These questions may be geared to SOC teams or cybersecurity analysts in general. I’m only a networking guy that has some cybersecurity questions.
From what I’ve read, the SolarWinds breach was able to steal so much information without being noticed with the **”.avsvmcloud[.]com”** DNS name (Microsoft owns the domain now). I have a few questions and some might not be able to be answered.
1. Why did DLP policies not pick up on this attack?
   1. Was the bandwidth too low?
   2. Was it encrypted so that inspection wouldn’t see it?
   3. Was the data sent out a little at a time so it wouldn’t be noticed?
2. Did normal people push this aside because they thought it was just normal SolarWinds traffic?
3. **Now for the big question: how are modern security teams going to protect against another supply chain threat like this from happening again? Assuming supply chain attacks are only going to increase because of the amount of information that could be captured.**
Less important questions:
1. Why wasn’t this domain checked to verify it was owned by SolarWinds or another software vendor on the servers? Or was it?
2. Why don’t server admins email SolarWinds directly to ask if this domain is used by the Orion platform?
3. Would SolarWinds support even know that the domain was being used maliciously when asked?