Blog
03.18.2021

Why the SolarWinds Attack Easily Slipped by All EDR/EPP Solutions

EDR/EPP Solutions Were Unable to Identify or Stop the SolarWinds Attack

The SolarWinds attack was a brutal security failure that continues to impact the US government, agencies, and thousands of businesses. To the dismay of many, Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) solutions did not have any role in seeing or stopping the SolarWinds attack whatsoever. As perimeter tools, their preventative steps aimed at stopping attacks at endpoints were completely powerless against the Remote Code Execution (RCE) exploit that was used against SolarWinds and ultimately, its entire supply chain.

EDR/EPP Tools Are Not Enough

EDR/EPP tools failed so abysmally because the attack was multi-layered with strikes levied at applications. The RCE attack took advantage of a vulnerability widely believed to be in the MS Exchange server. It allowed the attackers to orchestrate an invasion of thousands of user systems through the SolarWinds supply chain.

The attack continues to be studied, and analysts have discovered that several different types of malware were used, including some going by the names of SunBurst, SunSpot and SuperNova. They compromised SolarWinds’ Orion Platform and employed a trojanized attack to deposit a backdoor into SolarWinds’ infrastructure.

 

In-Memory Attacks

The backdoor process cleverly involved no trackable file for EDR to detect, but instead placed a URL inside an application. Attacker code ran in memory with nothing calling attention to it that would appear abnormal from the SolarWinds’ routine product function. No part of the attackers’ stealthy steps could be picked up by traditional security tools, including EDR/EPP tools. 

When it comes to applications in these environments, endpoint tools cannot distinguish normal functions from abnormal ones. They cannot look at application behavior or analyze tool files, programs and processes running in memory.

Lack of Visibility 

Enterprises in general and EDR/EPP tools specifically lack visibility into all of these areas, which presents vulnerable blind spots primed for attack. This fatal flaw of application blindness is all too common. All vendor varieties of EDR/EPP tools missed the SolarWinds attack that went on for over a year. It’s a classic case of the wrong tool for a critical job.

This poses a significant problem for enterprises because the SolarWinds attack is just one of many active threats. RCE attacks will continue and numerous common applications, from email applications to authentication systems to performance tools, remain vulnerable.

Virsec customers were protected from the SolarWinds attack. Learn more about the Virsec Security Platform and the importance of application-aware workload protection during runtime at the host, web, and memory layers.

 

Additional Learning

 

Webinar: EPP/EDR Tools Don't Work

Webinar: SolarWinds Post-Mortem Report: Analysis & Action Plan

Webinar: SolarWinds CSI: Recreating the SolarWinds Attack

Download our Technical Brief: Taxonomy of The Attack on SolarWinds and Its Supply Chain