ExtraHop reveals methods used by attackers in SUNBURST breach

15 Feb 2021

In the wake of the discovery of the SolarWinds SUNBURST breach, ExtraHop has released a report detailing the specific methods used by cyber-criminals involved in the incident to evade detection. 

The network detection and response company says between late March and early October 2020, detections of probable malicious activity increased by approximately 150%, including detections of lateral movement, privilege escalation and command and control beaconing.

The use of these tactics meant that more traditional detection methods, such as endpoint detection and response (EDR) and antivirus, were less effective. According to ExtraHop, attackers evaded these controls either by disabling them or by adjusting their approach before they could be detected.

“Unfortunately, what we found when investigating SUNBURST is that the activity was actually detected on the network,” says ExtraHop deputy CISO Jeff Costlow.

“But because other detection methods weren’t alerting on the activity, it largely went ignored. In this case, the attack was strategically designed to evade those detections, and we can expect more similar attacks to follow. It’s an important reminder that the network doesn’t lie.”

In its report, ExtraHop also revealed that significant increases in ‘suspicious’ network activity went largely unnoticed due to SolarWinds’ privileged and trusted status within the IT environment.

The report also found that many ExtraHop customers investigated and remediated the exploit within their own environments. The case studies include details on how customers were able to use historical metrics to determine the duration of the compromise, as well as which systems and data may have been impacted.

As part of the report, ExtraHop also released an expanded list of over 1,700 SUNBURST indicators of compromise (IOCs) as observed across affected environments protected by Reveal(x), critical information that can help organisations determine if and to what extent they’ve been compromised.

The report follows a significant announcement from ExtraHop: the opening of the company’s newest data centre facilities in Sydney, a move the company says was motivated by its desire to host its security offering locally.

“Organisations around the world are rethinking their approach to security as advanced threats like APTs and software supply chain attacks take a financial and reputational toll,” says ExtraHop Asia Pacific and Japan vice president David Sajoto.

He says the company provides machine learning-backed detection and response capabilities. These are delivered through ExtraHop Reveal(x) 360.

“[Our] commitment includes investing in the markets we serve to ensure that our customers have access to high-availability, low-latency security capabilities that meet local standards for data sovereignty and protection. This investment affirms our commitment to the region and our customers.”
