Stopping Malware by Continuously Measuring and Validating the Full Stack Security Posture

Welcome back to our ongoing retrospective blog series on the two year anniversary of the SolarWinds attack. In part one, we broke down how Cozy Bear used SUNBURST malware to steal privileged credentials and used them to access SolarWinds’s trusted SAML token signing certificate inside their network. Equipped with the SAML certificate, the threat actors signed falsified authentication tokens, granting themselves unfettered access to the SolarWinds networks for over nine months without raising suspicions.

Note that we address the SolarWinds breach, identify tactics and techniques leveraged in the attack, and review the four core cybersecurity innovations that Gradient Cybersecurity Mesh uses to eliminate them in depth in our Whitepaper: “Securing Digital Infrastructure Against the Next SolarWinds Attack.”

Part Two: Cozy Bear Cozies Up to the SolarWinds Networks

The SolarWinds attack was made possible in part by the fact that the original malware was able to install a malicious executable file on the virtual machine used to build product software releases — and the security features of the build environment failed to detect the malicious file installation.

EDR alone isn’t sufficient in this case: these tools can’t see, let alone protect against, changes to the integrity of firmware and the other lower layers of the stack. It’s therefore critical to augment those approaches with one that includes a comprehensive measurement check of the boot codebase and boot process.

A comprehensive measurement check of the codebase on boot would have quickly revealed the modification to the platform and effectively stopped the attack right then and there. Without such a check, the malicious actors were able to operate undetected inside the network for nine months. And even then, they left prior to detection.

However, the SolarWinds breach isn’t unique in this particular point of failure. In fact, Microsoft estimates that 83% of organizations have fallen victim to such firmware compromise over a two-year period. The need to secure low-level firmware is such an issue that the National Security Agency (NSA) recommends that computers be replaced every three years just to ensure that what low-level firmware security exists is still maintained by the vendor.

Keep Your Hardware (Virtual or Physical) — Get Gradient Cybersecurity Mesh Full-Stack Attestation

At Gradient, we recognize that trashing your organization’s hardware every few years isn’t viable for most organizations – and isn’t a particularly effective solution besides. That’s why we’ve created our second Gradient Cybersecurity Mesh innovation – Remote Attestation.

With Remote Attestation, Gradient Security Mesh enables the kind of comprehensive, continuous validation of low level software components necessary to finally put an end to SolarWinds-style compromises. We must protect low-level software components from compromise to ensure that other defenses, like Endpoint Detection and Response (EDR) tools, remain viable — just one of the ways in which GCM is greater than the sum of its parts. This secure, remote measurement — Remote Attestation — is the lynchpin at the center of the Gradient Security Mesh solution.

How Gradient Keeps the New Identity Perimeter Secure

Gradient Security Mesh’s Remote Attestation capabilities utilize decentralized, lightweight software agents to continually measure the full-stack security “fingerprint” of a device, environment, and user, making each layer of the stack — from the lowest levels of firmware to the integrity of virtual machines and even system memory when possible — integrate into a single, unified identity.

Under such an architecture, rather than being simply additive, each additional layer in the fingerprint acts as a force multiplier for security — making the validation process of remote attestation a force to be reckoned with.
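To make the layered-fingerprint idea concrete, here is an added illustrative model (not Gradient’s code, and not a description of its implementation) that folds per-layer measurements into one composite register using TPM-style extend chaining, an assumption of this example. The layer names and image contents are constructed stand-ins; the verifier shows how a single unexpected file in the build-VM layer changes the composite and how the per-layer digests pinpoint which layer drifted.

```python
import hashlib
from typing import Dict, List, Tuple

# Ordered layers of the stack, lowest first. Names are illustrative only.
LAYERS = ["firmware", "bootloader", "kernel", "hypervisor", "build_vm_image"]


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: new = H(old || H(measurement)). One-way and order-sensitive,
    # so a higher layer cannot "undo" a change made to a lower one.
    return digest(register + digest(measurement))


def fingerprint(stack: Dict[str, bytes]) -> Tuple[str, Dict[str, str]]:
    """Measure each layer in boot order and fold it into one register.
    Returns (composite hex, per-layer digest hex)."""
    register = bytes(32)  # register starts zeroed, as a TPM PCR does
    per_layer: Dict[str, str] = {}
    for name in LAYERS:
        per_layer[name] = digest(stack[name]).hex()
        register = extend(register, stack[name])
    return register.hex(), per_layer


def verify(observed: Dict[str, bytes], golden_composite: str,
           golden_layers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare a device's measured stack against the known-good baseline."""
    composite, layers = fingerprint(observed)
    mismatched = [n for n in LAYERS if layers[n] != golden_layers[n]]
    return composite == golden_composite, mismatched


# Constructed sample contents standing in for the real images.
KNOWN_GOOD = {
    "firmware": b"UEFI v1.0 vendor image",
    "bootloader": b"shim+grub",
    "kernel": b"linux 5.x build",
    "hypervisor": b"hv 2.3",
    "build_vm_image": b"build-agent files: compiler, msbuild, signing-tool",
}
GOLDEN_COMPOSITE, GOLDEN_LAYERS = fingerprint(KNOWN_GOOD)


def tampered_build_vm() -> Dict[str, bytes]:
    # Same stack, but one extra executable has been dropped into the build VM.
    stack = dict(KNOWN_GOOD)
    stack["build_vm_image"] = KNOWN_GOOD["build_vm_image"] + b", unexpected.exe"
    return stack


if __name__ == "__main__":
    ok, bad = verify(tampered_build_vm(), GOLDEN_COMPOSITE, GOLDEN_LAYERS)
    print("attestation passed:", ok, "mismatched layers:", bad)
```

In practice the golden values come from a trusted baseline and the measurements from a hardware root of trust; the point here is that any change in any layer alters the composite, while the per-layer digests tell the responder where to look.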