Asset Management, Blue team, Incident Response, NDR, Network Security, Security Operations, Threat Management

How Behavioral Detections Actually Discovered the SolarWinds Orion SUNBURST Attack

The Solarwinds Orion SUNBURST attack has been in the news for weeks. We’re starting to get great details into the actual attack, especially after FireEye released the initial set of indicators of compromise. But the question I want answered is why didn’t anyone discover this attack before the breach. What defenses are we missing to detect the next SUNBURST-style attack?

First, let’s start with the fact that this attack was very sophisticated. They were extremely sneaky and used a lot of countermeasures to hide their tracks, most notably evading more traditional methods of security monitoring and detection, like endpoint detection and response (EDR) and antivirus.   

Organizations monitoring for signs of initial compromise would have no luck in detecting SUNBURST because, well… there was no initial compromise. The intruders snuck in via a signed and verified source with heightened privileges–the SolarWinds Orion platform. These techniques make traditional signature-based detections extremely difficult, if not impossible. Even some of the most advanced endpoint security solutions didn’t detect the attack until after the indicators of compromise were released.  How would anyone have detected this attack?

We recently interviewed Matt Cauthorn, VP of Sales Engineering at ExtraHop, on Business Security Weekly to discuss why SUNBURST was so challenging to detect, and to share some network data-derived insights to shed light on what the attackers were doing post-compromise. The net-net is ExtraHop did see a 150% rise in suspicious behavioral detections during the attack. While the SUNBURST attack made sure to evade other tooling, they had no way of knowing that a network detection and response (NDR) solution was watching, leaving their movement exposed and possible to defend against.  

To see how ExtraHop and NDR can detect the next advanced attack, watch the interview on Business Security Weekly here, watch their on-demand webcast here, or visit for more information.

Matt Alderman

Chief Product Officer at CyberSaint, start-up advisor, and wizard of entrepreneurship.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.