How SES Complete Can Protect Against Sophisticated Attacks Such As Sunburst
2020-12-23 · via SECURITY.COM

We expect most security conversations for at least the next several months to revolve around the Sunburst/SolarWinds attack. Former homeland security advisor Thomas Bossert has said, "The magnitude of this ongoing attack is hard to overstate." Through a supply chain attack on SolarWinds' software, some 18,000 SolarWinds customers had their networks breached, among them about 100 Symantec customers. So far only a small number of those 18,000 are known to have had an active attacker operating in their networks, but all of them are compromised: the trojanized software is installed and the backdoor is in place.

Symantec has notified affected customers and published detailed information on the attack and the techniques it uses, and protections are in place. Still, it is natural to ask what Symantec's products can do to protect against this and similar attacks. That is a conversation we would like to have.

Symantec Endpoint Security Complete (SESC) was built specifically to help protect against this type of attack. Many vendors, Symantec included, offer EDR to help find intrusions, but EDR alone leaves gaps. We call these gaps blind spots, and SESC includes technologies designed to close them.

SESC addresses these blind spots in three ways: by identifying and stopping reconnaissance early in the attack chain, by pre-emptively reducing the attack surface to prevent living-off-the-land (LotL) attacks, and by augmenting EDR with the expertise of Symantec Threat Hunters, who understand the subtle signals attackers emit even when they are trying to be stealthy. In more detail:

  • Threat Defense for Active Directory identifies and stops the reconnaissance used by Sunburst and other sophisticated attackers. It disrupts the domain reconnaissance LDAP queries an adversary makes and obfuscates the domain's assets and administrators, denying the attacker the ability to move laterally undetected. SES Complete is the only endpoint security solution today that adds these layers of protection in the post-exploitation phase, protecting Active Directory regardless of the tools the adversary uses.
  • Behavioral Isolation proactively eliminates the attack pathways used in the Sunburst attack. Using trusted processes as part of an attack chain has become common and is referred to as living off the land. Defenders are often handcuffed because legitimate software cannot simply be blocked. Behavioral Isolation identifies and blocks the abuse of trusted processes, which breaks the attack chain and raises an alert about a potential attack without blocking the legitimate tool itself.
  • Threat Hunter gives a SOC the global context needed to recognize unknown threats. Symantec's Threat Hunter team delivers in-product alerts and notifications of high-profile incidents; SESC customers received such an alert on the Sunburst intrusion, verified by a Symantec Threat Hunter.
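To make the "abuse of trusted processes" signal concrete, here is an added example of detection logic written for this page; it is not Symantec product code and does not describe how Behavioral Isolation works internally. It models process-creation events the way a SIEM normalises Sysmon Event ID 1 or Windows Security Event 4688, applies two rules (a trusted parent spawning a child outside its profile, and a Windows LOLBin invoked with a command line that signals abuse), and runs them over constructed sample events. The field names, the profiled parent names such as MonitoringHost.exe, and the allowlists are assumptions made for the illustration.

```python
"""Living-off-the-land (LotL) detection over process-creation telemetry.

Added illustration, not Symantec code. Field names, profiled process names
and allowlists are assumptions; the sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    cmdline: str


# Lineage profile: which children a trusted parent is expected to spawn.
# An empty set means "profiled as never spawning children". These entries are
# assumptions for the example; a real profile is learned from a fleet baseline.
ALLOWED_CHILDREN = {
    "monitoringhost.exe": {"conhost.exe", "wmic.exe"},        # hypothetical agent host
    "services.exe": {"svchost.exe", "spoolsv.exe", "msiexec.exe"},
    "wmiprvse.exe": set(),                                     # assumed: no children here
}

# Trusted Windows binaries attackers reuse (LOLBins), with command-line
# patterns that distinguish abuse from routine use.
LOLBIN_PATTERNS = {
    "powershell.exe": re.compile(
        r"(-enc(odedcommand)?\s|downloadstring|invoke-expression|\biex\b|-nop\b.*-w\s+hidden)",
        re.I),
    "rundll32.exe": re.compile(r"(\\temp\\|\\appdata\\|javascript:|\.(txt|png|jpg|log)\b)", re.I),
    "certutil.exe": re.compile(r"(-urlcache|-decode)", re.I),
    "mshta.exe": re.compile(r"(https?://|vbscript:|javascript:)", re.I),
    "wmic.exe": re.compile(r"process\s+call\s+create", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one event; an empty list means benign."""
    findings = []
    parent, image = basename(ev.parent_image), basename(ev.image)

    # Rule 1: a profiled trusted parent spawned something outside its profile.
    # Unprofiled parents never fire this rule, so it is only as complete as the
    # baseline behind it; that gap is exactly the blind spot to keep in mind.
    allowed = ALLOWED_CHILDREN.get(parent)
    if allowed is not None and image not in allowed:
        findings.append(("lineage", f"{parent} spawned unexpected child {image}"))

    # Rule 2: a LOLBin invoked with an abuse pattern on its command line.
    pattern = LOLBIN_PATTERNS.get(image)
    if pattern is not None:
        m = pattern.search(ev.cmdline)
        if m:
            findings.append(("lolbin", f"{image} invoked with {m.group(0)!r}"))
    return findings


def scan(events) -> list[tuple[str, str, str]]:
    """Run every event through the rules; returns (host, rule, detail) triples."""
    return [(ev.host, rule, detail) for ev in events for rule, detail in evaluate(ev)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Monitoring\MonitoringHost.exe",
              r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
    ProcEvent("ws01", r"C:\Program Files\Monitoring\MonitoringHost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.txt,Start"),
    ProcEvent("ws02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p"),
    ProcEvent("ws03", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami /all"),
]

if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{host}: [{rule}] {detail}")
```

Run stand-alone, the sample produces four findings: two for the PowerShell child of the monitoring host (unexpected lineage plus a hidden, encoded command line), one for rundll32 loading a payload from a user's Temp directory, and one for WmiPrvSE spawning cmd. The conhost and svchost events are benign. Note what the lineage rule cannot see: explorer.exe is not profiled, so only the command-line rule caught the rundll32 case; a product that blocks the behaviour at the endpoint does not depend on the analyst having profiled that parent in advance.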

Preventing the download of a malicious trojan delivered through a sophisticated supply chain attack, as in the case of Sunburst, is nearly impossible. But the tools associated with the Sunburst attacks are detected and blocked on machines running Symantec Endpoint products, and SESC protects against the post-compromise activity described above. There are many other ways we protect against Sunburst; more on that to come.

There is one more important detail. Like other sophisticated attacks, Sunburst looks for specific endpoint security agents and tools running on a machine and attempts to disable them; for example, it attempts to deactivate the CrowdStrike Falcon sensor. Once an agent is disabled, nothing the malware does afterwards will be detected or prevented. This is attacker basics. Other security vendors appear to have been slow to catch on; many are new to the game and still learning. The whole Symantec Endpoint Security product family uses proprietary technology that prevents and alerts on such tampering, so this was not an issue for our customers.
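Whatever the agent's own tamper protection does, a SOC can also watch for the symptom in Windows Service Control Manager events. The following is an added example written for this page, not Symantec's tamper-protection logic: it parses a constructed text export of SCM Event ID 7040 (start type changed) and 7036 (service state changed) lines, flags a watched security service whose start type becomes "disabled", and escalates when the same service then stops within a short window, which is the sequence an agent-killing payload leaves behind, whereas a lone stop is routine during agent upgrades. The line layout and the watched-service keywords are assumptions.

```python
"""Flag tampering with endpoint security agents from SCM events.

Added illustration, not Symantec product logic. Input lines are a constructed
export shaped '<ISO-8601 UTC> <host> <event id> <message>'; the message texts
follow the wording Windows uses for SCM Event IDs 7040 and 7036. The watched
service keywords are assumptions for the example.
"""
import re
from datetime import datetime, timedelta

# Lower-case substrings identifying security agent services worth watching.
# Assumed here; take the real list from your own agent inventory.
WATCHED_KEYWORDS = ("falcon", "defender antivirus", "symantec endpoint", "carbon black")

RE_7040 = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.$")
RE_7036 = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")


def parse_line(line):
    """Split one export line into (timestamp, host, event id, message)."""
    ts, host, event_id, message = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, int(event_id), message


def is_watched(service):
    name = service.lower()
    return any(keyword in name for keyword in WATCHED_KEYWORDS)


def analyse(lines, window=timedelta(minutes=10)):
    """Return (host, service, description, severity) findings.

    A watched service set to 'disabled' is a medium finding; if the same
    service stops within `window` of that change it is escalated to high.
    """
    recently_disabled = {}      # (host, service) -> time the start type was disabled
    findings = []
    for line in lines:
        ts, host, event_id, message = parse_line(line)
        if event_id == 7040:
            m = RE_7040.match(message)
            if m and m["new"].lower() == "disabled" and is_watched(m["svc"]):
                recently_disabled[(host, m["svc"].lower())] = ts
                findings.append((host, m["svc"], "start type changed to disabled", "medium"))
        elif event_id == 7036:
            m = RE_7036.match(message)
            if m and m["state"].lower() == "stopped":
                key = (host, m["svc"].lower())
                if key in recently_disabled and ts - recently_disabled[key] <= window:
                    findings.append((host, m["svc"], "stopped shortly after being disabled", "high"))
    return findings


# Constructed sample export (not real captures).
SAMPLE_LINES = [
    "2020-12-14T09:12:03Z ws01 7036 The Print Spooler service entered the running state.",
    "2020-12-14T09:14:10Z ws01 7040 The start type of the CrowdStrike Falcon Sensor Service "
    "service was changed from auto start to disabled.",
    "2020-12-14T09:14:12Z ws01 7036 The CrowdStrike Falcon Sensor Service service entered "
    "the stopped state.",
    "2020-12-14T11:30:00Z ws02 7040 The start type of the Windows Update service was changed "
    "from demand start to disabled.",
    "2020-12-14T12:00:00Z ws02 7040 The start type of the Windows Defender Antivirus Service "
    "service was changed from auto start to demand start.",
    "2020-12-14T12:05:00Z ws03 7036 The Symantec Endpoint Protection service entered the "
    "stopped state.",
]

if __name__ == "__main__":
    for host, service, description, severity in analyse(SAMPLE_LINES):
        print(f"{severity.upper():6} {host} {service}: {description}")
```

On the sample this yields one medium finding (the Falcon service disabled on ws01) and one high finding (the same service stopped two seconds later); the Windows Update change is not a watched service, the Defender change is not to "disabled", and the lone Symantec stop on ws03 is left alone because nothing disabled it first. Two caveats a practitioner should keep in mind: Event 7040 is written when the start type is changed through the Service Control Manager, so a direct registry write to the service's Start value needs registry auditing or an agent that watches those keys instead, and any log-based check like this one is detective and after the fact, which is why the post's point is that the agent itself has to resist being switched off.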

Symantec Endpoint Security Complete offers a comprehensive, layered approach to securing your endpoints, eliminating the blind spots left by the traditional approach of relying on EPP and EDR alone. We look forward to sharing more of the details with you.