Lessons Learned from the SolarWinds SUNBURST Attack

Should We Prioritize Detection or Prevention? The XM Factor Is Needed.

In 1736, Benjamin Franklin famously advised fire-threatened Philadelphians that “An ounce of prevention is worth a pound of cure.”

When considering the recent SolarWinds SUNBURST backdoor attack, which impacted a reported 18,000 United States government agencies and myriad large global corporations, this proverb holds sound and true.

What Is a Supply Chain Attack?

The SolarWinds SUNBURST attack was a supply chain attack, where products, services or technology supplied by a vendor to a customer are breached and compromised. This type of attack introduces a risk to the vendor’s install base of clients.

Summary of the Recent Attack Against SolarWinds

In the SolarWinds attack, the hackers executed an attack that exploited a vulnerability in supply chain for management software created by a company called SolarWinds. That software, which is called Orion, is widely used by Fortune 500 companies and government agencies, and international companies. Hackers compromised SolarWinds’ software and inserted their own malicious malware (called Sunburst), which then pushed out as a regular update to Orion.

To increase their odds of success, the hackers used a variety of stealthy, novel techniques, including the purchase of abandoned internet domains. The attackers also ensured the component that contained Sunburst was code-signed with the correct SolarWinds certificate, which helped make the DLL appear to be legitimate and free of suspicious scripts.

Security analysts are still poring over the incident, which seems likely to keep them busy for months to come. Early indications are that the attack was planned for at least four years and was primarily espionage-focused, with hackers targeting a relatively small number of the 18,000 victimized entities for detailed operations.

Evolving Threat Landscape Is Looming

This latest attack arrives against a backdrop of larger cyberattack developments that are concerning enough to send a shiver down the spine of defenders. Not only are state-sponsored attacks becoming more prevalent, sophisticated, and damaging, the threat from so-called Private Sector Offensive Actors (PSOA) also is growing. If state-sponsored hackers can be thought of as conventional soldiers, PSOA are more akin to contractors or mercenaries. Nation-states — flush with cash but not always flush with top cybersecurity talent — can lean on PSOA to support their efforts.

Certain sectors are especially vulnerable. According to Microsoft, 44 percent of attack victims work in the information security space, while another 36 percent fall either in the government or think tank/NGO category, which makes them the three most at-risk targets by a wide margin.

Detect or Prevent? Reactive or Proactive?

We need to employ both tactics, detection and prevention, but we have arrived at a point in time when these dual strategies are not enough to address the ever-evolving threat model. Adversaries are always ahead of the curve, and this recent supply chain attack proves it yet again. Let’s explore the technologies currently in use.


Existing cybersecurity industry best practices call for endpoint detection and response (EDR), network detection and response (NDR), and identity management tools. These tools are deployed to assist MDRs or in-house SOC teams to detect lateral movement and abnormal activities in an organization’s credentials management system.

In addition, experts recommend an exploration of contextual user behavior analytics to detect non-standard access behavior to servers.

Prevention: Background of the SolarWinds Attack

Let’s examine the SolarWinds attack in a bit more detail. First, as described earlier, according to FireEye analysis, the cyberattackers implemented updates to the SolarWinds.Orion.Core.BusinessLayer.dll components. These trojan updates were digitally signed as early as March 2020 and posted on the SolarWinds updates website. After the launch of the malicious update, the malware remained dormant for seven to 14 days; then it “woke up” and attempted to resolve a subdomain of the avsvmcloud[.]com. The DNS response eventually led to the establishment of C2 traffic that mimicked standard SolarWinds API communications protocol.

Now, any network security with signatures or threat intelligence feeds, including firewalls, secure web gateways, intrusion detection and prevention systems, could detect and stop the SUNBURST C2 communication. This is the result of network detection and response systems as well as DNS security.

Finally, this was implemented in December, nine long months after the attack commenced. Obviously, it’s impossible to determine how much data was infiltrated until the proverbial barn doors were finally closed.

A quick glance at this sequence of events proves that although detection and prevention systems are important and organizations should deploy a healthy mix of these, this architecture still does not give the peace of mind knowing that business-sensitive systems are secured from a potential breach.

Networks are in a constant state of breach and we need to deal with it effectively.

We can easily add more layers of detection and prevention, but this latest SolarWinds attack proves that we need to recalculate our path. We need to find the right way to mitigate the risks of a cyber-attack aiming at the organization’s critical business assets.

XM Factor is Needed

Every organization needs to be able to easily answer one simple question – are our critical business-assets, our “crown jewels,” secured or not?

At XM Cyber, our roots include a deep understanding of how an adversary thinks, the techniques and tools attackers use, and all the tactics they are likely to employ to reach your organization’s “crown jewels.”

The XM Cyber “assumed-breached philosophy” and derived solution platform helps the security and IT operation teams to continuously achieve the highest possible security posture and operational efficiency by focusing and remediating the critical exposures risking business-sensitive systems.

Our Attack-Centric platform continuously identifies new exposures and attack vectors, prioritizes the cyber risks that affect business-sensitive systems, and provides context-sensitive least-effort remediation options.

We cement this understanding into the core of our XM Cyber Platform for hybrid cloud environments. Organizations can rely on our ability to easily answer the very simple question:

Are your critical business assets secured — or not? You need XM Cyber to help you see your system through the eyes of a hacker and resolve prioritized security exposures before they can be exploited.

Shaul Efraim is Senior Vice President Marketing, XM Cyber


Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.