The Solarwinds Breach Highlights the Need for Desired State Enforcement

Solarwinds: Modern Attacks vs Traditional Defenses

The recent Solarwinds hack is the latest headline grabbing 0-day to send shockwaves throughout the information security community. It was a sophisticated supply chain attack that incorporated several forensic countermeasures and impacted a number of large government institutions and private companies. These countermeasures, including mimicking legitimate files, using hostnames that match the victim environment, and using IP addresses in the victim’s country thwarted a number of traditional defenses because traditional blacklisting approaches look for known threat signatures and behaviors. The problem with this approach is that attacks are constantly evolving, meaning your blacklists and detections must evolve and grow at a similar pace. Worse yet, these detections and signatures have to be collected from any number of threat intelligence feeds and third party sources then propagated throughout all of your defenses. 

Rather than base your defenses on how quickly you can learn, why not base it on what you already know? This is the basis for desired state enforcement. It’s much easier and more effective to catalog your own repositories, code, and files and create a dynamic whitelist that automatically updates every time you push code than it is to protect yourself against a constantly changing universe of unknown threats. Once you’ve created this whitelist, you can take a default-deny approach to workload and application protection.

The Solarwinds Attack Chain Disrupts Your Desired State

Why would Desired State Enforcement protect against supply chain attacks when many other approaches fail?

The answer begins with a critical part of the attack chain; in the event of the Solarwinds scenario, for example, a victim installs the trojanized Solarwinds update. Then, after a dormant period of up to two weeks, the Solarwinds SUNBURST backdoor sends some basic host information (username, IP address, OS version) back to a command and control server to determine if the machine is worth exploring. If the attacker thinks that the network is worth exploring, they use the backdoor to download a small dropper known as TEARDROP, which will then download additional tools for post-intrusion activities. 

The download or existence of code from untrusted provenance is the first opportunity for desired state enforcement to event or alert on a deviation from desired state. Any files downloaded would not be in the whitelisted repository of files, functions, and commands and would therefore deviate from your desired state. In the case of Rezilion Enforce, the cloud workload protection platform would then automatically trigger a “File not in Notary” alert.

The Solarwinds malware also used temporary file replacement and task modification to execute various payloads before restoring the legitimate files and restoring the tasks. Desired state enforcement is designed to catch both of these attack techniques. Any temporary files may have the same name as the legitimate files but would have different hashes that haven’t been cataloged, triggering a file hash mismatch alert. The modified tasks would also behave unexpectedly, further alerting users to the attacker’s presence.

Incapacitating Supply Chain Attacks with Rezilion Enforce

Applications are running in production with known and unknown vulnerabilities, and the threats they face are getting increasingly complex. Desired State Enforcement with Rezilion Enforce is a simple autonomous way to protect them with no policies or tuning required. Enforce is fully deterministic; it identifies and sanctions the sources of all code in production and uses those sources to build a whitelist of allowed code, commands, and functions. Once the dynamic whitelist is generated, Enforce agentlessly monitors your environment for any deviations from that whitelist including temporary new files, administrators making changes directly in production, and zero-day attacks. If an unsanctioned file or action is detected, Enforce alerts you and integrates with your IT orchestration tools to safely tear down and bring the asset back to its known good state. This approach allows your developers to continuously push code, and gives your security team a mitigating control against known and unknown vulnerabilities. 

Zero day vulnerabilities are inevitable, the only question is do you have the right tools deployed to give you confidence that your production environment is resilient enough to withstand such a breach. With Rezilion Enforce, you can declaratively say yes. Click here for a free trial and give your security team the peace of mind they deserve.

You are Three Clicks Away from a POC

Rezilion is a true turnkey SaaS solution for your cloud workload headaches.

© 2021 Rezilion. All Rights Reserved.