Cybersecurity people have been generally outspoken that backdoors are bad. When governments or intelligence agencies suggest that a phone, cryptography tool, or product have a backdoor installed, both blue and red teams agree that it’s a very bad idea.
Vulnerabilities, or weaknesses, in products are hard to find. Exploits are easier to find once we know the vulnerabilities. But an intentional backdoor, whether vendor or infiltrator installed, is maybe the most difficult malware to identify.
First, a backdoor is a vulnerability and exploit all in one and there is no malware that needs to be deployed. The backdoored system is the official version and has a legitimate certificate, and will pass all hash, size, and validation checks. And unlike a vulnerability, the backdoor comes with whatever security and obfuscation the designers wish. which makes it nearly undetectable to 3rd party threat researchers. And unlike a vulnerability, the backdoor comes with whatever security and obfuscation the designers wish making it nearly undetectable to 3rd party threat researchers. And every customer of that product has that backdoor that can be utilized. A wish-list of both vulnerabilities and exploits.
To clarify, backdoor in this context is within a legitimate product release, not a post-release swap out later in the supply chain.
Hard to Spot Before The Attack
So if the backdoor code is effectively undetectable, can they be spotted at all? Yes, although not while dormant (i.e., before any actions are taken).
Once the backdoor is utilized, even the stealthiest one can be detected although not easily. Traditional exploit pattern matching won’t be of help unless the backdoor distributes previously known malware internally, but that would be sloppy. Vulnerability based IPS signatures won’t spot it at the early stages. They may spot behavioral changes once the backdoor starts being utilized, but will have an easier time once clear indicators of compromise (IOCs) are distributed.
With those IOCs, retroactive sweeps are now possible. This can be an early check on the scope of the compromise.
One “gotcha” is that a lot of infrastructure software is ‘safe listed,’ or indicated to be Known-Good, meaning that a lot of the first line security safeguards are thereby told to exclude or ignore the backdoored system.
Critical Period Between First Backdoor Use and IOCs Issued
But what about before those IOCs are widely known? Digital breadcrumbs are still there to indicate an attack even before IOCs are available, but no single indicator would be enough to identify a threat.
Communications pattern changes would be one, but those would be subtle. A lot of systems management and backup software intentionally talks to a lot of resources. But it’s expected that the frequency or nature of those communications could be different. Bigger packets, exchanges out of the norm, and more repeated external communications such as those to command and control servers are additional indicators.
XDR products are specifically designed to warehouse logs of security and non-security event data in a data lake to look for such suspicious patterns (if you now have a mental picture of a warehouse at the bottom of a lake that is not the point :-)).
Where those patterns are so subtle, a SOC threat-hunter analyst at the least will have data to examine that is collected from many sources. The reason XDR is better than EDR alone, is that XDR collects all the EDR data plus telemetry and data from sources such as email, network devices, DNS, and others.
That data lake of telemetry data has a second use as well, in looking backwards to determine the scope of the attack by looking at the history of interactions that could indicate if unexpected code was executed or data exfiltration was likely. These events can be spotted with telemetry and XDR.
Another “gotcha” is the length of data retention. Now seems like the time for all SOC teams to review the duration of data retention for telemetry – although not likely an issue in this week’s events, it is a reminder that with the most advanced attacks, the attackers will not sit still and use the same methods.
XDR has been a great new tool in hunting advanced attacks, and for determining and limiting the scope of them. But for the most advanced attack –a backdoored legitimate product - it turns out there is help there too.
We’re not likely to suddenly only get secure products from our suppliers any time soon, but hopefully the attention from this attack will make software makers more concerned about their internal software supply chains. Otherwise we need to turn to equally advanced telemetry analysis as a second line to our first line of traditional defenses.
For more information on all the ways Trend Micro is supporting and protecting customers impacted by the SolarWinds situation, please visit: https://success.trendmicro.com/solution/000283368.