A skilled and motivated attacker will often find a way in despite multiple layers of well-designed, well-implemented controls.
When an attack like this one or the FireEye breach comes to light, often the first thought is to implement new NIDS, EDR, or AVS signatures specific to the documented attack.
Naturally, that’s a good thing to do. You might detect that you are currently compromised or document a new attempt, but signatures based on specific attributes such as strings and checksums are available to the attacker at the same time they are available to you. The attacker need only modify their tools to change the part that gets detected and carry on until the new variant is analyzed and the process starts over. They always have the first-mover advantage, working in the detection gap until detective capabilities catch up to them, at which point the cycle repeats.
Behavior is a much more powerful tool for detection.
For example, the SolarWinds SUNBURST malware will log into multiple endpoints using multiple accounts from a single endpoint. This sort of behavior is highly irregular and should raise an alert. This is why instrumentation visibility and flexibility are the founding design principles of our RaEDR solution. Authenticated and unauthenticated account activity is well worth collecting, tuning, and establishing thresholds for. It is better to focus on detecting the attacker by what they do rather than the tools they use to do it.
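As an added illustration of the threshold-based behavioural detection described above (example code, not part of Ra Security’s RaEDR product), the following flags any source host that authenticates to many distinct endpoints with many distinct accounts inside a short window. The log lines and their field layout are constructed for this example; the thresholds are assumptions to be tuned per environment.

```python
# Added example, not RaEDR code: behavioural detector for one source host using
# many accounts against many endpoints in a short window (the SUNBURST-style
# pattern described above). Sample log lines are constructed; field layout is
# assumed to be "timestamp source_host target_host account result".
from collections import defaultdict
from datetime import datetime, timedelta
SAMPLE_LOG = """\
2020-12-13T02:00:05 ws-0142 srv-fs01 jdoe SUCCESS
2020-12-13T02:00:09 ws-0142 srv-db02 svc_backup SUCCESS
2020-12-13T02:00:14 ws-0142 srv-dc01 admin_t1 FAILURE
2020-12-13T02:00:21 ws-0142 srv-app03 mwhite SUCCESS
2020-12-13T02:00:30 ws-0142 srv-web01 svc_monitor SUCCESS
2020-12-13T02:05:00 ws-0077 srv-fs01 asmith SUCCESS
2020-12-13T02:06:10 ws-0077 srv-fs01 asmith SUCCESS
"""

def parse(lines):
    """Yield (timestamp, source, target, account) from the constructed format."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, acct, _result = line.split()
        yield datetime.fromisoformat(ts), src, dst, acct

def lateral_auth_alerts(lines, window=timedelta(minutes=10),
                        min_accounts=3, min_targets=3):
    """Return {source: (distinct_accounts, distinct_targets)} for every source
    that used >= min_accounts accounts against >= min_targets hosts within
    `window`. Failed logons count too: the behaviour is the signal."""
    events = sorted(parse(lines))          # time order, so per-source lists are sorted
    by_source = defaultdict(list)
    for ts, src, dst, acct in events:
        by_source[src].append((ts, dst, acct))
    alerts = {}
    for src, evs in by_source.items():
        # Sliding window anchored at each of this source's events in turn.
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            accts = {e[2] for e in in_win}
            hosts = {e[1] for e in in_win}
            if len(accts) >= min_accounts and len(hosts) >= min_targets:
                alerts[src] = (len(accts), len(hosts))
                break
    return alerts

if __name__ == "__main__":
    for src, (n_acct, n_host) in lateral_auth_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n_acct} accounts against {n_host} hosts")
```

In the sample, ws-0142 trips the thresholds within 25 seconds while ws-0077 (one account, one host) does not; the window and counts are the values you would tune against your own baseline.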
To learn more about the SolarWinds SUNBURST attack, and see how RaEDR can help you remain alert in the event of an incident, be sure to contact Ra Security.