Blue Hexagon Blog

SolarWinds Breach: Are sandboxes and signature-based tools still effective?

Over the weekend you may have read about the massive global intrusion campaign perpetrated by the nation-state group APT29 targeting thousands of enterprises and government entities in the US. This attack delivered a previously unseen malware (Sunburst) through a trusted software update source. This advanced supply-chain attack evaded all the traditional security defenses — next-generation firewalls, sandboxes, and signature-based security — and had been exfiltrating data for several months without detection.

This is undeniable evidence of why signatures and sandboxes are completely ineffective against advanced attacks. Here are five major reasons why:

  1. Delayed execution for 12–14 days: No sandbox in the world will wait that long to observe the malicious runtime behavior.
  2. Domain resolution to a private IP (e.g. in a sandbox): If domain resolution returned a private IP address (as it typically does inside a sandbox), the malware refused to exhibit its malicious runtime behavior.
  3. Missing domain membership: If the sandbox machine was not joined to a domain, the malware refused to exhibit its malicious runtime behavior.
  4. Attack/exploit variants: Every customer targeted saw a different style of post-infection attack, so sharing threat-intel signatures did not help.
  5. Multi-stage attack: Advanced attacks combine malware (as the initial payload) with malicious actions over the network (privilege escalation, command and control, exfiltration) to achieve their objectives. A holistic approach that detects both the initial malware and its subsequent manifestations is needed.
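As an added example from the defender's side (not Blue Hexagon's code), the Python audit below checks whether an analysis environment's DNS answers would trip condition 2 above: a name that resolves to private, loopback or link-local space tells a sample it is in a lab rather than a real network. The resolver, probe names and addresses are constructed stand-ins; a real audit would query the sandbox VM's own resolver.

```python
import ipaddress
from typing import Callable, Dict, List

# Ranges whose appearance in a DNS answer would tell a Sunburst-style check
# that it is running in a lab rather than a real enterprise network.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
)]

# Constructed resolver answers standing in for an analysis VM's DNS.
# Names and addresses are illustrative only.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "update.example-vendor.test": ["10.0.0.5"],       # sinkholed to private space
    "cdn.example-vendor.test": ["203.0.113.10"],      # looks like a public host
    "unknown.example.test": [],                       # no answer at all
}

def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])

def is_lab_address(addr: str) -> bool:
    """True if the address lies in a range a real external host never uses."""
    ip = ipaddress.ip_address(addr)
    # Membership across IP versions is simply False, so mixed lists are fine.
    return any(ip in net for net in LAB_NETWORKS)

def audit_resolution(resolver: Callable[[str], List[str]],
                     names: List[str]) -> Dict[str, List[str]]:
    """Resolve each probe name; return name -> answers that expose the lab.

    An empty dict means no probe exposed the environment. Empty answers are
    reported as well, since they also differ from what a real host would see.
    """
    findings: Dict[str, List[str]] = {}
    for name in names:
        answers = resolver(name)
        if not answers:
            findings[name] = ["no answer"]
            continue
        offending = []
        for a in answers:
            try:
                if is_lab_address(a):
                    offending.append(a)
            except ValueError:            # resolver returned something odd
                offending.append(f"unparseable:{a}")
        if offending:
            findings[name] = offending
    return findings
```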

So, what can you do now? I highly recommend immediately bolstering your cloud and network defenses with a network detection and response (NDR) solution that does not depend on signatures or threat-intelligence feeds, nor on a priori knowledge of IOCs such as domains, IPs, or hashes, all of which can be easily modified.

At Blue Hexagon, the AI-Security team built the first real-time deep learning platform that needs no specific signatures and does not depend on prior knowledge of IOCs such as domains, IPs, or hashes, all of which can be easily modified. It can also detect a breadth of MITRE-codified reconnaissance and post-compromise actions without requiring agents or wading through copious post-event SIEM logs. The “generalizability” of this advanced threat detection technique captures the essence of any evasive malicious code as it streams into your network, be it over trusted channels or the wide-open Internet.

If you are still not convinced, feel free to reach out to me and I will do my best to provide you with more evidence. In the meantime, if you want to look at independent test-lab results comparing deep learning effectiveness against signature-based and sandbox detection, here’s a link to a free third-party report from Miercom.

Lastly, I want to share the excellent information that Jacob Williams of SANS Institute provided in his webcast. He had the following recommendations that you should find useful if your organization is impacted by this breach:

(All image copyrights belong to the respective owners. These are reproduced here for educational purposes)


I hope you found this information useful and that it helps you defend your organization better. Please reach out to me if I can be of further assistance to you in any way.

This post was also published in our Medium publication, Deep Learning for Cybersecurity.
