The document discusses the SolarWinds attack and lessons learned for cloud security. It begins by outlining the attack chain used, including how the attackers broke into SolarWinds' software development lifecycle and inserted malicious code. It then discusses issues like secret protection, granular identity management, and detecting fileless malware. The presentation recommends rethinking cloud security strategy to address weaknesses in these areas and provide runtime protection in addition to vulnerability scanning and secure development practices.

1. Rethinking your cloud security in the
shadow of the SolarWinds attack
4/2/21

2. THE BIGGEST ATTACK OF 2020?

3. SOLARWINDS ATTACK – HOW IT ALL BEGAN?

4. TODAY’S SPEAKERS
Amir Kaushansky, VP Product
• +15 years of experience in Cyber Security
& Product management
• 3 years cloud, containers and serverless
experience:
• Head of cloud network security (Check
Point)
• VP Product management (ARMO)
Leonid Sandler, CTO, Co-Founder,
• +20 years software security experience
• Ex NDS CTO Software Security
• Designed Cloud Security products serving
the world largest content providers.
• Built & managed Product and Development
team of over 130 people

5. BREAKING THE SOLARWINDS ATTACK TO PIECES
HOW THE ATTACK IS MAPPED TO THE CYBERSECURITY KILL CHAIN
1. The Backdoor
2. The Malware 3. The Actual Attack
Break into SolarWinds & learn the SDLC
Insert malicious code into the source Fileless Droppers Dropper payload

6. 1. The
Backdoor
2. The
Malware
3. The Actual
Attack
• SUNSPOT – the malware that compromised SolarWinds
• SUNBURST – the backdoor code
SOLARWINDS ATTACK CHAIN

7. 1. The
Backdoor
2. The
Malware
3. The Actual
Attack
Several types were spotted: TEARDROP and RAINDROP
• TEARDROP is a second stage loader
• Cobalt Strike BEACON – loaded by TEARDROP hidden in a jpeg file
SOLARWINDS ATTACK CHAIN

8. 1. The
Backdoor
2. The
Malware
3. The Actual
Attack
SOLARWINDS ATTACK CHAIN
Cobalt Strike BEACON (or similar)
• Lateral movements
• Keys & Data exfiltration

9. 1. The
Backdoor
2. The
Malware
3. The Actual
Attack
SOLARWINDS ATTACK CHAIN – TO SUMMARIZE
• Malicious actors will get in. The only question is when.
• Attackers will use all kinds of stealth techniques
• Complexity of target environments will require additional code drops

10. YES, BUT WHAT’S THE FUZZ ALL ABOUT?

11. IS THIS NEW?
Supply Chain

12. IS THIS NEW?
Malware

13. IS THIS NEW?
Strategic Data

14. THINGS TO RETHINK IN YOUR CLOUD SECURITY STRATEGY
Security Stack

15. WHAT’S NEXT?
The blind spots in your security strategy
Secret management
Identity
File less Malware
1
2
3

16. ISSUE 1: SECRET PROTECTION AND SECRET ZERO PROBLEM

17. ISSUE 2: GRANULARITY OF IDENTITY
NGNIX SQL
Web DB
Policy: Web –DB (Allow)
Malware

18. ISSUE 3: FILELESS MALWARE
Where should I be looking?
Host
Operating System
Container
Engine
K8s
POD
OS
Proc
A
Proc
B
OS
Proc
A
Proc
B
OS
Proc
A
Proc
B
OS
Proc
A
Side
car
POD

19. ARMO
The next generation architecture for observability, security and
control in K8s and Cloud Native environments
• ARMO FABRIC is the only solution that brings
together workload and data protection under a single
Zero Trust model
• ARMO FABRIC is the only solution that
automatically protects data in all stages without
change to existing workloads and architecture
• ARMO FABRIC is the only solution that
automatically establishes inherently secure
environments

20. DEMO TIME: IN-MEMORY FILELESS ATTACK BY EZURI
• Ezuri acts as a malware memory
loader and executes its payload in
memory, without writing the file to
disk
• Over the past few months, several
malware authors used the Ezuri loader,
including TeamTNT
• The TeamTNT botnet is a crypto-mining
malware - named Black-T - targets
Docker installs, designed to install
network scanners and retrieve
credentials from memory
• Recently the TeamTNT botnet started to
target also misconfigured Kubernetes
installations.

21. KEY TAKEAWAYS
Security is a cat and mouse game
Attackers are more sophisticated
Vulnerability scanning is everlasting process and can't find all the holes
Posture and shift-left is great, runtime protection must be added as
well!
1
2
3