How we stopped SolarWinds Sunburst before it could impact our customers

Intrusion Team

Mar 12, 2021

While the impact from the Sunburst attack still lingers as more and more businesses discover they were compromised, let’s step back and analyze what happened. The very first evidence something was coming was setting up the domain: avsvmcloud.com, which was the origin of the initial infection. Shield blocked this domain because it did not meet our criteria for a safe domain, thus halting an initial infection and all the subsequent sunburst activity.

There were several reasons Shield’s AI engine categorized this domain as unsafe. While we won’t reveal all the reasons our Artificial Intelligence (AI) engine flagged it as unsafe, suffice it to say that avsvmcloud.com did not meet the ‘safe’ reputation index based on history, rank and registry parameters.

This analogy probably makes sense.Imagine the very first COVID infected person (Patient 0) was stopped at the port of entry into the US, and based on his blood assays, all ports of entry prevented COVID infected patients from entering the country. Then, would we be in this situation with 525,000 and growing COVID related deaths and 29 million infected with COVID? The answer is no.

Similarly, if the initial infection from avsvmcloud.com was successfully blocked by all the security devices (Firewalls/NGFWs, IDPS, EDR etc.), we wouldn’t have the Sunburst disaster affecting 18,000 companies and government agencies, including large well-known enterprises such as Cisco and Microsoft and 16 Federal agencies.

With COVID-19, patient 0 was NOT identified or stopped. Secondary infection ensued; the spread continued. The same scenario unfolded with Sunburst. Once the initial compromise was successful, trusted devices became the vectors to spread infection to compromise other devices. The call homes from (previously) known trusted devices were allowed because the security devices (NGFWs/IDPS/EDR) were not configured for this event. The result was widespread damage.

Unlike other products in the security space such as NGFWs and IDPSs, we look at a lot of factors related to the reputation of IPs and domains, their registrations, and very importantly their history. INTRUSION TraceCop, our threat intelligence cloud, has maintained the richest history of all Internet traffic. TraceCop enables Shield to identify bad actors, risky behaviors and kill them silently.Shield’s main goal is to protect our customers from the initial infection including Zero-Days. Prevent Patient 0 and you’ll have nothing to compromise.

While Sunburst is neither the first nor last of such large-scale and impactful attacks, it has highlighted the reality that we are constantly under siege by well-funded and well-organized adversaries. It is more important than ever to shore up your defenses to ensure you’re not a victim when the next big attack strikes.

Ready to get protected?

INTRUSION Shield is inexpensive enough to be affordable to every business, large or small. For a small fee per seat, per month – with no annual contract and no hardware to buy – you can get immediate protection.