SECURITY.COM

How SES Complete Can Protect Against Sophisticated Attacks Such As Sunburst
About the Author · 2020-12-23 · via SECURITY.COM

We expect most security conversations for the next several months, at least, to be around the Sunburst/SolarWinds attack. Former homeland security advisor Thomas Bossert has said, “The magnitude of this ongoing attack is hard to overstate.” Through a supply chain attack, 18,000 SolarWinds customers had their networks breached, including 100 Symantec customers. At this time only a small number of the 18,000 have had an active attacker in their networks, but all are compromised.

Symantec has notified our affected customers and published detailed information on the attack and its techniques. Protection has been put in place. But it’s natural to ask: what can Symantec’s products do to protect me from this and similar attacks? It’s a conversation we would love to have.

Symantec Endpoint Security Complete (SESC) was specifically created to help protect against this type of attack. Many vendors, Symantec included, offer EDR to help find intrusions, but EDR alone leaves gaps. We call these gaps blind spots, and SESC includes technologies designed to eliminate them.

Symantec Endpoint Security Complete addresses these blind spots in three ways: it identifies and stops reconnaissance early in the attack chain; it preemptively reduces the attack surface to prevent living off the land (LotL) attacks; and it enhances EDR with expertise from Symantec Threat Hunters, who understand the subtle signals attackers emit even when they are trying to be stealthy. The three major ways SESC addresses these blind spots are:

  • Threat Defense for Active Directory identifies and stops the reconnaissance used by Sunburst and other sophisticated attackers. It disrupts the domain reconnaissance LDAP queries made by the adversary and obfuscates all domain assets and admins, denying the attacker the ability to perform lateral movement undetected. SES Complete is the only endpoint security solution today that provides these additional layers of protection in the post-exploitation phase, protecting Active Directory regardless of the tools the adversary is using.
  • Behavioral Isolation proactively eliminates the attack pathways used in the Sunburst attack. The use of trusted processes as part of the attack chain has become more common and is referred to as living off the land. Defenders are often handcuffed because legitimate software can’t simply be blocked. Behavioral Isolation, however, can prevent legitimate tools from being used as part of the attack chain: it identifies and blocks abuse of trusted processes, breaking the attack chain and raising awareness of a potential attack.
  • Threat Hunter gives a SOC the global context needed to recognize unknown threats. Symantec’s Threat Hunter team provides in-product alerts and notifications of high-profile incidents. SESC customers received such an alert on the Sunburst intrusion, verified by a Symantec Threat Hunter.

Downloading a malicious trojan as the result of a sophisticated supply chain attack, as in the case of Sunburst, is nearly impossible to prevent. But the tools associated with the Sunburst attacks are detected and blocked on machines running Symantec Endpoint products, and SESC protected against these threats as described above. There are many other ways we protect against Sunburst; more to come on that.

There is one more important detail. Like other sophisticated attacks, Sunburst looks for certain endpoint security agents and tools running on a machine and attempts to disable them. For example, Sunburst attempts to deactivate the CrowdStrike Falcon sensor. Once an agent is disabled, any further malicious activity will not be detected or prevented. This is bad guys 101. Other security vendors appear to have been slow to catch on to this; many are new to the game and still learning. The whole family of Symantec Endpoint Security products uses proprietary technology that prevents and alerts on such tampering. This was not an issue for our customers.

Symantec Endpoint Security Complete offers a comprehensive, layered approach to securing your endpoints, eliminating the blind spots left by the traditional approach of using only EPP and EDR. We look forward to sharing more of the details with you.