• #cyber privilege news
  • Dec 23, 2020
  • By QOMPLX

Q:CYBER Spots Lateral Movement as Used in the SolarWinds (Sunburst) Calamity

QOMPLX leads in detecting Active Directory and Kerberos-based authentication attacks

Tysons Corner, Va. -- QOMPLX’s leading Q:CYBER software suite detections include Kerberoasting and Golden Ticket attacks, both of which have been reported as being leveraged during the lateral movement phases of attacks against federal agencies and commercial entities over the course of several months. QOMPLX researchers published warnings in 2018 and 2019 about ADFS-based attacks that link on-premises AD compromise, via Kerberos ticket forgeries, to malicious SAML token issuance, as an illustration of how core enterprise authentication remains the pivotal security challenge in modern IT networks.

Q:CYBER’s comprehensive solution for organizations defends Critical Controls Infrastructure and turns back sophisticated attacks on enterprise authentication infrastructure with applied data fusion already proven in some of the world’s largest corporate networks. QOMPLX validates billions of Kerberos transactions each day across its global customer base.

U.S. officials allege Russia is behind the breach, in which hackers added malware to software updates, creating a backdoor into targeted computer networks. This backdoor allowed the hackers to obtain elevated credentials. Russia has denied involvement in the attack, which affected SolarWinds and its customers. SolarWinds traced the "supply chain" attack to updates for its Orion network products released between March and June 2020.

The injection of malicious code into the SolarWinds Orion product via compromised software build servers is novel and impressive, but represents one of many ways that adversaries gain initial entry into corporate networks. The important techniques used in the next phase of a breach are essential to enabling sophisticated adversaries to move from low-value to high-value IT assets and establish dominance within a compromised network.

“QOMPLX is the most comprehensive and accurate tool to detect advanced lateral movement techniques exploiting Active Directory and enterprise authentication via Kerberos forgeries and related attacks,” QOMPLX CEO Jason Crabtree said. QOMPLX also conducts advanced security research on how Kerberos and SAML protocols are exploited.

Q:CYBER offers a comprehensive solution for organizations interested in getting to ground truth in security. QOMPLX specializes in fusing together multiple security data feeds and uniquely defending Critical Controls Infrastructure, like Active Directory and Kerberos, and turning back sophisticated attacks and security challenges, such as:

  • Attacks on Active Directory and other Critical Controls Infrastructure,
  • Attacks on privileged accounts and lateral movement including forgeries and attacks against the Kerberos authentication protocol,
  • Maintaining an adequate risk posture, and
  • Managing high volume sources like Windows event logs and other high quality data sources that require careful management.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday delivered a warning, saying the breach poses a severe risk to federal, state and local governments as well as private companies and organizations.

“The latest warnings and guidance from CISA, other government agencies, and private companies about the extent and severity of this incident within and outside the federal government deeply concern us,” Crabtree said. “We’re ready to help.”

QOMPLX, a leader in identity assurance for both Active Directory and Kerberos, is used by many of the world’s most sophisticated firms, including some of the world’s premier technology, insurance, financial services, asset management, retailers and critical infrastructure companies to detect and respond to such attacks. The company has spent nearly six years developing the necessary technology, holds dozens of patents, and invested close to $100 million developing its powerful streaming analytics and graph capabilities and related services to harden enterprise authentication, secure Active Directory, and fuse together multiple sources of data from both inside and outside of corporate networks.

“Sophisticated cyber adversaries want to establish persistence within your trusted networks: siphoning off sensitive data from your organization, or laying the groundwork for a crippling attack. Account takeovers and hacks of critical identity infrastructure like Active Directory and Kerberos are their most potent weapons,” said Andy Jaquith, QOMPLX Chief Information Security Officer.

Stateful validation means checking every Kerberos ticket presented to a service against the issuance the KDC was actually observed to perform, rather than trusting the ticket's own cryptographic validity alone. A Golden Ticket is a TGT forged with the KRBTGT key: it decrypts and verifies correctly, but no KDC ever issued it, so it has no matching issuance record. That is why stateful validation is the key to stopping the Golden Ticket technique alluded to in the CISA advisory, and it means that downstream applications and services that rely on Kerberos can accept authentication with confidence.
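The following is an added example, not QOMPLX code and not a description of how Q:CYBER is implemented. It models the stateful-validation idea in the paragraph above in its simplest form over constructed Windows Security event records: remember every TGT a KDC successfully issued (event ID 4768, result 0x0) and treat a service-ticket request (event ID 4769) that presents a TGT the KDC never issued, or one outside the lifetime of any issued TGT, as a candidate forged ticket. The 10-hour TGT lifetime, the AES baseline, the field names and all sample events are assumptions for illustration.

```python
"""Minimal stateful Kerberos TGT validation over constructed 4768/4769 records.

Added example (not QOMPLX's product code). Event dictionaries mimic a few
fields of Windows Security events 4768 (TGT requested) and 4769 (service
ticket requested); they are constructed here, not captured logs.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events. A real pipeline would merge 4768s from every
# domain controller, because a TGT may be issued by any one of them.
SAMPLE_EVENTS = [
    {"event_id": 4768, "time": "2020-12-21T08:00:00", "account": "bob",
     "result": "0x0", "enc_type": "0x12"},
    {"event_id": 4768, "time": "2020-12-21T09:00:00", "account": "alice",
     "result": "0x0", "enc_type": "0x12"},
    {"event_id": 4769, "time": "2020-12-21T09:05:00", "account": "alice",
     "service": "cifs/fs01", "enc_type": "0x12"},
    # No 4768 was ever seen for this account, yet a TGT is presented: the
    # signature of a Golden Ticket, since a forged TGT never touches the KDC
    # for issuance. RC4 (0x17) on an AES domain is a second common tell.
    {"event_id": 4769, "time": "2020-12-21T10:00:00", "account": "administrator",
     "service": "ldap/dc01", "enc_type": "0x17"},
    # A failed TGT request (pre-auth failure, 0x18) must not count as issuance.
    {"event_id": 4768, "time": "2020-12-21T11:00:00", "account": "carol",
     "result": "0x18", "enc_type": "0x12"},
    {"event_id": 4769, "time": "2020-12-21T11:02:00", "account": "carol",
     "service": "cifs/fs01", "enc_type": "0x12"},
    # bob's TGT was issued at 08:00; presenting it at 20:00 exceeds the assumed lifetime.
    {"event_id": 4769, "time": "2020-12-21T20:00:00", "account": "bob",
     "service": "cifs/fs01", "enc_type": "0x12"},
]


@dataclass
class StatefulKerberosValidator:
    # Assumed domain default; in practice read it from the domain Kerberos policy.
    tgt_lifetime: timedelta = timedelta(hours=10)
    # Assumed AES-only baseline (AES128 = 0x11, AES256 = 0x12).
    aes_types: frozenset = frozenset({"0x11", "0x12"})
    # account -> list of (issued_at, expires_at) windows for TGTs the KDC issued
    issued: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, event: dict) -> None:
        """Feed one event, in time order, into the validator's state."""
        ts = datetime.fromisoformat(event["time"])
        account = event["account"].lower()
        if event["event_id"] == 4768:
            if event.get("result") == "0x0":  # only successful issuance creates state
                self.issued.setdefault(account, []).append((ts, ts + self.tgt_lifetime))
        elif event["event_id"] == 4769:
            self._validate_service_request(account, ts, event)

    def _validate_service_request(self, account: str, ts: datetime, event: dict) -> None:
        reasons = []
        windows = self.issued.get(account, [])
        if not windows:
            reasons.append("no successful TGT issuance (4768) observed for this account")
        elif not any(start <= ts <= end for start, end in windows):
            reasons.append("TGT presented outside the lifetime of every issued TGT")
        if event.get("enc_type") not in self.aes_types:
            reasons.append(f"service ticket encryption {event.get('enc_type')} below AES baseline")
        if reasons:
            self.alerts.append({"account": account, "time": event["time"],
                                "service": event["service"], "reasons": reasons})


def run_sample(events=SAMPLE_EVENTS) -> list:
    """Replay the sample events in time order and return the alerts raised."""
    validator = StatefulKerberosValidator()
    for event in sorted(events, key=lambda e: e["time"]):
        validator.observe(event)
    return validator.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["time"], alert["account"], alert["service"], "->", "; ".join(alert["reasons"]))
```

Running it flags the administrator request (no issuance, RC4), carol (failed pre-auth, so no valid issuance) and bob (presented after the assumed lifetime) while alice passes. Two caveats a practitioner would add before relying on this: the issuance state must be collected from every domain controller and must account for TGT renewals, and an attacker who first obtains a legitimate TGT and then forges a service ticket (a Silver Ticket) never produces a 4769 on the DC at all, so that technique needs host-side telemetry rather than this KDC-side check.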

QOMPLX security practitioners are available to answer your questions about the Sunburst attack on SolarWinds and its customer base and to detail how Q:CYBER’s offerings rapidly detect the lateral movement stages of such breaches. For more information or to speak with a QOMPLX executive about this breach, contact Amanda Steinman, 1-202-478-1166 or qomplx@teamlewis.com.

CONTACT:
Abha Dasgupta, Chief Strategy Officer
Amanda Steinman, Media Relations
QOMPLX, Inc.
qomplx@teamlewis.com
1-202-478-1166