To say 2020 has been a tumultuous year is an understatement. The seemingly never-ending breaking news cycle in the last twelve months has included a global pandemic, a history-making US presidential election, and a steady slew of cyberattacks targeting private citizens, businesses, and government organizations alike.
This year has also seen a sharp increase in government-backed cyberattacks. The Center for Strategic and International Studies, which keeps a catalog of significant cyber events perpetrated by governments or government-backed private hacking groups, has reported over 130 state-backed cyberattacks since January. These, of course, are just the reported attacks, and there are undoubtedly many more that have not yet been discovered.
What was the SolarWinds cyberattack?
The most recent, and perhaps the most alarming, cyberattack is the SolarWinds attack. This attack has been credited to the Russian-backed group known as Cozy Bear, which also played a hand in the DNC hack and disinformation campaign of 2016. We are still in the process of discovering the full scope and impact, but what we know is that a pervasive malware known as Sunburst has been active since at least the Spring 2020 and has affected at least 18,000 customers of SolarWinds—including US-based cybersecurity firm, FireEye, who first detected the attack and sounded the alarm on December 8th.
The SolarWinds attack relied on the attacker surreptitiously compromising the SolarWinds build and release process in order to add Sunburst malware to a subsequently signed and deployed update to the SolarWinds Orion network monitoring software system. After being received and installed by the SolarWinds customer base, the malware stealthily performed reconnaissance, received commands, and offloaded sensitive information to attacker-controlled servers.
SolarWinds’ scope impacts private organizations & government agencies
Among the organizations compromised is Microsoft, who dubbed the attack “a moment of reckoning” in the cybersecurity space. The need for a defense-in-depth cybersecurity strategy has never been more pertinent, especially considering the fact that the SolarWinds attack was able to facilitate espionage of major US government agencies, including the Treasury Department, the Department of Commerce, and the Department of Homeland Security.
Since the discovery of the attack is so recent, it’s not clear exactly what security lapses happened that resulted in the deployment of the malware within the SolarWinds update. However, what no one can deny is that once again, a major cyberattack has highlighted the dire need for better security.
Preventing the next SolarWinds Attack
Dover’s CoreGuard solution can provide an important line of defense to downstream application users of SolarWinds software or indeed any software that may be subverted for malicious purposes.
CoreGuard provides fine-grained monitoring of every instruction and every memory access that’s performed by a CoreGuard-protected device. CoreGuard micropolicies are designed to stop entire classes of attack—not just specific attacks. Because of this, CoreGuard can dynamically block malicious behavior from both known and unknown sources, including zero-day attacks. We start with our set of base micropolicies which stops the most prevalent and severe types of cyberattacks that impact every system, regardless of industry or application.
Included in our base set is our Heap micropolicy which prevents buffer overflows and protects heap memory, accounting for over 12,000 of Mitre’s recorded Common Vulnerabilities and Enumerations (CVEs). Also a part of the base is our Stack micropolicy which protects against stack smashing attacks that result in code reuse, such as return-oriented programming (ROP) and other control flow integrity compromises. Rounding out our base set is the Read-Write-Execute (RWX) micropolicy, which protects against both injection of binary code and the modification of existing code, at a fine-grained level.\
But what about attacks like the SolarWinds breach, where software that already has malware implanted in it starts running on your system? Well, that’s where a defense-in-depth strategy comes into play. Additional micropolicies can be layered on top of our base set to provide the level of protection that best suits a system or organization’s needs.
CoreGuard has two other categories of security micropolicies that can protect against malicious activity like what happened in the case of SolarWinds: information flow control and fine-grained compartmentalization.
Enforcing Information Flow Confidentiality & Integrity
CoreGuard’s Information Flow Control micropolicies fall into two categories: Confidentiality and Integrity.
Confidentiality micropolicies allow you to specify exactly what data is allowed to flow where in your system, down to individual values. First, developers must specify what values are considered confidential and should therefore not be allowed to leave the system. This process may take some effort, but once these values are defined, CoreGuard is able to track the flow of those values throughout computation and block exfiltration of private values from the system.
Integrity micropolicies allow you to insist on the provenance and integrity (non-modification) of values. For example, CoreGuard can enforce a requirement that all data going to the network be passed through designated sanitization and encryption routines before being sent out. Furthermore, CoreGuard can enforce that keys used for encryption originated from a trusted key store and have not been modified.
Compartmentalization is not a new cybersecurity defense, and current solutions, like Arm TrustZone and Intel SGX, provide the basic level of compartmentalization that many are familiar with. Its purpose is to protect “trusted” software components from being corrupted by “untrusted” applications that are either malicious or have been compromised by cyberattack. They work as intended, however only provide a very coarse-grained level of compartmentalization that would be insufficient in protecting against cyberattacks with the sophistication level of SolarWinds.
A coarse-grained compartmentalization solution has a small number of compartments, with a large amount of software in each compartment. CoreGuard, on the other hand, allows fine-grained compartments, such that individual functions have access to specific regions of memory. A key differentiating feature of CoreGuard’s fine-grained compartmentalization is that the “context switch overhead” of traditional compartmentalization schemes can be avoided, so that performance overhead is not an impediment.
CoreGuard’s Information Flow Control Confidentiality and Integrity micropolicies, as well as its Compartmentalization micropolicy allow fine-grained specification and control of the flow of data through a system. Such control can prevent blatant exfiltration or data modification of the sort perpetrated by the SolarWinds attack. Meanwhile, our standard set of base micropolicies provide a solid security foundation for any system against the most common but dangerous types of attacks.
Together, this layering of micropolicies is a perfect example of a defense-in-depth cybersecurity strategy that can protect against complex, government-backed cyberattacks like the SolarWinds attack.
As we look to the future, we cannot attempt to combat new, technologically advanced, and sophisticated attacks with the cybersecurity defenses of the past. To truly prevent cyberattacks like SolarWinds, a defense-in-depth approach that provides security at multiple levels throughout a system is necessary.
To learn more about how CoreGuard enforces defense-in-depth, download our white paper The Cybersecurity Stack: How to Secure Embedded Systems with a Defense-in-Depth Approach.