What can law firms learn from the SolarWinds cyber hack?


News Article
2 February 2021

Following the global data breach at software company SolarWinds, which took place in March 2020, there are lessons to be learnt from the subsequent investigations which can help protect your law firm from a similar level of threat. In particular, those investigations have highlighted the failure of signature-based tools to detect advanced cyber threats.

Despite the rising number of APTs (Advanced Persistent Threats) and the sophisticated post-exploitation activity which now takes place daily and is almost impossible to predict, signature-based security tools, which rely solely on past data to predict future threats, are still widely used across the sector.

The Impact of the SolarWinds Attack

News of the SolarWinds attack broke around two months ago, reporting that malware had been installed during software updates, affecting nearly all levels of American government, as well as hundreds of private businesses, equating to around 18,000 of the firm’s customers – with the damage so large that it is yet to be quantified.

As investigations continue, it is looking like the damage caused by this attack will be difficult to either detect or undo, and this is consequently causing data-rich organisations to realign their approach to cyber security. The reality of the SolarWinds incident confirms that attackers are now outwitting traditional security measures and are using new and advanced forms of threat which require an updated level of protection.

Law firms large and small are becoming increasingly reliant on cloud-based services, with staff working from dispersed locations and accessing data through a range of often unknown devices. This predicament creates the perfect hunting ground for sophisticated and stealthy cyber-attacks.

How To Keep One Step Ahead of the Attackers

The most shocking elements of the SolarWinds attack are the amount of time it went unnoticed and, put simply, its pervasiveness. Whilst the traditional approach to protecting your systems has been to secure the perimeter of the network and stop anything malicious getting in, once an attacker has infiltrated that perimeter there is often very little in place to detect subsequent anomalous behaviour or to stop it. This is where any security-conscious organisation has an opportunity to improve.

Having recently partnered with leading Cyber AI specialists Darktrace, we have seen some interesting evidence showing how their self-learning security platform has detected the types of behaviour related to the SolarWinds breach. In his recent blog, Max Heinemeyer, Director of Threat Hunting at Darktrace, provides examples of anomalous activity, equivalent to that which successfully infiltrated American government systems in the SolarWinds attack, which Darktrace's Enterprise Immune System detected for its clients.

Whilst signature-based tools look at historical data to predict the next threat, Darktrace's Cyber AI works in real time, tracking activity patterns across all devices present on your network rather than matching against already-known malicious signatures. Any unusual activity which does not fit the normal 'pattern of life' within that enterprise is therefore detected and locked until further investigation has been carried out.

Offering visibility of your entire network through a single interface, Darktrace's AI technology automatically clusters devices into peer groups, allowing it to detect an individual device behaving unusually as it happens. This self-learning approach acts as an immune system would, tracking down any infection that a signature-based solution is unable to detect.

Why Is The Post-Exploitation Stage So Harmful?

The post-exploitation stage of the attack is much more unpredictable and stealthy, as it is driven by the attacker's bespoke intentions for the victim being targeted. At this stage there is therefore no pre-defined threat that can be distinguished, which makes signature-based tools and threat intelligence almost worthless.

Max goes on to highlight in his blog some examples of anomalous and threatening behaviour taking place on a customer's network, including post-infection activities which the attacker would have used to evade a signature-based tool had Darktrace's AI technology not been in place. Darktrace's Cyber AI Analyst went on to alert the client's security team to these abnormal changes within the network and provided clear evidence of what was taking place so that relevant action could be taken.

How To Stop An Attacker Evading Your Security Measures

By understanding where credentials are used and which devices talk to each other, Cyber AI has an unprecedented and dynamic understanding of business systems. This empowers it to alert security teams to enterprise changes that could indicate cyber risk in real time.

As the evidence in Max's recent blog demonstrates, attackers have developed a range of techniques to evade traditional security tools, techniques which would otherwise have gone undetected. These include: setting hostnames to match a legitimate hostname in the victim's environment, allowing the attacker to blend in without suspicion; using C2 servers in geo-political proximity to those of their victims, thus circumventing geo-political trust lists; moving laterally using multiple credentials which were different from those used for remote access; and applying a temporary file replacement or task modification technique to execute their payload.

Figure 1 below illustrates how Darktrace flags this anomalous activity before any damage is caused, alerting security teams to concerning behaviour as it takes place:

Figure 1: Example breach event log showing anomalous (new) logins from a single device, with multiple user credentials

These alerts demonstrate how AI learns ‘normal’ for the unique digital environment surrounding it, and then alerts operators to deviations, including those that are directly relevant to the SUNBURST compromise. It further provides insights into how the attacker exploited those networks that did not have the appropriate visibility and detection capabilities.
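To make the 'pattern of life' idea concrete, here is an added example of the kind of check behind the Figure 1 alert and the lateral-movement technique described above (one device authenticating with several credentials it has never used before). This is illustrative code written for this article, not Darktrace's own detection logic: the key=value log format, the device and account names, the static peer grouping and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Toy 'pattern of life' login detector (added example, not Darktrace code).

Learns which accounts each device normally authenticates with, compares each
device against its peer group, then flags devices that suddenly use several
never-before-seen credentials. Log format, names and thresholds are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines in an assumed "day src=... user=... dst=..." format.
TRAINING_LOG = """
2021-01-04 src=ws-alice user=alice dst=fs-01
2021-01-04 src=ws-bob user=bob dst=fs-01
2021-01-04 src=ws-carol user=carol dst=fs-01
2021-01-04 src=jump-01 user=admin-1 dst=dc-01
2021-01-05 src=ws-alice user=alice dst=mail-01
2021-01-05 src=ws-bob user=bob dst=fs-01
2021-01-05 src=jump-01 user=admin-2 dst=dc-01
2021-01-06 src=jump-01 user=svc-backup dst=fs-01
2021-01-06 src=ws-carol user=carol dst=mail-01
""".strip()

DETECTION_LOG = """
2021-01-11 src=ws-alice user=alice dst=fs-01
2021-01-11 src=ws-alice user=bob dst=fs-01
2021-01-11 src=ws-alice user=carol dst=mail-01
2021-01-11 src=ws-alice user=svc-backup dst=dc-01
2021-01-11 src=ws-carol user=carol dst=fs-01
2021-01-11 src=ws-carol user=dave dst=fs-01
2021-01-11 src=jump-01 user=admin-1 dst=dc-01
2021-01-11 src=jump-01 user=admin-3 dst=dc-01
""".strip()

# Assumed static peer grouping; the article describes this being learnt automatically.
PEER_GROUP = {"ws-alice": "workstation", "ws-bob": "workstation",
              "ws-carol": "workstation", "jump-01": "admin"}

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) dst=(\S+)$")


def parse_log(text):
    """Parse the assumed log format into (day, device, user, target) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groups())
    return events


def build_baseline(events):
    """Per-device set of accounts seen during the learning window."""
    baseline = defaultdict(set)
    for _day, device, user, _target in events:
        baseline[device].add(user)
    return baseline


def peer_norms(baseline, peer_group):
    """Largest number of distinct accounts any member of each peer group used."""
    norms = defaultdict(int)
    for device, users in baseline.items():
        group = peer_group.get(device, "unknown")
        norms[group] = max(norms[group], len(users))
    return norms


@dataclass
class Alert:
    device: str
    new_users: set
    distinct_users: int
    peer_max: int


def detect_credential_sprawl(baseline, events, peer_group, min_new=2):
    """Flag devices that use at least `min_new` never-before-seen accounts AND
    more distinct accounts than any peer did during learning. Requiring both
    keeps a single new account (a new starter, say) from raising an alert."""
    norms = peer_norms(baseline, peer_group)
    seen = defaultdict(set)
    for _day, device, user, _target in events:
        seen[device].add(user)
    alerts = []
    for device, users in sorted(seen.items()):
        new_users = users - baseline.get(device, set())
        peer_max = norms[peer_group.get(device, "unknown")]
        if len(new_users) >= min_new and len(users) > peer_max:
            alerts.append(Alert(device, new_users, len(users), peer_max))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(TRAINING_LOG))
    for alert in detect_credential_sprawl(base, parse_log(DETECTION_LOG), PEER_GROUP):
        print(f"ALERT {alert.device}: {len(alert.new_users)} new credentials "
              f"{sorted(alert.new_users)}, {alert.distinct_users} distinct vs "
              f"peer maximum {alert.peer_max}")
```

Run against the constructed data, only ws-alice is raised: it logs in with three accounts it had never used (including a service account normally seen only from the admin jump host), far above the one-account norm of its workstation peers. The jump host using one new admin account and ws-carol using one new account both stay quiet, which is the point of judging each device against its own history and its peers rather than against a fixed signature.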

On top of these alerts, Cyber AI Analyst also automatically correlates these detections over time to identify patterns, generating comprehensive and intuitive incident summaries and significantly reducing triage time.