as the too big to fail in the cyber war environment or the cyber crime environment. For me, that's the first thing that struck me. When I would teach for a small business administration, one of the first things we taught, like day one was, there's no silver bullet. You're not going to find a company that's going to help you with,
Starting point is 00:14:06 whether it be monitoring, whether it be with incident response, that's going to be the silver bullet. They can just say, hey, look, I've got this, the A plus, I got the A team and that's going to make it, that's okay. I don't really need to worry anymore. It just doesn't work that way. And to me, I think that was my first reaction to this was that, you know, it's sad to see it, but it wasn't inevitable that some of the very sort of things, I mean, processes or technology that we counted on to believe is, you know, this is part of our defensive system can in fact be compromised, can in fact be, you know, defeated. And that is a harsh reality. You know, talking about small businesses, would you say it's accurate that a lot of small business owners sort of think, well, I don't, I'm too small to be noticed. I don't have anything, you know, what do I have that they're interested in? Well, I, you know, that's such a common thing. And a matter of fact, that's one of my, you know, things that I try and get out there right off the bat is why me?
Starting point is 00:15:06 Why would they care about me? And there's a couple of things I try to point out. Number one, the bad guys, a lot of time, they may or may not be specifically targeting you. But some are targets of opportunity. You're weak or something. And if they compromise you, they're not going to say, oh, you know, okay, they're just this. They're going to try and find a way to benefit from compromising you. And so what, you know, so you might say, well, what would I have to offer, Bill?
Starting point is 00:15:33 Well, a number of things. And, you know, the example I like to use is let's say you had a carpet cleaning business. You have three vans. You have 15 people that work for you. You have a carpet cleaning business. You know, Bill, why would they care about me? Well, you know what I care about? In the simplest sense, if all I got was your customer list and I could sell that off as a mailing list,
Starting point is 00:15:53 I could find people who are competitors to you or just want to get a list of 300 people in a particular region that are known to spend upwards of $10,000 on carpet cleaning, that are known to have a valid email address and mailing address and phone number, that's worth money. Now, it might not be worth a lot, but it's worth it. Now, if you keep your client's information, you keep how they pay their credit card information, well, now you're a little bit juicier, right? And now I can get that as well. And now maybe between those, I can do a number of things. I could, of course, credit card theft.
Starting point is 00:16:26 I'm probably going to try and bundle those and sell them. But now I can wrap those things together. I can do identity theft movement. I can try and get a loan in your client's name. I could try and file in your name some way, try and use your access to file, you know, to try and put a debit towards them. And maybe they won't notice it. Maybe I can get a mortgage in their name. And then what about your employees? What about those 15 people? Do you have medical information? Do you have their contracts? Do you have, and now what can I,
Starting point is 00:16:55 now if I get a treasure trove there, right, I can get your insurance information. And so if you're a small business, you're inherently vulnerable because just, I hate to say it, the pure nature of the average small business starting out, they don't have the resources or they don't want to put the resources towards cybersecurity. And I'm not saying that's right or wrong. That's a decision to make. But you are vulnerable. You're one of the sort of ripest, juiciest targets out there. And you're not worthless. It's not like you're not worth compromising. Maybe you won't be the first thing on someone's list. But if I'm able to compromise you easily why not why not exploit everything I can out of you and then there's always the third-party aspect who you contract into who are your business partners who do
Starting point is 00:17:35 you have trusted relationships with what cloud environments are you connected with and how can I exploit that so you know you can't sit back these days and say I'm just little on me you know who, who would care about me? It's a pretty hard thing to do these days when you're in an era of electronic commerce, electronic funds transfers, where so little is, you know, cash these days, where everything seems to go electronic. You know, it strikes me that every time we have a major event like this, you see folks saying, well, this is a wake-up call. And I think there's something to that, but also it happens every time we have an event like this. I mean, to what degree do you think that's true in this case? I mean, is this going to change how we approach things going forward? Whether it will, I don't know. Whether it should, yeah, it probably should.
Starting point is 00:18:31 I mean, there's a number of lessons learned to come out of this. In other words, you know, just because it's a big name doesn't mean it's faultless. Just because a big name doesn't mean faultless. In other words, you can count on them to protect you. Well, also doesn't mean they're faultless in terms of protecting themselves. Oh, I can never protect myself like, name the big company. Well, maybe you don't want to. I mean, some of them don't do that good a job. And there's a number of things that come out of this. Digital signing of updates, for example, it was, I think, a great lesson to be learned here because it just isn't working the way we're doing it now. And so there's always lessons to be learned. I think that will be learned by those entities or organizations that, A, have the staff,
Starting point is 00:19:11 whether it be contracted out or support or their own indigenous capability, to look at this and really apply it to themselves. B, those who have that and want to and take the effort to apply it themselves, absolutely. There's some great lessons learned to it. But for those who just say, it's just one more, it's a sign that over time, and you've kind of touched on this with the idea of sort of persistence, over time, and you've heard this many times
Starting point is 00:19:34 probably in cybersecurity, if a sophisticated bad guy, given enough time, will in fact succeed. The basic things are still there. The basic rules are still there. Access control, least privilege, backup, those are still there. The basic rules are still there. Access control, lease privilege, backup. Those are still there. But now you have to apply them to a different environment, a different set of data, different data flows, different storage, different levels of security, shared responsibility model.
Starting point is 00:19:57 And even if you have the lessons learned from the last time, they're not perfectly matched with this time. It doesn't always just click just right. Oh, yeah, it's the same. It's everything taken sort of a step further. You know, do I think this was a, I think, like I said early on, I think this was a sort of shot across the bow bigger than many others
Starting point is 00:20:17 because of the nature of the very entities that were compromised. that were compromised. Matt Cawthorn is Vice President of Cloud and Security Field Engineering at ExtraHop, our sponsors for this CyberWireX episode. The first thing that we did is we went back in time. So we very quickly reviewed when the disclosure came out, we reviewed the indicators and in particular the DNS and IP-based indicators, as well as some of the, with an eye towards subsequent artifacts, which we'll probably get to.
Starting point is 00:21:01 But so when we had the domain, the sort of stage one and stage two C2 indicators to suspicious domains and IPs, there's quite a long list. We compiled that list and we put a script out on GitHub for our customers to download and ask questions retroactively. And so one of the interesting things
Starting point is 00:21:21 about this particular one is to me, it really blurred the lines between retroactive detection and threat hunting and incident response. Because usually those things are sort of cast in these time series buckets. One happens first, you detect, and then you respond. And then retroactively, sometimes you sort of speculatively interact with your data to find indicators of compromise. Well, this was like a mashup of all three. And the big condition here was that you actually had network-based data because a lot of this stuff wasn't logged. And in this particular case, Endpoint was so actively evaded. And by the way, that's not a sort of deficiency on their part it's just an artifact of the way these solutions instrument themselves or are installed and in the sophistication of
Starting point is 00:22:12 sunburst itself and so they actively evaded the endpoint and they actively you know sort of they were very kind of low and slow and very patient especially in the early. And so what we did is we provided this list to the customers in the form of a script that they could run, and they could automatically query the system for these indicators. And unfortunately, many found indicators. Can you help us understand here? I mean, looking for your insights on why this particular breach set everyone back on their heels so much. It seems as though this one really caught everyone's attention and set our imaginations running. can speak comfortably for several of the people out there, but at least for me, having come from operations and security myself in my past, is that this one basically, it's analogous to an Amazon package coming to your door that had a specific, in Amazon branding, delivered by the truck associated with an Amazon order. Very deterministic.
Starting point is 00:23:25 But when it's opened, now you're in trouble. And so what it did is it drop-shipped you, for lack of a better way to put it, maybe to brutalize the metaphor, but it drop-shipped you right into the East-West corridor. And it happened to do so inside of a system, a software system that had privileges. Because in most cases, I don't know about every case, but in most cases, systems like that, that do
Starting point is 00:23:52 monitoring, they often ask for database credentials, domain credentials, and many, many other things in order to do synthetic transactions and other monitoring tasks. And so, A, it's in the east-west corridor. In other words, it's next to critical assets. B, you're used to lots and lots of sort of transactional noise coming from this thing. And then C, it's running with privilege. The coalescence of those three factors is what really landed this thing so hard on the industry, in my opinion.
Starting point is 00:24:23 Well, let's dig into this notion of behavioral analysis. I mean, first of all, before we look into how it applies to something like Sunburst, can you give us a little bit of how you define it, how exactly it works? Yeah, so behavioral, it's really, it's a worthwhile exercise to think about what, how you define behavioral analysis. And, you know, it's very easy to conceptually get some intuitive understanding, but building out that intuition into a set of concrete expectations is really much more important for a security practice, right? So for us, at least, behavioral analysis means understanding behavioral patterns with transactional, like, you know, at the end of the day on the wire for data in flight, okay?
Starting point is 00:25:14 From a, you know, we're a covert analysis engine from the network's perspective. And we analyze transactional behaviors because transactions is where a lot of the rubber meets the road from a behavioral analysis perspective. And so it's understanding the nature, the assets in question, the sort of participants on the network, and the nature of the transactions that they're both serving and consuming. Because in heterogeneous environments and in large environments, you're seeing lots and lots of server and client activity regardless of the formal role of a system. And so it's really, really important to understand the disposition, the protocol mix, the behavioral mix, and any
Starting point is 00:25:57 changes, behavioral changes over time. And so that's for us where we really land hard on network-based behavioral analysis. Now, part of behavioral analysis, and this is really worth commenting on, part of behavioral analysis might mean a simple pattern that you can match on in real time and flag some event or fire off a detection or an alert. or an alert. And that too is a form of behavioral analysis. But I would encourage the listeners to think about network behavioral analysis as a much, much more comprehensive art in the modern era, because it used to be sort of pattern matchy without long-term look back and historical trends and feature extraction. And the game has completely changed now, and it's all of those things and more, actually. Is there the ability to detect, for example, if someone's trying to boil the frog, you know, making slow changes over time to try to fly under your radar to mix metaphors? Part of the implication of behavioral analysis, and I just, you know, kind of danced around this, but we have a very declarative term for what I'm about to describe. I talked about matching suspicious patterns, which is, you know, like a rules-based detection methodology.
Starting point is 00:27:18 And then I talked about historical trends and feature extraction, right? And that taken together represents a spectrum of detection capabilities, of behavioral detection capabilities. And so one of those behavioral categories is the low and slow attack, or the first-time observed attack, or an unusual endpoint has presented itself to the wire, but it's actually acting different than its peers, even though it's trying to emulate them. Like all of these are behavioral categories that you need to be mindful of when you're in the business of network detection and response. Well, let's pivot back to SolarWinds
Starting point is 00:27:53 and the Sunburst exploit. I mean, how specifically would behavioral analysis apply? So when the disclosure first lands, you've got sort of, this was sort of zero-day style, like, boom, here it is. FireEye wrote it up. They did a great job doing so. And all of a sudden, the entire industry was in retroactive analysis mode. So sort of step one is, do I have artifacts in my environment?
Starting point is 00:28:21 And therefore, I need to look back in time, regardless of the data source, whether it's logs or endpoint or network, you need to be able to go back in time and have captured those, that analysis to answer those questions, right? So that's stage one. Then stage two is the subsequent, you know, the real, in my opinion, it was a very sophisticated attack from the sort of stage one and stage two command and control. Some of the intelligent decisions it made at the time of initial compromise. From there, south of that, once they decided, okay, I've got this environment now and it's game on, then you're falling back to very standard TTPs that many, many, you know, solutions out there, including ours are able to detect, right? And so then some of them are network based, so you need network
Starting point is 00:29:10 and others are sort of more endpoint based, but your endpoints have been evaded. And so it was, it's a really, it was a really interesting cocktail of problems, but, but after the initial compromise and that sort of that initial two week period, because it was quite good at sort of just, like I said, being very patient. Then it's using very standard stuff. You know, one can think of, you know, DC sinks potentially or golden tickets or, you know, other privilege escalation mechanisms, whatever. And from there, it's lateral movement in the east-west corridor and trying to get actions on your objectives. So it flipped from sort of retroactive analysis mode to continuous behavioral analysis mode. And interestingly, we were able to go back.
Starting point is 00:29:57 We've got a blog post on this from our chief data scientist. And we were able to go back and in the time period in question, we saw 150% increase in our behavioral detections in the east-west corridor, in the server-to-server corridor during the time of Sunburst. And it wasn't the traditional indicators. It wasn't the sort of IP-based or DNS-based. These were like behavioral lateral movement and actions on objective privilege escalation, things like that. So we saw this correlation that was, well, it was pretty unfortunate actually, but it was there. How do you recommend that folks get started with this? When someone is beginning the journey and they want to integrate behavioral analysis into their defensive measures, what's the best way to begin? First of all, and I, this might sound
Starting point is 00:30:52 flippant or whatever. I honestly don't mean it that way. Like understand like threat modeling is really important and threat modeling doesn't have to be this advanced sort of thing. You don't need a sophisticated team of consultants to come in if you don't have in-house folks. But there's great resources out there. One of them is called the Threat Modeling Manifesto, actually. Start with that. Ask yourself a set of high-quality questions. That starts to encapsulate your risk and starts to prioritize the technical and sort of physical and personnel level controls around your critical assets. So that's sort of step one and two. Then you're going to start to back into your choice of solutions.
Starting point is 00:31:34 And for that, I would say from a behavioral analysis perspective, don't think that machine learning is some fancy panacea. Machine learning is a pragmatic and very required strategic asset for the SOC nowadays, just given the asymmetry of the problem, which heavily favors the adversary. So first of all, accept the idea of machine learning,
Starting point is 00:31:59 but also have a balanced perspective. It's not a panacea. It's not a be-all, end-all. And then take advantage of solutions that can both invoke machine learning and sort of time series intelligence with, you know, extracting behavioral features and artifacts and then bringing them to bear, especially in concert with one another. And this is sort of part three. There are really four, we talk about three pillars, but I added a fourth based on another friend of mine in the analyst community who finally shook me hard enough by the shoulders
Starting point is 00:32:31 to convince me he was right. You know, there's endpoint, which is mandatory. There's a sim, which is mandatory. There's covert, there's sort of network-based analysis, which is mandatory. So those three data sources are the sort of operational points of leverage. And they all nowadays can and should work in concert with one another because each one of us have our own constraints. We work on the network. We don't have a concept of the individual process that's running on in, you know, in memory that we see the behaviors as they, that process presents itself onto the network, but we don't have the call stack, say, of that process. And similarly, with logs, they've got
Starting point is 00:33:12 this sort of systems sense of awareness of itself, and the process is running on it. And that's very, very useful as well. And taken together collectively, it gives you levels of telemetry that are really, really hard to get, especially if you treat them, again, as a sort of one plus one equals three kind of thing. Then lastly, threat intelligence. That's the fourth that I now agree. Threat intelligence is that, look, Sunburst was Exhibit A for the power of the commons and the collective, especially now. And so you can't ignore the power of the commons, get yourself some good threat intel. And so now taken together, you've got
Starting point is 00:33:51 the sort of springboard for a SOC strategy that doesn't have to be complex. You don't have to be like a level four out of five to implement this stuff. You need a couple of capable analysts and some good sysadmin talent to help run the stuff if needed. And now you've got a strategy that is going to really, really set you up and stack the deck in your favor, such as you can. Look, supply chain attacks, and you know this better than I do, David, right? You've been talking about supply chain for a very long time. In fact, I was on about a year ago, and I think I talked about it then. So this one was really, really different, and I'm afraid we're going to end up with this sort of copycat killer model
Starting point is 00:34:36 for some of these more advanced supply chain attacks because this one was just so devastating. And I think that as a vector, if I'm an adversary and I don't have to go through all the trouble of convincing you to click on the link and then elevating my privileges and doing all that sort of scaffolding work ahead of time,
Starting point is 00:34:56 if you can just fast track into a Docker container's supply chain via NPM or whatever, that's got me pretty concerned. And it's a very difficult problem, class of detection problem to solve, frankly, it really is. Our thanks to Bill Yurek of Inspired Hacking Solutions and Ryan Olson of Palo Alto's Unit 42 for sharing their expertise, and for ExtraHop's Matt Cawthorn for providing his insights and for sponsoring this program. CyberWire X is a production of the CyberWire
Starting point is 00:35:33 and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Iben. Our executive editor is Peter Kilby. I'm Dave Bittner. Thanks for listening.