Our Conclusions from the Latest Microsoft Threat Analysis of the December 2020 SolarWinds Attack
“To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.”
The Tier4 Secure team has analyzed Microsoft’s latest analysis of the December SolarWinds attack; here is what we learned.
The tactics, techniques, and procedures (TTPs) highlighted in the Microsoft brief continue to show the need for organizations to implement layered network detection methods.
Our Tier4 Secure leadership team considers the following solutions “must-have” network defenses:
1) File Integrity Monitoring Technology: With file integrity monitoring, network defenders detect an anomalous or altered file on company assets by the file’s cryptographic hash value. Any change to a file’s contents results in a different hash value, indicating that the file on the system differs from the known-good baseline for that operating system.
2) Real-time alerting when logging and security services are disabled.
3) Zero-trust security architecture and design for high-risk systems such as firewalls and other security tools.
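The first must-have above, file integrity monitoring, comes down to a baseline of file hashes and a periodic comparison against it. The following is an added example written for this post, not code from Tier4 Secure or Microsoft; it assumes SHA-256 digests keyed by relative path, builds a constructed directory in a temp folder, and then simulates the kinds of change a defender wants surfaced (a replaced binary, a renamed tool dropped into an existing folder, a deleted config file).

```python
"""Minimal file-integrity baseline/verify routine (added example).

Assumptions (not from the original post): files are hashed with SHA-256,
the baseline is a dict of relative POSIX path -> hex digest, and the
report lists added, removed and modified paths.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Walk `root` and record a digest for every regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree to the baseline.

    Any byte-level change yields a different digest, so a modified or
    replaced binary appears under 'modified'; files dropped into or
    removed from the tree appear under 'added' / 'removed'.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Self-contained demo on a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original binary")
        (root / "config.ini").write_text("loglevel=info\n")
        baseline = build_baseline(root)

        # Constructed tampering: the service binary is replaced, a renamed
        # tool is placed in an existing folder (the blending technique the
        # post describes), and a config file is removed.
        (root / "bin" / "svc.exe").write_bytes(b"replaced binary")
        (root / "bin" / "helper.exe").write_bytes(b"renamed recon tool")
        (root / "config.ini").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host (or signed) so that an attacker with write access to the monitored system cannot simply rebaseline over their changes, and the comparison would be scheduled or driven by filesystem change notifications rather than run on demand.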
Microsoft highlighted several TTPs observed during their forensic investigation into the SolarWinds compromise, including:
1) Tools and binaries used by the attackers (e.g., the legitimate ADFIND tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not limited to files but extended to other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations.
2) Before running intensive and continued hands-on keyboard activity, the attackers disabled event logging using a tool called “AUDITPOL” and then re-enabled it afterward.
3) In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
4) Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
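The second must-have (real-time alerting when logging and security services are disabled) and TTPs 2 through 4 above all leave traces in the Windows Security and System logs: an audit-policy change, a firewall rule that appears and then disappears, a security service entering the stopped state. The following is an added example written for this post, not code from Tier4 Secure or Microsoft. The log lines are constructed; the event IDs are the standard Windows IDs (4719 system audit policy changed, 1102 audit log cleared, 4946/4948 firewall rule added/deleted, 7036 service state change), but the line layout and field names are assumptions for this example, not a real export format. It pairs a "disable" with the later "re-enable" and a rule addition with its later removal, which is the short-lived pattern the Microsoft brief describes.

```python
"""Rule-based alerting over Windows event records (added example).

Log lines below are constructed for this example. Event IDs are the
standard Windows Security/System log IDs; the "timestamp id key=value"
layout is an assumption for the example, not a real export format.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2020-12-14T03:10:02 4719 SubjectUser=svc_backup Category=Logon/Logoff Changes="Success removed"
2020-12-14T03:10:05 4946 RuleName=WindowsUpdateSvc Direction=Outbound Action=Block
2020-12-14T03:10:09 7036 Service="Windows Defender Antivirus Service" State=stopped
2020-12-14T03:41:17 4948 RuleName=WindowsUpdateSvc Direction=Outbound Action=Block
2020-12-14T03:41:20 4719 SubjectUser=svc_backup Category=Logon/Logoff Changes="Success added"
2020-12-14T04:00:00 1102 SubjectUser=svc_backup
2020-12-14T09:00:00 7036 Service="Print Spooler" State=running
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Services whose stop should page someone (assumed list for the example).
WATCHED_SERVICES = {"Windows Defender Antivirus Service", "Windows Event Log", "Sysmon"}


def parse(log: str) -> list[dict]:
    """Turn the constructed text lines into event dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "eid": int(m.group("eid")), **fields})
    return events


def detect(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[str]:
    """Return alert strings; 'HIGH' marks the ones worth paging on.

    Pairs a 4719 'removed' with a later 4719 'added' for the same category,
    and a 4946 rule addition with a 4948 deletion of the same rule, when
    both halves fall inside `window`.
    """
    alerts = []
    disabled_policies = []   # 4719 events that removed auditing, awaiting re-enable
    added_rules = {}         # firewall rule name -> time the rule was added
    for e in events:
        ts, eid = e["ts"], e["eid"]
        if eid == 4719:
            alerts.append(f"{ts} audit policy changed by {e['SubjectUser']}: "
                          f"{e['Category']} {e['Changes']}")
            if "removed" in e["Changes"]:
                disabled_policies.append(e)
            elif "added" in e["Changes"]:
                for prior in disabled_policies:
                    if prior["Category"] == e["Category"] and ts - prior["ts"] <= window:
                        alerts.append(f"{ts} HIGH: auditing for {e['Category']} disabled at "
                                      f"{prior['ts']} and re-enabled (possible activity masking)")
        elif eid == 1102:
            alerts.append(f"{ts} HIGH: audit log cleared by {e['SubjectUser']}")
        elif eid == 7036 and e["State"] == "stopped" and e["Service"] in WATCHED_SERVICES:
            alerts.append(f"{ts} HIGH: security service stopped: {e['Service']}")
        elif eid == 4946:
            added_rules[e["RuleName"]] = ts
            alerts.append(f"{ts} firewall rule added: {e['RuleName']} "
                          f"{e['Direction']} {e['Action']}")
        elif eid == 4948:
            added_at = added_rules.pop(e["RuleName"], None)
            if added_at is not None and ts - added_at <= window:
                alerts.append(f"{ts} HIGH: short-lived firewall rule {e['RuleName']} "
                              f"(added {added_at}, removed now)")
    return alerts


def high_alert_count(log: str) -> int:
    """Convenience: number of HIGH alerts produced for a log."""
    return sum("HIGH" in a for a in detect(parse(log)))


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Running it over the constructed sample yields informational alerts for the policy change and the rule addition, and HIGH alerts for the stopped Defender service, the rule that lived only 31 minutes, the audit category that was switched off and back on, and the cleared log. The pairing logic is what turns individually plausible administrative events into a pattern worth a real-time page, which is the point of the second must-have above.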