The Solarwinds Breach Highlights the Need for Desired State Enforcement

The Solarwinds Breach Highlights the Need for Desired State Enforcement

Solarwinds: Modern Attacks vs Traditional Defenses

The recent Solarwinds hack is the latest headline grabbing 0-day to send shockwaves throughout the information security community. It was a sophisticated supply chain attack that incorporated several forensic countermeasures and impacted a number of large government institutions and private companies. These countermeasures, including mimicking legitimate files, using hostnames that match the victim environment, and using IP addresses in the victim’s country thwarted a number of traditional defenses because traditional blacklisting approaches look for known threat signatures and behaviors. The problem with this approach is that attacks are constantly evolving, meaning your blacklists and detections must evolve and grow at a similar pace. Worse yet, these detections and signatures have to be collected from any number of threat intelligence feeds and third party sources then propagated throughout all of your defenses. 

Rather than base your defenses on how quickly you can learn, why not base it on what you already know? This is the basis for desired state enforcement. It’s much easier and more effective to catalog your own repositories, code, and files and create a dynamic whitelist that automatically updates every time you push code than it is to protect yourself against a constantly changing universe of unknown threats. Once you’ve created this whitelist, you can take a default-deny approach to workload and application protection.

The Solarwinds Attack Chain Disrupts Your Desired State

Why would Desired State Enforcement protect against supply chain attacks when many other approaches fail?

The answer begins with a critical part of the attack chain; in the event of the Solarwinds scenario, for example, a victim installs the trojanized Solarwinds update. Then, after a dormant period of up to two weeks, the Solarwinds SUNBURST backdoor sends some basic host information (username, IP address, OS version) back to a command and control server to determine if the machine is worth exploring. If the attacker thinks that the network is worth exploring, they use the backdoor to download a small dropper known as TEARDROP, which will then download additional tools for post-intrusion activities. 

The download or existence of code from untrusted provenance is the first opportunity for desired state enforcement to event or alert on a deviation from desired state. Any files downloaded would not be in the whitelisted repository of files, functions, and commands and would therefore deviate from your desired state. In the case of Rezilion Enforce, the cloud workload protection platform would then automatically trigger a “File not in Notary” alert.

The Solarwinds malware also used temporary file replacement and task modification to execute various payloads before restoring the legitimate files and restoring the tasks. Desired state enforcement is designed to catch both of these attack techniques. Any temporary files may have the same name as the legitimate files but would have different hashes that haven’t been cataloged, triggering a file hash mismatch alert. The modified tasks would also behave unexpectedly, further alerting users to the attacker’s presence.

Incapacitating Supply Chain Attacks with Rezilion Certify

Applications are running in production with known and unknown vulnerabilities, and the threats they face are getting increasingly complex. Desired State Enforcement with Rezilion Certify is a simple autonomous way to protect them with no policies or tuning required. Certify is fully deterministic; it sanctions your pipelines to production and establishes smart gates to ensure only approved code is promoted. Once the smart gates are implemented, Certify agentlessly monitors your environment for any unsanctioned promotions including temporary new files, administrators making changes directly in production, and zero-day attacks. If an unsanctioned file or action is detected, Certify alerts you to investigate and take the appropriate action. This approach allows your developers to continuously push code from trusted repositories.

Zero day vulnerabilities are inevitable, the only question is do you have the right tools deployed to give you confidence that your production environment is resilient enough to withstand such a breach. With Rezilion Certify, you can declaratively say yes. Click here for a free trial and give your security team the peace of mind they deserve.

Reduce your patching efforts by
85% or more in less than 10 minutes